Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2026-AVI-0453
Vulnerability from certfr_avis
De multiples vulnérabilités ont été découvertes dans le noyau Linux d'Ubuntu. Certaines d'entre elles permettent à un attaquant de provoquer une élévation de privilèges, une atteinte à la confidentialité des données et une atteinte à l'intégrité des données.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
References
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Ubuntu 16.04 ESM",
"product": {
"name": "Ubuntu",
"vendor": {
"name": "Ubuntu",
"scada": false
}
}
},
{
"description": "Ubuntu 20.04 ESM",
"product": {
"name": "Ubuntu",
"vendor": {
"name": "Ubuntu",
"scada": false
}
}
},
{
"description": "Ubuntu 24.04 LTS",
"product": {
"name": "Ubuntu",
"vendor": {
"name": "Ubuntu",
"scada": false
}
}
},
{
"description": "Ubuntu 18.04 ESM",
"product": {
"name": "Ubuntu",
"vendor": {
"name": "Ubuntu",
"scada": false
}
}
},
{
"description": "Ubuntu 25.10",
"product": {
"name": "Ubuntu",
"vendor": {
"name": "Ubuntu",
"scada": false
}
}
},
{
"description": "Ubuntu 14.04 ESM",
"product": {
"name": "Ubuntu",
"vendor": {
"name": "Ubuntu",
"scada": false
}
}
},
{
"description": "Ubuntu 22.04 LTS",
"product": {
"name": "Ubuntu",
"vendor": {
"name": "Ubuntu",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2024-36903",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-36903"
},
{
"name": "CVE-2025-71075",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71075"
},
{
"name": "CVE-2025-40273",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40273"
},
{
"name": "CVE-2025-68805",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68805"
},
{
"name": "CVE-2026-23202",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23202"
},
{
"name": "CVE-2025-39987",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39987"
},
{
"name": "CVE-2025-71086",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71086"
},
{
"name": "CVE-2026-23167",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23167"
},
{
"name": "CVE-2025-21861",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21861"
},
{
"name": "CVE-2025-71065",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71065"
},
{
"name": "CVE-2025-68374",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68374"
},
{
"name": "CVE-2026-23098",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23098"
},
{
"name": "CVE-2025-68286",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68286"
},
{
"name": "CVE-2025-68793",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68793"
},
{
"name": "CVE-2025-71094",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71094"
},
{
"name": "CVE-2025-68788",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68788"
},
{
"name": "CVE-2025-40055",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40055"
},
{
"name": "CVE-2025-39876",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39876"
},
{
"name": "CVE-2025-40314",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40314"
},
{
"name": "CVE-2025-40029",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40029"
},
{
"name": "CVE-2025-40306",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40306"
},
{
"name": "CVE-2025-68778",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68778"
},
{
"name": "CVE-2025-40048",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40048"
},
{
"name": "CVE-2025-40254",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40254"
},
{
"name": "CVE-2025-71064",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71064"
},
{
"name": "CVE-2025-40219",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40219"
},
{
"name": "CVE-2025-68200",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68200"
},
{
"name": "CVE-2025-68736",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68736"
},
{
"name": "CVE-2025-40043",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40043"
},
{
"name": "CVE-2025-68725",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68725"
},
{
"name": "CVE-2025-68176",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68176"
},
{
"name": "CVE-2025-68741",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68741"
},
{
"name": "CVE-2025-68204",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68204"
},
{
"name": "CVE-2025-68795",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68795"
},
{
"name": "CVE-2025-68349",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68349"
},
{
"name": "CVE-2025-68380",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68380"
},
{
"name": "CVE-2026-23269",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23269"
},
{
"name": "CVE-2025-39973",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39973"
},
{
"name": "CVE-2025-68339",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68339"
},
{
"name": "CVE-2025-39943",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39943"
},
{
"name": "CVE-2025-39945",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39945"
},
{
"name": "CVE-2023-53421",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53421"
},
{
"name": "CVE-2026-22992",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22992"
},
{
"name": "CVE-2022-49465",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49465"
},
{
"name": "CVE-2025-39883",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39883"
},
{
"name": "CVE-2025-71071",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71071"
},
{
"name": "CVE-2025-71191",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71191"
},
{
"name": "CVE-2025-68295",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68295"
},
{
"name": "CVE-2025-68728",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68728"
},
{
"name": "CVE-2025-68364",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68364"
},
{
"name": "CVE-2025-71087",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71087"
},
{
"name": "CVE-2025-68287",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68287"
},
{
"name": "CVE-2025-40240",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40240"
},
{
"name": "CVE-2025-71135",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71135"
},
{
"name": "CVE-2025-40081",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40081"
},
{
"name": "CVE-2025-68746",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68746"
},
{
"name": "CVE-2024-58011",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-58011"
},
{
"name": "CVE-2025-68773",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68773"
},
{
"name": "CVE-2025-71133",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71133"
},
{
"name": "CVE-2025-40026",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40026"
},
{
"name": "CVE-2025-40153",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40153"
},
{
"name": "CVE-2026-23020",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23020"
},
{
"name": "CVE-2025-68796",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68796"
},
{
"name": "CVE-2025-40121",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40121"
},
{
"name": "CVE-2025-40312",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40312"
},
{
"name": "CVE-2025-40204",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40204"
},
{
"name": "CVE-2025-68220",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68220"
},
{
"name": "CVE-2025-40171",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40171"
},
{
"name": "CVE-2025-68302",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68302"
},
{
"name": "CVE-2025-68238",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68238"
},
{
"name": "CVE-2025-68804",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68804"
},
{
"name": "CVE-2025-68769",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68769"
},
{
"name": "CVE-2025-68794",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68794"
},
{
"name": "CVE-2025-39911",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39911"
},
{
"name": "CVE-2025-40125",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40125"
},
{
"name": "CVE-2025-40309",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40309"
},
{
"name": "CVE-2025-40349",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40349"
},
{
"name": "CVE-2025-38408",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38408"
},
{
"name": "CVE-2025-71088",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71088"
},
{
"name": "CVE-2025-40343",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40343"
},
{
"name": "CVE-2026-23090",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23090"
},
{
"name": "CVE-2025-40308",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40308"
},
{
"name": "CVE-2025-40187",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40187"
},
{
"name": "CVE-2025-40315",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40315"
},
{
"name": "CVE-2025-39913",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39913"
},
{
"name": "CVE-2026-23064",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23064"
},
{
"name": "CVE-2025-38591",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38591"
},
{
"name": "CVE-2025-68806",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68806"
},
{
"name": "CVE-2025-40092",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40092"
},
{
"name": "CVE-2025-71098",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71098"
},
{
"name": "CVE-2025-21735",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21735"
},
{
"name": "CVE-2025-71078",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71078"
},
{
"name": "CVE-2025-39967",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39967"
},
{
"name": "CVE-2025-71083",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71083"
},
{
"name": "CVE-2026-23061",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23061"
},
{
"name": "CVE-2025-40115",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40115"
},
{
"name": "CVE-2025-68813",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68813"
},
{
"name": "CVE-2026-23047",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23047"
},
{
"name": "CVE-2025-22121",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22121"
},
{
"name": "CVE-2025-68365",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68365"
},
{
"name": "CVE-2025-68265",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68265"
},
{
"name": "CVE-2026-23119",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23119"
},
{
"name": "CVE-2025-71085",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71085"
},
{
"name": "CVE-2026-23268",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23268"
},
{
"name": "CVE-2025-71076",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71076"
},
{
"name": "CVE-2025-68344",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68344"
},
{
"name": "CVE-2025-71154",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71154"
},
{
"name": "CVE-2025-68229",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68229"
},
{
"name": "CVE-2025-68257",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68257"
},
{
"name": "CVE-2025-39949",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39949"
},
{
"name": "CVE-2025-71084",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71084"
},
{
"name": "CVE-2025-40173",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40173"
},
{
"name": "CVE-2026-23049",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23049"
},
{
"name": "CVE-2025-68321",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68321"
},
{
"name": "CVE-2024-56538",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-56538"
},
{
"name": "CVE-2025-68347",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68347"
},
{
"name": "CVE-2025-39923",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39923"
},
{
"name": "CVE-2025-68770",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68770"
},
{
"name": "CVE-2025-68814",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68814"
},
{
"name": "CVE-2025-68780",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68780"
},
{
"name": "CVE-2025-39953",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39953"
},
{
"name": "CVE-2025-71081",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71081"
},
{
"name": "CVE-2026-23101",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23101"
},
{
"name": "CVE-2026-23407",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23407"
},
{
"name": "CVE-2026-23099",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23099"
},
{
"name": "CVE-2025-40167",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40167"
},
{
"name": "CVE-2025-39969",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39969"
},
{
"name": "CVE-2025-71121",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71121"
},
{
"name": "CVE-2025-40194",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40194"
},
{
"name": "CVE-2025-38022",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38022"
},
{
"name": "CVE-2025-40245",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40245"
},
{
"name": "CVE-2025-71080",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71080"
},
{
"name": "CVE-2023-53520",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53520"
},
{
"name": "CVE-2026-23085",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23085"
},
{
"name": "CVE-2025-40360",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40360"
},
{
"name": "CVE-2026-23209",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23209"
},
{
"name": "CVE-2025-71136",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71136"
},
{
"name": "CVE-2025-68354",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68354"
},
{
"name": "CVE-2025-68801",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68801"
},
{
"name": "CVE-2026-23150",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23150"
},
{
"name": "CVE-2025-71073",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71073"
},
{
"name": "CVE-2025-68258",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68258"
},
{
"name": "CVE-2025-40001",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40001"
},
{
"name": "CVE-2025-40035",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40035"
},
{
"name": "CVE-2025-40322",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40322"
},
{
"name": "CVE-2025-39988",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39988"
},
{
"name": "CVE-2025-40313",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40313"
},
{
"name": "CVE-2025-71138",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71138"
},
{
"name": "CVE-2025-38584",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38584"
},
{
"name": "CVE-2025-40233",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40233"
},
{
"name": "CVE-2025-40020",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40020"
},
{
"name": "CVE-2024-46777",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-46777"
},
{
"name": "CVE-2025-40188",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40188"
},
{
"name": "CVE-2025-40271",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40271"
},
{
"name": "CVE-2025-68291",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68291"
},
{
"name": "CVE-2025-71117",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71117"
},
{
"name": "CVE-2025-71122",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71122"
},
{
"name": "CVE-2026-22991",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22991"
},
{
"name": "CVE-2025-68763",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68763"
},
{
"name": "CVE-2025-71144",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71144"
},
{
"name": "CVE-2025-68308",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68308"
},
{
"name": "CVE-2025-68822",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68822"
},
{
"name": "CVE-2025-68368",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68368"
},
{
"name": "CVE-2026-23408",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23408"
},
{
"name": "CVE-2025-38234",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38234"
},
{
"name": "CVE-2026-23207",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23207"
},
{
"name": "CVE-2025-40252",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40252"
},
{
"name": "CVE-2025-40049",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40049"
},
{
"name": "CVE-2025-68255",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68255"
},
{
"name": "CVE-2025-21704",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21704"
},
{
"name": "CVE-2026-22980",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22980"
},
{
"name": "CVE-2025-40277",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40277"
},
{
"name": "CVE-2025-40070",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40070"
},
{
"name": "CVE-2025-40106",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40106"
},
{
"name": "CVE-2025-40272",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40272"
},
{
"name": "CVE-2025-68791",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68791"
},
{
"name": "CVE-2026-23133",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23133"
},
{
"name": "CVE-2026-23406",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23406"
},
{
"name": "CVE-2025-71093",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71093"
},
{
"name": "CVE-2025-71102",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71102"
},
{
"name": "CVE-2026-23170",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23170"
},
{
"name": "CVE-2025-68759",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68759"
},
{
"name": "CVE-2026-23019",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23019"
},
{
"name": "CVE-2025-71188",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71188"
},
{
"name": "CVE-2025-40345",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40345"
},
{
"name": "CVE-2025-40205",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40205"
},
{
"name": "CVE-2026-23125",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23125"
},
{
"name": "CVE-2025-38057",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38057"
},
{
"name": "CVE-2025-68733",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68733"
},
{
"name": "CVE-2025-40269",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40269"
},
{
"name": "CVE-2025-68335",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68335"
},
{
"name": "CVE-2025-71079",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71079"
},
{
"name": "CVE-2026-22997",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22997"
},
{
"name": "CVE-2025-71153",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71153"
},
{
"name": "CVE-2025-68330",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68330"
},
{
"name": "CVE-2023-53662",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53662"
},
{
"name": "CVE-2025-71196",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71196"
},
{
"name": "CVE-2025-40027",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40027"
},
{
"name": "CVE-2025-39885",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39885"
},
{
"name": "CVE-2025-68772",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68772"
},
{
"name": "CVE-2024-57795",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-57795"
},
{
"name": "CVE-2025-21780",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21780"
},
{
"name": "CVE-2026-23078",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23078"
},
{
"name": "CVE-2025-71143",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71143"
},
{
"name": "CVE-2025-68768",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68768"
},
{
"name": "CVE-2025-68785",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68785"
},
{
"name": "CVE-2025-71130",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71130"
},
{
"name": "CVE-2024-37354",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-37354"
},
{
"name": "CVE-2025-68808",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68808"
},
{
"name": "CVE-2025-68783",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68783"
},
{
"name": "CVE-2025-39970",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39970"
},
{
"name": "CVE-2025-71147",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71147"
},
{
"name": "CVE-2025-68724",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68724"
},
{
"name": "CVE-2025-39994",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39994"
},
{
"name": "CVE-2026-23103",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23103"
},
{
"name": "CVE-2026-23074",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23074"
},
{
"name": "CVE-2025-71126",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71126"
},
{
"name": "CVE-2025-68786",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68786"
},
{
"name": "CVE-2025-71199",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71199"
},
{
"name": "CVE-2025-68797",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68797"
},
{
"name": "CVE-2024-49968",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-49968"
},
{
"name": "CVE-2025-40088",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40088"
},
{
"name": "CVE-2025-40220",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40220"
},
{
"name": "CVE-2025-40257",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40257"
},
{
"name": "CVE-2025-68259",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68259"
},
{
"name": "CVE-2025-71125",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71125"
},
{
"name": "CVE-2024-56581",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-56581"
},
{
"name": "CVE-2025-22058",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22058"
},
{
"name": "CVE-2025-71108",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71108"
},
{
"name": "CVE-2025-71069",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71069"
},
{
"name": "CVE-2025-68312",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68312"
},
{
"name": "CVE-2025-68284",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68284"
},
{
"name": "CVE-2025-68194",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68194"
},
{
"name": "CVE-2025-68807",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68807"
},
{
"name": "CVE-2025-40109",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40109"
},
{
"name": "CVE-2025-40006",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40006"
},
{
"name": "CVE-2026-23083",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23083"
},
{
"name": "CVE-2025-68774",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68774"
},
{
"name": "CVE-2025-40263",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40263"
},
{
"name": "CVE-2025-40011",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40011"
},
{
"name": "CVE-2026-23108",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23108"
},
{
"name": "CVE-2025-40085",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40085"
},
{
"name": "CVE-2025-71180",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71180"
},
{
"name": "CVE-2025-38232",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38232"
},
{
"name": "CVE-2025-68244",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68244"
},
{
"name": "CVE-2025-40231",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40231"
},
{
"name": "CVE-2024-46830",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-46830"
},
{
"name": "CVE-2024-47666",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-47666"
},
{
"name": "CVE-2025-40278",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40278"
},
{
"name": "CVE-2025-71194",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71194"
},
{
"name": "CVE-2025-71157",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71157"
},
{
"name": "CVE-2025-40342",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40342"
},
{
"name": "CVE-2026-22999",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22999"
},
{
"name": "CVE-2025-71082",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71082"
},
{
"name": "CVE-2025-68765",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68765"
},
{
"name": "CVE-2026-23089",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23089"
},
{
"name": "CVE-2025-23143",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-23143"
},
{
"name": "CVE-2025-71132",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71132"
},
{
"name": "CVE-2026-23071",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23071"
},
{
"name": "CVE-2026-23056",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23056"
},
{
"name": "CVE-2025-71077",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71077"
},
{
"name": "CVE-2024-36927",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-36927"
},
{
"name": "CVE-2025-40279",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40279"
},
{
"name": "CVE-2025-68328",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68328"
},
{
"name": "CVE-2025-71140",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71140"
},
{
"name": "CVE-2025-22111",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22111"
},
{
"name": "CVE-2026-23063",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23063"
},
{
"name": "CVE-2026-23073",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23073"
},
{
"name": "CVE-2025-71114",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71114"
},
{
"name": "CVE-2026-23058",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23058"
},
{
"name": "CVE-2025-71067",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71067"
},
{
"name": "CVE-2025-68744",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68744"
},
{
"name": "CVE-2025-71182",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71182"
},
{
"name": "CVE-2026-23038",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23038"
},
{
"name": "CVE-2025-40183",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40183"
},
{
"name": "CVE-2025-71151",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71151"
},
{
"name": "CVE-2026-22990",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22990"
},
{
"name": "CVE-2025-68353",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68353"
},
{
"name": "CVE-2025-71186",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71186"
},
{
"name": "CVE-2025-39998",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39998"
},
{
"name": "CVE-2025-68821",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68821"
},
{
"name": "CVE-2026-23026",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23026"
},
{
"name": "CVE-2025-40134",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40134"
},
{
"name": "CVE-2026-23128",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23128"
},
{
"name": "CVE-2023-53041",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53041"
},
{
"name": "CVE-2025-68325",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68325"
},
{
"name": "CVE-2025-71190",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71190"
},
{
"name": "CVE-2025-39968",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39968"
},
{
"name": "CVE-2025-71089",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71089"
},
{
"name": "CVE-2025-68332",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68332"
},
{
"name": "CVE-2025-39986",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39986"
},
{
"name": "CVE-2025-68745",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68745"
},
{
"name": "CVE-2025-71104",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71104"
},
{
"name": "CVE-2026-22978",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22978"
},
{
"name": "CVE-2025-40283",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40283"
},
{
"name": "CVE-2025-39955",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39955"
},
{
"name": "CVE-2025-40324",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40324"
},
{
"name": "CVE-2025-68378",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68378"
},
{
"name": "CVE-2025-71141",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71141"
},
{
"name": "CVE-2026-23146",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23146"
},
{
"name": "CVE-2025-38129",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38129"
},
{
"name": "CVE-2026-23037",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23037"
},
{
"name": "CVE-2026-23410",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23410"
},
{
"name": "CVE-2025-71101",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71101"
},
{
"name": "CVE-2025-40264",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40264"
},
{
"name": "CVE-2026-23001",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23001"
},
{
"name": "CVE-2025-68367",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68367"
},
{
"name": "CVE-2025-40078",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40078"
},
{
"name": "CVE-2025-68820",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68820"
},
{
"name": "CVE-2025-68756",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68756"
},
{
"name": "CVE-2025-40321",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40321"
},
{
"name": "CVE-2025-40116",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40116"
},
{
"name": "CVE-2023-54207",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54207"
},
{
"name": "CVE-2025-68249",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68249"
},
{
"name": "CVE-2025-68740",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68740"
},
{
"name": "CVE-2025-39934",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39934"
},
{
"name": "CVE-2025-40179",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40179"
},
{
"name": "CVE-2025-68742",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68742"
},
{
"name": "CVE-2025-40127",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40127"
},
{
"name": "CVE-2025-40282",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40282"
},
{
"name": "CVE-2025-39996",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39996"
},
{
"name": "CVE-2025-40053",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40053"
},
{
"name": "CVE-2025-39951",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39951"
},
{
"name": "CVE-2025-40120",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40120"
},
{
"name": "CVE-2025-68816",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68816"
},
{
"name": "CVE-2025-68192",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68192"
},
{
"name": "CVE-2025-71070",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71070"
},
{
"name": "CVE-2025-68379",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68379"
},
{
"name": "CVE-2025-68256",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68256"
},
{
"name": "CVE-2025-68777",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68777"
},
{
"name": "CVE-2025-68254",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68254"
},
{
"name": "CVE-2025-40243",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40243"
},
{
"name": "CVE-2025-38556",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38556"
},
{
"name": "CVE-2025-40040",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40040"
},
{
"name": "CVE-2026-22982",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22982"
},
{
"name": "CVE-2025-71109",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71109"
},
{
"name": "CVE-2025-71118",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71118"
},
{
"name": "CVE-2025-68327",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68327"
},
{
"name": "CVE-2025-71150",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71150"
},
{
"name": "CVE-2026-23091",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23091"
},
{
"name": "CVE-2025-68241",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68241"
},
{
"name": "CVE-2025-40118",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40118"
},
{
"name": "CVE-2025-40021",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40021"
},
{
"name": "CVE-2026-23121",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23121"
},
{
"name": "CVE-2025-68734",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68734"
},
{
"name": "CVE-2025-68776",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68776"
},
{
"name": "CVE-2025-71066",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71066"
},
{
"name": "CVE-2025-68799",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68799"
},
{
"name": "CVE-2025-68345",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68345"
},
{
"name": "CVE-2025-40044",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40044"
},
{
"name": "CVE-2025-71097",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71097"
},
{
"name": "CVE-2025-40105",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40105"
},
{
"name": "CVE-2025-68288",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68288"
},
{
"name": "CVE-2025-40112",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40112"
},
{
"name": "CVE-2025-71107",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71107"
},
{
"name": "CVE-2025-40083",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40083"
},
{
"name": "CVE-2025-71111",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71111"
},
{
"name": "CVE-2026-23087",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23087"
},
{
"name": "CVE-2025-68802",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68802"
},
{
"name": "CVE-2025-39971",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39971"
},
{
"name": "CVE-2025-71185",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71185"
},
{
"name": "CVE-2025-40154",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40154"
},
{
"name": "CVE-2025-40331",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40331"
},
{
"name": "CVE-2025-68811",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68811"
},
{
"name": "CVE-2022-49635",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49635"
},
{
"name": "CVE-2026-23096",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23096"
},
{
"name": "CVE-2025-68337",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68337"
},
{
"name": "CVE-2025-68351",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68351"
},
{
"name": "CVE-2026-23405",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23405"
},
{
"name": "CVE-2025-71131",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71131"
},
{
"name": "CVE-2025-40149",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40149"
},
{
"name": "CVE-2026-23403",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23403"
},
{
"name": "CVE-2025-40164",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40164"
},
{
"name": "CVE-2026-23164",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23164"
},
{
"name": "CVE-2025-71116",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71116"
},
{
"name": "CVE-2026-23124",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23124"
},
{
"name": "CVE-2025-68362",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68362"
},
{
"name": "CVE-2025-68290",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68290"
},
{
"name": "CVE-2025-40280",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40280"
},
{
"name": "CVE-2025-71162",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71162"
},
{
"name": "CVE-2026-23075",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23075"
},
{
"name": "CVE-2026-23120",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23120"
},
{
"name": "CVE-2025-68803",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68803"
},
{
"name": "CVE-2025-68331",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68331"
},
{
"name": "CVE-2025-40126",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40126"
},
{
"name": "CVE-2025-39972",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39972"
},
{
"name": "CVE-2026-23105",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23105"
},
{
"name": "CVE-2025-71115",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71115"
},
{
"name": "CVE-2026-22976",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22976"
},
{
"name": "CVE-2025-68753",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68753"
},
{
"name": "CVE-2025-68781",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68781"
},
{
"name": "CVE-2025-68369",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68369"
},
{
"name": "CVE-2025-68775",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68775"
},
{
"name": "CVE-2025-71112",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71112"
},
{
"name": "CVE-2025-22022",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22022"
},
{
"name": "CVE-2025-40200",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40200"
},
{
"name": "CVE-2025-38236",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38236"
},
{
"name": "CVE-2025-68818",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68818"
},
{
"name": "CVE-2025-40124",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40124"
},
{
"name": "CVE-2025-39880",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39880"
},
{
"name": "CVE-2025-40094",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40094"
},
{
"name": "CVE-2025-38125",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38125"
},
{
"name": "CVE-2024-41014",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-41014"
},
{
"name": "CVE-2025-71148",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71148"
},
{
"name": "CVE-2025-68366",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68366"
},
{
"name": "CVE-2024-36347",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-36347"
},
{
"name": "CVE-2025-68815",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68815"
},
{
"name": "CVE-2025-40215",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40215"
},
{
"name": "CVE-2026-23095",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23095"
},
{
"name": "CVE-2025-40111",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40111"
},
{
"name": "CVE-2025-68346",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68346"
},
{
"name": "CVE-2025-71163",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71163"
},
{
"name": "CVE-2025-40211",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40211"
},
{
"name": "CVE-2025-40068",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40068"
},
{
"name": "CVE-2025-40042",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40042"
},
{
"name": "CVE-2025-71096",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71096"
},
{
"name": "CVE-2025-71099",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71099"
},
{
"name": "CVE-2025-71095",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71095"
},
{
"name": "CVE-2025-71105",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71105"
},
{
"name": "CVE-2025-68266",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68266"
},
{
"name": "CVE-2025-68771",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68771"
},
{
"name": "CVE-2025-68363",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68363"
},
{
"name": "CVE-2025-40248",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40248"
},
{
"name": "CVE-2026-23411",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23411"
},
{
"name": "CVE-2026-22984",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22984"
},
{
"name": "CVE-2025-68303",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68303"
},
{
"name": "CVE-2025-40259",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40259"
},
{
"name": "CVE-2025-68757",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68757"
},
{
"name": "CVE-2025-71068",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71068"
},
{
"name": "CVE-2026-23033",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23033"
},
{
"name": "CVE-2026-23409",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23409"
},
{
"name": "CVE-2025-68784",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68784"
},
{
"name": "CVE-2026-22977",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22977"
},
{
"name": "CVE-2026-23145",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23145"
},
{
"name": "CVE-2026-23003",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23003"
},
{
"name": "CVE-2025-39937",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39937"
},
{
"name": "CVE-2025-68766",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68766"
},
{
"name": "CVE-2026-23076",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23076"
},
{
"name": "CVE-2025-40060",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40060"
},
{
"name": "CVE-2025-68792",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68792"
},
{
"name": "CVE-2025-68823",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68823"
},
{
"name": "CVE-2025-68168",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68168"
},
{
"name": "CVE-2025-71123",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71123"
},
{
"name": "CVE-2025-68206",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68206"
},
{
"name": "CVE-2025-71124",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71124"
},
{
"name": "CVE-2025-71100",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71100"
},
{
"name": "CVE-2025-68372",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68372"
},
{
"name": "CVE-2026-23404",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23404"
},
{
"name": "CVE-2025-71146",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71146"
},
{
"name": "CVE-2025-71137",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71137"
},
{
"name": "CVE-2026-23084",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23084"
},
{
"name": "CVE-2025-68301",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68301"
},
{
"name": "CVE-2026-23011",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23011"
},
{
"name": "CVE-2025-68217",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68217"
},
{
"name": "CVE-2025-40178",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40178"
},
{
"name": "CVE-2025-68289",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68289"
},
{
"name": "CVE-2025-40363",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40363"
},
{
"name": "CVE-2025-39869",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39869"
},
{
"name": "CVE-2025-40253",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40253"
},
{
"name": "CVE-2025-39985",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39985"
},
{
"name": "CVE-2025-71156",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71156"
},
{
"name": "CVE-2025-68245",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68245"
},
{
"name": "CVE-2025-40317",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40317"
},
{
"name": "CVE-2025-68809",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68809"
},
{
"name": "CVE-2025-71120",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71120"
},
{
"name": "CVE-2026-23060",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23060"
},
{
"name": "CVE-2025-68282",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68282"
},
{
"name": "CVE-2025-68817",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68817"
},
{
"name": "CVE-2025-71119",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71119"
},
{
"name": "CVE-2025-68787",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68787"
},
{
"name": "CVE-2025-68782",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68782"
},
{
"name": "CVE-2025-71197",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71197"
},
{
"name": "CVE-2025-68177",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68177"
},
{
"name": "CVE-2025-68758",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68758"
},
{
"name": "CVE-2025-68191",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68191"
},
{
"name": "CVE-2025-71113",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71113"
},
{
"name": "CVE-2025-71127",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71127"
},
{
"name": "CVE-2026-22998",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22998"
},
{
"name": "CVE-2025-68340",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68340"
},
{
"name": "CVE-2025-40258",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40258"
},
{
"name": "CVE-2025-40281",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40281"
},
{
"name": "CVE-2025-68185",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68185"
},
{
"name": "CVE-2025-40304",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40304"
},
{
"name": "CVE-2025-40110",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40110"
},
{
"name": "CVE-2024-56593",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-56593"
},
{
"name": "CVE-2026-23111",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23111"
},
{
"name": "CVE-2025-39980",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39980"
},
{
"name": "CVE-2025-40325",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40325"
},
{
"name": "CVE-2025-68798",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68798"
},
{
"name": "CVE-2025-68336",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68336"
},
{
"name": "CVE-2025-68810",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68810"
},
{
"name": "CVE-2025-40346",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40346"
},
{
"name": "CVE-2026-23097",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23097"
},
{
"name": "CVE-2025-40262",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40262"
},
{
"name": "CVE-2025-68819",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68819"
},
{
"name": "CVE-2025-40261",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40261"
},
{
"name": "CVE-2025-71072",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71072"
},
{
"name": "CVE-2025-40030",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40030"
},
{
"name": "CVE-2025-40244",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40244"
},
{
"name": "CVE-2025-39995",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39995"
},
{
"name": "CVE-2026-23021",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23021"
},
{
"name": "CVE-2025-68732",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68732"
},
{
"name": "CVE-2025-68285",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68285"
},
{
"name": "CVE-2026-23093",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23093"
},
{
"name": "CVE-2025-37849",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37849"
},
{
"name": "CVE-2024-56640",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-56640"
},
{
"name": "CVE-2025-68371",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68371"
},
{
"name": "CVE-2025-40275",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40275"
},
{
"name": "CVE-2025-39907",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39907"
},
{
"name": "CVE-2025-68211",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68211"
},
{
"name": "CVE-2025-71091",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71091"
},
{
"name": "CVE-2025-68227",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68227"
},
{
"name": "CVE-2025-40140",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40140"
},
{
"name": "CVE-2025-40223",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40223"
},
{
"name": "CVE-2025-68263",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68263"
},
{
"name": "CVE-2025-68800",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68800"
},
{
"name": "CVE-2024-53114",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53114"
},
{
"name": "CVE-2025-68261",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68261"
},
{
"name": "CVE-2025-68755",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68755"
},
{
"name": "CVE-2025-71149",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71149"
},
{
"name": "CVE-2025-68767",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68767"
},
{
"name": "CVE-2025-39873",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39873"
},
{
"name": "CVE-2025-40319",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40319"
},
{
"name": "CVE-2025-68727",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68727"
},
{
"name": "CVE-2026-23080",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23080"
},
{
"name": "CVE-2025-38248",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38248"
},
{
"name": "CVE-2025-40351",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40351"
},
{
"name": "CVE-2025-68264",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68264"
},
{
"name": "CVE-2025-40087",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40087"
},
{
"name": "CVE-2025-68764",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68764"
}
],
"initial_release_date": "2026-04-17T00:00:00",
"last_revision_date": "2026-04-17T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0453",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-04-17T00:00:00.000000"
}
],
"risks": [
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "D\u00e9ni de service"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans le noyau Linux d\u0027Ubuntu. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une \u00e9l\u00e9vation de privil\u00e8ges, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans le noyau Linux d\u0027Ubuntu",
"vendor_advisories": [
{
"published_at": "2026-04-17",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-8188-1",
"url": "https://ubuntu.com/security/notices/USN-8188-1"
},
{
"published_at": "2026-04-17",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-8180-2",
"url": "https://ubuntu.com/security/notices/USN-8180-2"
},
{
"published_at": "2026-04-14",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-8149-3",
"url": "https://ubuntu.com/security/notices/USN-8149-3"
},
{
"published_at": "2026-04-13",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu LSN-0119-1",
"url": "https://ubuntu.com/security/notices/LSN-0119-1"
},
{
"published_at": "2026-04-16",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-8148-7",
"url": "https://ubuntu.com/security/notices/USN-8148-7"
},
{
"published_at": "2026-04-17",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-8187-1",
"url": "https://ubuntu.com/security/notices/USN-8187-1"
},
{
"published_at": "2026-04-17",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-8184-1",
"url": "https://ubuntu.com/security/notices/USN-8184-1"
},
{
"published_at": "2026-04-14",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-8148-6",
"url": "https://ubuntu.com/security/notices/USN-8148-6"
},
{
"published_at": "2026-04-17",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-8185-1",
"url": "https://ubuntu.com/security/notices/USN-8185-1"
},
{
"published_at": "2026-04-17",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-8186-1",
"url": "https://ubuntu.com/security/notices/USN-8186-1"
},
{
"published_at": "2026-04-17",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-8179-2",
"url": "https://ubuntu.com/security/notices/USN-8179-2"
},
{
"published_at": "2026-04-16",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-8180-1",
"url": "https://ubuntu.com/security/notices/USN-8180-1"
},
{
"published_at": "2026-04-16",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-8179-1",
"url": "https://ubuntu.com/security/notices/USN-8179-1"
},
{
"published_at": "2026-04-16",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-8177-1",
"url": "https://ubuntu.com/security/notices/USN-8177-1"
},
{
"published_at": "2026-04-13",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-8163-2",
"url": "https://ubuntu.com/security/notices/USN-8163-2"
},
{
"published_at": "2026-04-17",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-8183-1",
"url": "https://ubuntu.com/security/notices/USN-8183-1"
},
{
"published_at": "2026-04-15",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-8145-5",
"url": "https://ubuntu.com/security/notices/USN-8145-5"
},
{
"published_at": "2026-04-17",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-8177-2",
"url": "https://ubuntu.com/security/notices/USN-8177-2"
}
]
}
CVE-2024-56538 (GCVE-0-2024-56538)
Vulnerability from cvelistv5
Published
2024-12-27 14:11
Modified
2025-05-04 09:57
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm: zynqmp_kms: Unplug DRM device before removal
Prevent userspace accesses to the DRM device from causing
use-after-frees by unplugging the device before we remove it. This
causes any further userspace accesses to result in an error without
further calls into this driver's internals.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-56538",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-11T15:42:57.597278Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-11T15:45:25.403Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/xlnx/zynqmp_kms.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a17b9afe58c474657449cf87e238b1788200576b",
"status": "affected",
"version": "d76271d22694e874ed70791702db9252ffe96a4c",
"versionType": "git"
},
{
"lessThan": "4fb97432e28a7e136b2d76135d50e988ada8e1af",
"status": "affected",
"version": "d76271d22694e874ed70791702db9252ffe96a4c",
"versionType": "git"
},
{
"lessThan": "692f52aedccbf79b212a1e14e3735192b4c24a7d",
"status": "affected",
"version": "d76271d22694e874ed70791702db9252ffe96a4c",
"versionType": "git"
},
{
"lessThan": "2e07c88914fc5289c21820b1aa94f058feb38197",
"status": "affected",
"version": "d76271d22694e874ed70791702db9252ffe96a4c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/xlnx/zynqmp_kms.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"version": "6.11.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.64",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11.11",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.2",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: zynqmp_kms: Unplug DRM device before removal\n\nPrevent userspace accesses to the DRM device from causing\nuse-after-frees by unplugging the device before we remove it. This\ncauses any further userspace accesses to result in an error without\nfurther calls into this driver\u0027s internals."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:57:41.632Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a17b9afe58c474657449cf87e238b1788200576b"
},
{
"url": "https://git.kernel.org/stable/c/4fb97432e28a7e136b2d76135d50e988ada8e1af"
},
{
"url": "https://git.kernel.org/stable/c/692f52aedccbf79b212a1e14e3735192b4c24a7d"
},
{
"url": "https://git.kernel.org/stable/c/2e07c88914fc5289c21820b1aa94f058feb38197"
}
],
"title": "drm: zynqmp_kms: Unplug DRM device before removal",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-56538",
"datePublished": "2024-12-27T14:11:20.685Z",
"dateReserved": "2024-12-27T14:03:05.986Z",
"dateUpdated": "2025-05-04T09:57:41.632Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-68330 (GCVE-0-2025-68330)
Vulnerability from cvelistv5
Published
2025-12-22 16:12
Modified
2026-01-02 15:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
iio: accel: bmc150: Fix irq assumption regression
The code in bmc150-accel-core.c unconditionally calls
bmc150_accel_set_interrupt() in the iio_buffer_setup_ops,
such as on the runtime PM resume path giving a kernel
splat like this if the device has no interrupts:
Unable to handle kernel NULL pointer dereference at virtual
address 00000001 when read
PC is at bmc150_accel_set_interrupt+0x98/0x194
LR is at __pm_runtime_resume+0x5c/0x64
(...)
Call trace:
bmc150_accel_set_interrupt from bmc150_accel_buffer_postenable+0x40/0x108
bmc150_accel_buffer_postenable from __iio_update_buffers+0xbe0/0xcbc
__iio_update_buffers from enable_store+0x84/0xc8
enable_store from kernfs_fop_write_iter+0x154/0x1b4
This bug seems to have been in the driver since the beginning,
but it only manifests recently, I do not know why.
Store the IRQ number in the state struct, as this is a common
pattern in other drivers, then use this to determine if we have
IRQ support or not.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: c16bff4844ffa678ba0c9d077e9797506924ccdd Version: c16bff4844ffa678ba0c9d077e9797506924ccdd Version: c16bff4844ffa678ba0c9d077e9797506924ccdd Version: c16bff4844ffa678ba0c9d077e9797506924ccdd Version: c16bff4844ffa678ba0c9d077e9797506924ccdd Version: c16bff4844ffa678ba0c9d077e9797506924ccdd |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iio/accel/bmc150-accel-core.c",
"drivers/iio/accel/bmc150-accel.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "aad9d048a3211c48ec02efa405bf462856feb862",
"status": "affected",
"version": "c16bff4844ffa678ba0c9d077e9797506924ccdd",
"versionType": "git"
},
{
"lessThan": "c891f504bb66604c822e7985e093cf39b97fdeb0",
"status": "affected",
"version": "c16bff4844ffa678ba0c9d077e9797506924ccdd",
"versionType": "git"
},
{
"lessThan": "cdd4a9e98004bd7c7488311951fa6dbae38b2b80",
"status": "affected",
"version": "c16bff4844ffa678ba0c9d077e9797506924ccdd",
"versionType": "git"
},
{
"lessThan": "65ad4ed983fd9ee0259d86391d6a53f78203918c",
"status": "affected",
"version": "c16bff4844ffa678ba0c9d077e9797506924ccdd",
"versionType": "git"
},
{
"lessThan": "93eaa5ddc5fc4f50ac396afad8ce261102ebd4f3",
"status": "affected",
"version": "c16bff4844ffa678ba0c9d077e9797506924ccdd",
"versionType": "git"
},
{
"lessThan": "3aa385a9c75c09b59dcab2ff76423439d23673ab",
"status": "affected",
"version": "c16bff4844ffa678ba0c9d077e9797506924ccdd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iio/accel/bmc150-accel-core.c",
"drivers/iio/accel/bmc150-accel.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: accel: bmc150: Fix irq assumption regression\n\nThe code in bmc150-accel-core.c unconditionally calls\nbmc150_accel_set_interrupt() in the iio_buffer_setup_ops,\nsuch as on the runtime PM resume path giving a kernel\nsplat like this if the device has no interrupts:\n\nUnable to handle kernel NULL pointer dereference at virtual\n address 00000001 when read\n\nPC is at bmc150_accel_set_interrupt+0x98/0x194\nLR is at __pm_runtime_resume+0x5c/0x64\n(...)\nCall trace:\nbmc150_accel_set_interrupt from bmc150_accel_buffer_postenable+0x40/0x108\nbmc150_accel_buffer_postenable from __iio_update_buffers+0xbe0/0xcbc\n__iio_update_buffers from enable_store+0x84/0xc8\nenable_store from kernfs_fop_write_iter+0x154/0x1b4\n\nThis bug seems to have been in the driver since the beginning,\nbut it only manifests recently, I do not know why.\n\nStore the IRQ number in the state struct, as this is a common\npattern in other drivers, then use this to determine if we have\nIRQ support or not."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:35:09.465Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/aad9d048a3211c48ec02efa405bf462856feb862"
},
{
"url": "https://git.kernel.org/stable/c/c891f504bb66604c822e7985e093cf39b97fdeb0"
},
{
"url": "https://git.kernel.org/stable/c/cdd4a9e98004bd7c7488311951fa6dbae38b2b80"
},
{
"url": "https://git.kernel.org/stable/c/65ad4ed983fd9ee0259d86391d6a53f78203918c"
},
{
"url": "https://git.kernel.org/stable/c/93eaa5ddc5fc4f50ac396afad8ce261102ebd4f3"
},
{
"url": "https://git.kernel.org/stable/c/3aa385a9c75c09b59dcab2ff76423439d23673ab"
}
],
"title": "iio: accel: bmc150: Fix irq assumption regression",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68330",
"datePublished": "2025-12-22T16:12:23.864Z",
"dateReserved": "2025-12-16T14:48:05.296Z",
"dateUpdated": "2026-01-02T15:35:09.465Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39934 (GCVE-0-2025-39934)
Vulnerability from cvelistv5
Published
2025-10-04 07:30
Modified
2025-10-04 07:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm: bridge: anx7625: Fix NULL pointer dereference with early IRQ
If the interrupt occurs before resource initialization is complete, the
interrupt handler/worker may access uninitialized data such as the I2C
tcpc_client device, potentially leading to NULL pointer dereference.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 8bdfc5dae4e3ba4d99dfb430ef43249e5f1b7730 Version: 8bdfc5dae4e3ba4d99dfb430ef43249e5f1b7730 Version: 8bdfc5dae4e3ba4d99dfb430ef43249e5f1b7730 Version: 8bdfc5dae4e3ba4d99dfb430ef43249e5f1b7730 Version: 8bdfc5dae4e3ba4d99dfb430ef43249e5f1b7730 Version: 8bdfc5dae4e3ba4d99dfb430ef43249e5f1b7730 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/bridge/analogix/anx7625.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "51a501e990a353a4f15da6bab295b28e5d118f64",
"status": "affected",
"version": "8bdfc5dae4e3ba4d99dfb430ef43249e5f1b7730",
"versionType": "git"
},
{
"lessThan": "f9a089d0a6d537d0f2061c8a37a7de535ce0310e",
"status": "affected",
"version": "8bdfc5dae4e3ba4d99dfb430ef43249e5f1b7730",
"versionType": "git"
},
{
"lessThan": "15a77e1ab0a994d69b471c76b8d01117128dda26",
"status": "affected",
"version": "8bdfc5dae4e3ba4d99dfb430ef43249e5f1b7730",
"versionType": "git"
},
{
"lessThan": "0da73f7827691a5e2265b110d5fe12f29535ec92",
"status": "affected",
"version": "8bdfc5dae4e3ba4d99dfb430ef43249e5f1b7730",
"versionType": "git"
},
{
"lessThan": "1a7ea294d57fb61485d11b3f2241d631d73025cb",
"status": "affected",
"version": "8bdfc5dae4e3ba4d99dfb430ef43249e5f1b7730",
"versionType": "git"
},
{
"lessThan": "a10f910c77f280327b481e77eab909934ec508f0",
"status": "affected",
"version": "8bdfc5dae4e3ba4d99dfb430ef43249e5f1b7730",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/bridge/analogix/anx7625.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.154",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.108",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.154",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.108",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.49",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.9",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: bridge: anx7625: Fix NULL pointer dereference with early IRQ\n\nIf the interrupt occurs before resource initialization is complete, the\ninterrupt handler/worker may access uninitialized data such as the I2C\ntcpc_client device, potentially leading to NULL pointer dereference."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T07:37:00.467Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/51a501e990a353a4f15da6bab295b28e5d118f64"
},
{
"url": "https://git.kernel.org/stable/c/f9a089d0a6d537d0f2061c8a37a7de535ce0310e"
},
{
"url": "https://git.kernel.org/stable/c/15a77e1ab0a994d69b471c76b8d01117128dda26"
},
{
"url": "https://git.kernel.org/stable/c/0da73f7827691a5e2265b110d5fe12f29535ec92"
},
{
"url": "https://git.kernel.org/stable/c/1a7ea294d57fb61485d11b3f2241d631d73025cb"
},
{
"url": "https://git.kernel.org/stable/c/a10f910c77f280327b481e77eab909934ec508f0"
}
],
"title": "drm: bridge: anx7625: Fix NULL pointer dereference with early IRQ",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39934",
"datePublished": "2025-10-04T07:30:58.284Z",
"dateReserved": "2025-04-16T07:20:57.148Z",
"dateUpdated": "2025-10-04T07:37:00.467Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40309 (GCVE-0-2025-40309)
Vulnerability from cvelistv5
Published
2025-12-08 00:46
Modified
2026-01-02 15:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: SCO: Fix UAF on sco_conn_free
BUG: KASAN: slab-use-after-free in sco_conn_free net/bluetooth/sco.c:87 [inline]
BUG: KASAN: slab-use-after-free in kref_put include/linux/kref.h:65 [inline]
BUG: KASAN: slab-use-after-free in sco_conn_put+0xdd/0x410
net/bluetooth/sco.c:107
Write of size 8 at addr ffff88811cb96b50 by task kworker/u17:4/352
CPU: 1 UID: 0 PID: 352 Comm: kworker/u17:4 Not tainted
6.17.0-rc5-g717368f83676 #4 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Workqueue: hci13 hci_cmd_sync_work
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x10b/0x170 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0x191/0x550 mm/kasan/report.c:482
kasan_report+0xc4/0x100 mm/kasan/report.c:595
sco_conn_free net/bluetooth/sco.c:87 [inline]
kref_put include/linux/kref.h:65 [inline]
sco_conn_put+0xdd/0x410 net/bluetooth/sco.c:107
sco_connect_cfm+0xb4/0xae0 net/bluetooth/sco.c:1441
hci_connect_cfm include/net/bluetooth/hci_core.h:2082 [inline]
hci_conn_failed+0x20a/0x2e0 net/bluetooth/hci_conn.c:1313
hci_conn_unlink+0x55f/0x810 net/bluetooth/hci_conn.c:1121
hci_conn_del+0xb6/0x1110 net/bluetooth/hci_conn.c:1147
hci_abort_conn_sync+0x8c5/0xbb0 net/bluetooth/hci_sync.c:5689
hci_cmd_sync_work+0x281/0x380 net/bluetooth/hci_sync.c:332
process_one_work kernel/workqueue.c:3236 [inline]
process_scheduled_works+0x77e/0x1040 kernel/workqueue.c:3319
worker_thread+0xbee/0x1200 kernel/workqueue.c:3400
kthread+0x3c7/0x870 kernel/kthread.c:463
ret_from_fork+0x13a/0x1e0 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
Allocated by task 31370:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x30/0x70 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:388 [inline]
__kasan_kmalloc+0x82/0x90 mm/kasan/common.c:405
kasan_kmalloc include/linux/kasan.h:260 [inline]
__do_kmalloc_node mm/slub.c:4382 [inline]
__kmalloc_noprof+0x22f/0x390 mm/slub.c:4394
kmalloc_noprof include/linux/slab.h:909 [inline]
sk_prot_alloc+0xae/0x220 net/core/sock.c:2239
sk_alloc+0x34/0x5a0 net/core/sock.c:2295
bt_sock_alloc+0x3c/0x330 net/bluetooth/af_bluetooth.c:151
sco_sock_alloc net/bluetooth/sco.c:562 [inline]
sco_sock_create+0xc0/0x350 net/bluetooth/sco.c:593
bt_sock_create+0x161/0x3b0 net/bluetooth/af_bluetooth.c:135
__sock_create+0x3ad/0x780 net/socket.c:1589
sock_create net/socket.c:1647 [inline]
__sys_socket_create net/socket.c:1684 [inline]
__sys_socket+0xd5/0x330 net/socket.c:1731
__do_sys_socket net/socket.c:1745 [inline]
__se_sys_socket net/socket.c:1743 [inline]
__x64_sys_socket+0x7a/0x90 net/socket.c:1743
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xc7/0x240 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 31374:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x30/0x70 mm/kasan/common.c:68
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:243 [inline]
__kasan_slab_free+0x3d/0x50 mm/kasan/common.c:275
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2428 [inline]
slab_free mm/slub.c:4701 [inline]
kfree+0x199/0x3b0 mm/slub.c:4900
sk_prot_free net/core/sock.c:2278 [inline]
__sk_destruct+0x4aa/0x630 net/core/sock.c:2373
sco_sock_release+0x2ad/0x300 net/bluetooth/sco.c:1333
__sock_release net/socket.c:649 [inline]
sock_close+0xb8/0x230 net/socket.c:1439
__fput+0x3d1/0x9e0 fs/file_table.c:468
task_work_run+0x206/0x2a0 kernel/task_work.c:227
get_signal+0x1201/0x1410 kernel/signal.c:2807
arch_do_signal_or_restart+0x34/0x740 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop+0x68/0xc0 kernel/entry/common.c:40
exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
s
---truncated---
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/sco.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "391f83547b7b2c63e4b572ab838e10a06cfa4425",
"status": "affected",
"version": "e6720779ae612a14ac4ba7fe4fd5b27d900d932c",
"versionType": "git"
},
{
"lessThan": "ecb9a843be4d6fd710d7026e359f21015a062572",
"status": "affected",
"version": "e6720779ae612a14ac4ba7fe4fd5b27d900d932c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/sco.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.13"
},
{
"lessThan": "6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: SCO: Fix UAF on sco_conn_free\n\nBUG: KASAN: slab-use-after-free in sco_conn_free net/bluetooth/sco.c:87 [inline]\nBUG: KASAN: slab-use-after-free in kref_put include/linux/kref.h:65 [inline]\nBUG: KASAN: slab-use-after-free in sco_conn_put+0xdd/0x410\nnet/bluetooth/sco.c:107\nWrite of size 8 at addr ffff88811cb96b50 by task kworker/u17:4/352\n\nCPU: 1 UID: 0 PID: 352 Comm: kworker/u17:4 Not tainted\n6.17.0-rc5-g717368f83676 #4 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nWorkqueue: hci13 hci_cmd_sync_work\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x10b/0x170 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0x191/0x550 mm/kasan/report.c:482\n kasan_report+0xc4/0x100 mm/kasan/report.c:595\n sco_conn_free net/bluetooth/sco.c:87 [inline]\n kref_put include/linux/kref.h:65 [inline]\n sco_conn_put+0xdd/0x410 net/bluetooth/sco.c:107\n sco_connect_cfm+0xb4/0xae0 net/bluetooth/sco.c:1441\n hci_connect_cfm include/net/bluetooth/hci_core.h:2082 [inline]\n hci_conn_failed+0x20a/0x2e0 net/bluetooth/hci_conn.c:1313\n hci_conn_unlink+0x55f/0x810 net/bluetooth/hci_conn.c:1121\n hci_conn_del+0xb6/0x1110 net/bluetooth/hci_conn.c:1147\n hci_abort_conn_sync+0x8c5/0xbb0 net/bluetooth/hci_sync.c:5689\n hci_cmd_sync_work+0x281/0x380 net/bluetooth/hci_sync.c:332\n process_one_work kernel/workqueue.c:3236 [inline]\n process_scheduled_works+0x77e/0x1040 kernel/workqueue.c:3319\n worker_thread+0xbee/0x1200 kernel/workqueue.c:3400\n kthread+0x3c7/0x870 kernel/kthread.c:463\n ret_from_fork+0x13a/0x1e0 arch/x86/kernel/process.c:148\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\n \u003c/TASK\u003e\n\nAllocated by task 31370:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x30/0x70 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:388 [inline]\n __kasan_kmalloc+0x82/0x90 mm/kasan/common.c:405\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __do_kmalloc_node mm/slub.c:4382 [inline]\n __kmalloc_noprof+0x22f/0x390 mm/slub.c:4394\n kmalloc_noprof include/linux/slab.h:909 [inline]\n sk_prot_alloc+0xae/0x220 net/core/sock.c:2239\n sk_alloc+0x34/0x5a0 net/core/sock.c:2295\n bt_sock_alloc+0x3c/0x330 net/bluetooth/af_bluetooth.c:151\n sco_sock_alloc net/bluetooth/sco.c:562 [inline]\n sco_sock_create+0xc0/0x350 net/bluetooth/sco.c:593\n bt_sock_create+0x161/0x3b0 net/bluetooth/af_bluetooth.c:135\n __sock_create+0x3ad/0x780 net/socket.c:1589\n sock_create net/socket.c:1647 [inline]\n __sys_socket_create net/socket.c:1684 [inline]\n __sys_socket+0xd5/0x330 net/socket.c:1731\n __do_sys_socket net/socket.c:1745 [inline]\n __se_sys_socket net/socket.c:1743 [inline]\n __x64_sys_socket+0x7a/0x90 net/socket.c:1743\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xc7/0x240 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFreed by task 31374:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x30/0x70 mm/kasan/common.c:68\n kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:576\n poison_slab_object mm/kasan/common.c:243 [inline]\n __kasan_slab_free+0x3d/0x50 mm/kasan/common.c:275\n kasan_slab_free include/linux/kasan.h:233 [inline]\n slab_free_hook mm/slub.c:2428 [inline]\n slab_free mm/slub.c:4701 [inline]\n kfree+0x199/0x3b0 mm/slub.c:4900\n sk_prot_free net/core/sock.c:2278 [inline]\n __sk_destruct+0x4aa/0x630 net/core/sock.c:2373\n sco_sock_release+0x2ad/0x300 net/bluetooth/sco.c:1333\n __sock_release net/socket.c:649 [inline]\n sock_close+0xb8/0x230 net/socket.c:1439\n __fput+0x3d1/0x9e0 fs/file_table.c:468\n task_work_run+0x206/0x2a0 kernel/task_work.c:227\n get_signal+0x1201/0x1410 kernel/signal.c:2807\n arch_do_signal_or_restart+0x34/0x740 arch/x86/kernel/signal.c:337\n exit_to_user_mode_loop+0x68/0xc0 kernel/entry/common.c:40\n exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]\n s\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:30.865Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/391f83547b7b2c63e4b572ab838e10a06cfa4425"
},
{
"url": "https://git.kernel.org/stable/c/ecb9a843be4d6fd710d7026e359f21015a062572"
}
],
"title": "Bluetooth: SCO: Fix UAF on sco_conn_free",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40309",
"datePublished": "2025-12-08T00:46:34.785Z",
"dateReserved": "2025-04-16T07:20:57.185Z",
"dateUpdated": "2026-01-02T15:33:30.865Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68818 (GCVE-0-2025-68818)
Vulnerability from cvelistv5
Published
2026-01-13 15:29
Modified
2026-02-09 08:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: Revert "scsi: qla2xxx: Perform lockless command completion in abort path"
This reverts commit 0367076b0817d5c75dfb83001ce7ce5c64d803a9.
The commit being reverted added code to __qla2x00_abort_all_cmds() to
call sp->done() without holding a spinlock. But unlike the older code
below it, this new code failed to check sp->cmd_type and just assumed
TYPE_SRB, which results in a jump to an invalid pointer in target-mode
with TYPE_TGT_CMD:
qla2xxx [0000:65:00.0]-d034:8: qla24xx_do_nack_work create sess success
0000000009f7a79b
qla2xxx [0000:65:00.0]-5003:8: ISP System Error - mbx1=1ff5h mbx2=10h
mbx3=0h mbx4=0h mbx5=191h mbx6=0h mbx7=0h.
qla2xxx [0000:65:00.0]-d01e:8: -> fwdump no buffer
qla2xxx [0000:65:00.0]-f03a:8: qla_target(0): System error async event
0x8002 occurred
qla2xxx [0000:65:00.0]-00af:8: Performing ISP error recovery -
ha=0000000058183fda.
BUG: kernel NULL pointer dereference, address: 0000000000000000
PF: supervisor instruction fetch in kernel mode
PF: error_code(0x0010) - not-present page
PGD 0 P4D 0
Oops: 0010 [#1] SMP
CPU: 2 PID: 9446 Comm: qla2xxx_8_dpc Tainted: G O 6.1.133 #1
Hardware name: Supermicro Super Server/X11SPL-F, BIOS 4.2 12/15/2023
RIP: 0010:0x0
Code: Unable to access opcode bytes at 0xffffffffffffffd6.
RSP: 0018:ffffc90001f93dc8 EFLAGS: 00010206
RAX: 0000000000000282 RBX: 0000000000000355 RCX: ffff88810d16a000
RDX: ffff88810dbadaa8 RSI: 0000000000080000 RDI: ffff888169dc38c0
RBP: ffff888169dc38c0 R08: 0000000000000001 R09: 0000000000000045
R10: ffffffffa034bdf0 R11: 0000000000000000 R12: ffff88810800bb40
R13: 0000000000001aa8 R14: ffff888100136610 R15: ffff8881070f7400
FS: 0000000000000000(0000) GS:ffff88bf80080000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 000000010c8ff006 CR4: 00000000003706e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
? __die+0x4d/0x8b
? page_fault_oops+0x91/0x180
? trace_buffer_unlock_commit_regs+0x38/0x1a0
? exc_page_fault+0x391/0x5e0
? asm_exc_page_fault+0x22/0x30
__qla2x00_abort_all_cmds+0xcb/0x3e0 [qla2xxx_scst]
qla2x00_abort_all_cmds+0x50/0x70 [qla2xxx_scst]
qla2x00_abort_isp_cleanup+0x3b7/0x4b0 [qla2xxx_scst]
qla2x00_abort_isp+0xfd/0x860 [qla2xxx_scst]
qla2x00_do_dpc+0x581/0xa40 [qla2xxx_scst]
kthread+0xa8/0xd0
</TASK>
Then commit 4475afa2646d ("scsi: qla2xxx: Complete command early within
lock") added the spinlock back, because not having the lock caused a
race and a crash. But qla2x00_abort_srb() in the switch below already
checks for qla2x00_chip_is_down() and handles it the same way, so the
code above the switch is now redundant and still buggy in target-mode.
Remove it.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 231cfa78ec5badd84a1a2b09465bfad1a926aba1 Version: d6f7377528d2abf338e504126e44439541be8f7d Version: cd0a1804ac5bab2545ac700c8d0fe9ae9284c567 Version: 0367076b0817d5c75dfb83001ce7ce5c64d803a9 Version: 0367076b0817d5c75dfb83001ce7ce5c64d803a9 Version: 0367076b0817d5c75dfb83001ce7ce5c64d803a9 Version: 0367076b0817d5c75dfb83001ce7ce5c64d803a9 Version: 9189f20b4c5307c0998682bb522e481b4567a8b8 Version: 415d614344a4f1bbddf55d724fc7eb9ef4b39aad |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_os.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b04b3733fff7e94566386b962e4795550fbdfd3d",
"status": "affected",
"version": "231cfa78ec5badd84a1a2b09465bfad1a926aba1",
"versionType": "git"
},
{
"lessThan": "50b097d92c99f718831b8b349722bc79f718ba1b",
"status": "affected",
"version": "d6f7377528d2abf338e504126e44439541be8f7d",
"versionType": "git"
},
{
"lessThan": "c5c37a821bd1708f26a9522b4a6f47b9f7a20003",
"status": "affected",
"version": "cd0a1804ac5bab2545ac700c8d0fe9ae9284c567",
"versionType": "git"
},
{
"lessThan": "e9e601b7df58ba0c667baf30263331df2c02ffe1",
"status": "affected",
"version": "0367076b0817d5c75dfb83001ce7ce5c64d803a9",
"versionType": "git"
},
{
"lessThan": "b10ebbfd59a535c8d22f4ede6e8389622ce98dc0",
"status": "affected",
"version": "0367076b0817d5c75dfb83001ce7ce5c64d803a9",
"versionType": "git"
},
{
"lessThan": "1c728951bc769b795d377852eae1abddad88635d",
"status": "affected",
"version": "0367076b0817d5c75dfb83001ce7ce5c64d803a9",
"versionType": "git"
},
{
"lessThan": "b57fbc88715b6d18f379463f48a15b560b087ffe",
"status": "affected",
"version": "0367076b0817d5c75dfb83001ce7ce5c64d803a9",
"versionType": "git"
},
{
"status": "affected",
"version": "9189f20b4c5307c0998682bb522e481b4567a8b8",
"versionType": "git"
},
{
"status": "affected",
"version": "415d614344a4f1bbddf55d724fc7eb9ef4b39aad",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_os.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.10.177",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.15.105",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "6.1.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.240",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.2.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: Revert \"scsi: qla2xxx: Perform lockless command completion in abort path\"\n\nThis reverts commit 0367076b0817d5c75dfb83001ce7ce5c64d803a9.\n\nThe commit being reverted added code to __qla2x00_abort_all_cmds() to\ncall sp-\u003edone() without holding a spinlock. But unlike the older code\nbelow it, this new code failed to check sp-\u003ecmd_type and just assumed\nTYPE_SRB, which results in a jump to an invalid pointer in target-mode\nwith TYPE_TGT_CMD:\n\nqla2xxx [0000:65:00.0]-d034:8: qla24xx_do_nack_work create sess success\n 0000000009f7a79b\nqla2xxx [0000:65:00.0]-5003:8: ISP System Error - mbx1=1ff5h mbx2=10h\n mbx3=0h mbx4=0h mbx5=191h mbx6=0h mbx7=0h.\nqla2xxx [0000:65:00.0]-d01e:8: -\u003e fwdump no buffer\nqla2xxx [0000:65:00.0]-f03a:8: qla_target(0): System error async event\n 0x8002 occurred\nqla2xxx [0000:65:00.0]-00af:8: Performing ISP error recovery -\n ha=0000000058183fda.\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nPF: supervisor instruction fetch in kernel mode\nPF: error_code(0x0010) - not-present page\nPGD 0 P4D 0\nOops: 0010 [#1] SMP\nCPU: 2 PID: 9446 Comm: qla2xxx_8_dpc Tainted: G O 6.1.133 #1\nHardware name: Supermicro Super Server/X11SPL-F, BIOS 4.2 12/15/2023\nRIP: 0010:0x0\nCode: Unable to access opcode bytes at 0xffffffffffffffd6.\nRSP: 0018:ffffc90001f93dc8 EFLAGS: 00010206\nRAX: 0000000000000282 RBX: 0000000000000355 RCX: ffff88810d16a000\nRDX: ffff88810dbadaa8 RSI: 0000000000080000 RDI: ffff888169dc38c0\nRBP: ffff888169dc38c0 R08: 0000000000000001 R09: 0000000000000045\nR10: ffffffffa034bdf0 R11: 0000000000000000 R12: ffff88810800bb40\nR13: 0000000000001aa8 R14: ffff888100136610 R15: ffff8881070f7400\nFS: 0000000000000000(0000) GS:ffff88bf80080000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffffffffffffd6 CR3: 000000010c8ff006 CR4: 00000000003706e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n ? __die+0x4d/0x8b\n ? page_fault_oops+0x91/0x180\n ? trace_buffer_unlock_commit_regs+0x38/0x1a0\n ? exc_page_fault+0x391/0x5e0\n ? asm_exc_page_fault+0x22/0x30\n __qla2x00_abort_all_cmds+0xcb/0x3e0 [qla2xxx_scst]\n qla2x00_abort_all_cmds+0x50/0x70 [qla2xxx_scst]\n qla2x00_abort_isp_cleanup+0x3b7/0x4b0 [qla2xxx_scst]\n qla2x00_abort_isp+0xfd/0x860 [qla2xxx_scst]\n qla2x00_do_dpc+0x581/0xa40 [qla2xxx_scst]\n kthread+0xa8/0xd0\n \u003c/TASK\u003e\n\nThen commit 4475afa2646d (\"scsi: qla2xxx: Complete command early within\nlock\") added the spinlock back, because not having the lock caused a\nrace and a crash. But qla2x00_abort_srb() in the switch below already\nchecks for qla2x00_chip_is_down() and handles it the same way, so the\ncode above the switch is now redundant and still buggy in target-mode.\nRemove it."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:08.239Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b04b3733fff7e94566386b962e4795550fbdfd3d"
},
{
"url": "https://git.kernel.org/stable/c/50b097d92c99f718831b8b349722bc79f718ba1b"
},
{
"url": "https://git.kernel.org/stable/c/c5c37a821bd1708f26a9522b4a6f47b9f7a20003"
},
{
"url": "https://git.kernel.org/stable/c/e9e601b7df58ba0c667baf30263331df2c02ffe1"
},
{
"url": "https://git.kernel.org/stable/c/b10ebbfd59a535c8d22f4ede6e8389622ce98dc0"
},
{
"url": "https://git.kernel.org/stable/c/1c728951bc769b795d377852eae1abddad88635d"
},
{
"url": "https://git.kernel.org/stable/c/b57fbc88715b6d18f379463f48a15b560b087ffe"
}
],
"title": "scsi: Revert \"scsi: qla2xxx: Perform lockless command completion in abort path\"",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68818",
"datePublished": "2026-01-13T15:29:22.018Z",
"dateReserved": "2025-12-24T10:30:51.048Z",
"dateUpdated": "2026-02-09T08:34:08.239Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23026 (GCVE-0-2026-23026)
Vulnerability from cvelistv5
Published
2026-01-31 11:42
Modified
2026-02-09 08:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: qcom: gpi: Fix memory leak in gpi_peripheral_config()
Fix a memory leak in gpi_peripheral_config() where the original memory
pointed to by gchan->config could be lost if krealloc() fails.
The issue occurs when:
1. gchan->config points to previously allocated memory
2. krealloc() fails and returns NULL
3. The function directly assigns NULL to gchan->config, losing the
reference to the original memory
4. The original memory becomes unreachable and cannot be freed
Fix this by using a temporary variable to hold the krealloc() result
and only updating gchan->config when the allocation succeeds.
Found via static analysis and code review.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 5d0c3533a19f48e5e7e73806a3e4b29cd4364130 Version: 5d0c3533a19f48e5e7e73806a3e4b29cd4364130 Version: 5d0c3533a19f48e5e7e73806a3e4b29cd4364130 Version: 5d0c3533a19f48e5e7e73806a3e4b29cd4364130 Version: 5d0c3533a19f48e5e7e73806a3e4b29cd4364130 Version: 5d0c3533a19f48e5e7e73806a3e4b29cd4364130 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/qcom/gpi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4532f18e4ab36def1f55cd936d0fc002b2ce34c2",
"status": "affected",
"version": "5d0c3533a19f48e5e7e73806a3e4b29cd4364130",
"versionType": "git"
},
{
"lessThan": "694ab1f6f16cb69f7c5ef2452b22ba7b00a3c7c7",
"status": "affected",
"version": "5d0c3533a19f48e5e7e73806a3e4b29cd4364130",
"versionType": "git"
},
{
"lessThan": "6bf4ef078fd11910988889a6c0b3698d2e0c89af",
"status": "affected",
"version": "5d0c3533a19f48e5e7e73806a3e4b29cd4364130",
"versionType": "git"
},
{
"lessThan": "01b1d781394fc9b83015e3a3cd46b17bda842bd8",
"status": "affected",
"version": "5d0c3533a19f48e5e7e73806a3e4b29cd4364130",
"versionType": "git"
},
{
"lessThan": "55a67ba5ac4cebfd54cc8305d4d57a0f1dfe6a85",
"status": "affected",
"version": "5d0c3533a19f48e5e7e73806a3e4b29cd4364130",
"versionType": "git"
},
{
"lessThan": "3f747004bbd641131d9396d87b5d2d3d1e182728",
"status": "affected",
"version": "5d0c3533a19f48e5e7e73806a3e4b29cd4364130",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/qcom/gpi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: qcom: gpi: Fix memory leak in gpi_peripheral_config()\n\nFix a memory leak in gpi_peripheral_config() where the original memory\npointed to by gchan-\u003econfig could be lost if krealloc() fails.\n\nThe issue occurs when:\n1. gchan-\u003econfig points to previously allocated memory\n2. krealloc() fails and returns NULL\n3. The function directly assigns NULL to gchan-\u003econfig, losing the\n reference to the original memory\n4. The original memory becomes unreachable and cannot be freed\n\nFix this by using a temporary variable to hold the krealloc() result\nand only updating gchan-\u003econfig when the allocation succeeds.\n\nFound via static analysis and code review."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:37:20.372Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4532f18e4ab36def1f55cd936d0fc002b2ce34c2"
},
{
"url": "https://git.kernel.org/stable/c/694ab1f6f16cb69f7c5ef2452b22ba7b00a3c7c7"
},
{
"url": "https://git.kernel.org/stable/c/6bf4ef078fd11910988889a6c0b3698d2e0c89af"
},
{
"url": "https://git.kernel.org/stable/c/01b1d781394fc9b83015e3a3cd46b17bda842bd8"
},
{
"url": "https://git.kernel.org/stable/c/55a67ba5ac4cebfd54cc8305d4d57a0f1dfe6a85"
},
{
"url": "https://git.kernel.org/stable/c/3f747004bbd641131d9396d87b5d2d3d1e182728"
}
],
"title": "dmaengine: qcom: gpi: Fix memory leak in gpi_peripheral_config()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23026",
"datePublished": "2026-01-31T11:42:05.185Z",
"dateReserved": "2026-01-13T15:37:45.941Z",
"dateUpdated": "2026-02-09T08:37:20.372Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40078 (GCVE-0-2025-40078)
Vulnerability from cvelistv5
Published
2025-10-28 11:48
Modified
2025-12-01 06:17
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Explicitly check accesses to bpf_sock_addr
Syzkaller found a kernel warning on the following sock_addr program:
0: r0 = 0
1: r2 = *(u32 *)(r1 +60)
2: exit
which triggers:
verifier bug: error during ctx access conversion (0)
This is happening because offset 60 in bpf_sock_addr corresponds to an
implicit padding of 4 bytes, right after msg_src_ip4. Access to this
padding isn't rejected in sock_addr_is_valid_access and it thus later
fails to convert the access.
This patch fixes it by explicitly checking the various fields of
bpf_sock_addr in sock_addr_is_valid_access.
I checked the other ctx structures and is_valid_access functions and
didn't find any other similar cases. Other cases of (properly handled)
padding are covered in new tests in a subsequent patch.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1cedee13d25ab118d325f95588c1a084e9317229 Version: 1cedee13d25ab118d325f95588c1a084e9317229 Version: 1cedee13d25ab118d325f95588c1a084e9317229 Version: 1cedee13d25ab118d325f95588c1a084e9317229 Version: 1cedee13d25ab118d325f95588c1a084e9317229 Version: 1cedee13d25ab118d325f95588c1a084e9317229 Version: 1cedee13d25ab118d325f95588c1a084e9317229 Version: 1cedee13d25ab118d325f95588c1a084e9317229 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/filter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "de44cdc50d2dce8718cb57deddf9cf1be9a7759f",
"status": "affected",
"version": "1cedee13d25ab118d325f95588c1a084e9317229",
"versionType": "git"
},
{
"lessThan": "76e04bbb4296fb6eac084dbfc27e02ccc744db3e",
"status": "affected",
"version": "1cedee13d25ab118d325f95588c1a084e9317229",
"versionType": "git"
},
{
"lessThan": "6d8b1a21fd5c34622b0c3893c61e4a38d8ba53ec",
"status": "affected",
"version": "1cedee13d25ab118d325f95588c1a084e9317229",
"versionType": "git"
},
{
"lessThan": "4f00858cd9bbbdf67159e28b85a8ca9e77c83622",
"status": "affected",
"version": "1cedee13d25ab118d325f95588c1a084e9317229",
"versionType": "git"
},
{
"lessThan": "cdeafacb4f9ff261a96baef519e29480fd7b1019",
"status": "affected",
"version": "1cedee13d25ab118d325f95588c1a084e9317229",
"versionType": "git"
},
{
"lessThan": "fe9d33f0470350558cb08cecb54cf2267b3a45d2",
"status": "affected",
"version": "1cedee13d25ab118d325f95588c1a084e9317229",
"versionType": "git"
},
{
"lessThan": "ad8b4fe5617e3c85fc23267f02500c4f3bf0ff69",
"status": "affected",
"version": "1cedee13d25ab118d325f95588c1a084e9317229",
"versionType": "git"
},
{
"lessThan": "6fabca2fc94d33cdf7ec102058983b086293395f",
"status": "affected",
"version": "1cedee13d25ab118d325f95588c1a084e9317229",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/filter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"lessThan": "4.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Explicitly check accesses to bpf_sock_addr\n\nSyzkaller found a kernel warning on the following sock_addr program:\n\n 0: r0 = 0\n 1: r2 = *(u32 *)(r1 +60)\n 2: exit\n\nwhich triggers:\n\n verifier bug: error during ctx access conversion (0)\n\nThis is happening because offset 60 in bpf_sock_addr corresponds to an\nimplicit padding of 4 bytes, right after msg_src_ip4. Access to this\npadding isn\u0027t rejected in sock_addr_is_valid_access and it thus later\nfails to convert the access.\n\nThis patch fixes it by explicitly checking the various fields of\nbpf_sock_addr in sock_addr_is_valid_access.\n\nI checked the other ctx structures and is_valid_access functions and\ndidn\u0027t find any other similar cases. Other cases of (properly handled)\npadding are covered in new tests in a subsequent patch."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:17:35.028Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/de44cdc50d2dce8718cb57deddf9cf1be9a7759f"
},
{
"url": "https://git.kernel.org/stable/c/76e04bbb4296fb6eac084dbfc27e02ccc744db3e"
},
{
"url": "https://git.kernel.org/stable/c/6d8b1a21fd5c34622b0c3893c61e4a38d8ba53ec"
},
{
"url": "https://git.kernel.org/stable/c/4f00858cd9bbbdf67159e28b85a8ca9e77c83622"
},
{
"url": "https://git.kernel.org/stable/c/cdeafacb4f9ff261a96baef519e29480fd7b1019"
},
{
"url": "https://git.kernel.org/stable/c/fe9d33f0470350558cb08cecb54cf2267b3a45d2"
},
{
"url": "https://git.kernel.org/stable/c/ad8b4fe5617e3c85fc23267f02500c4f3bf0ff69"
},
{
"url": "https://git.kernel.org/stable/c/6fabca2fc94d33cdf7ec102058983b086293395f"
}
],
"title": "bpf: Explicitly check accesses to bpf_sock_addr",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40078",
"datePublished": "2025-10-28T11:48:43.548Z",
"dateReserved": "2025-04-16T07:20:57.160Z",
"dateUpdated": "2025-12-01T06:17:35.028Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40278 (GCVE-0-2025-40278)
Vulnerability from cvelistv5
Published
2025-12-06 21:51
Modified
2025-12-06 21:51
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak
Fix a KMSAN kernel-infoleak detected by the syzbot .
[net?] KMSAN: kernel-infoleak in __skb_datagram_iter
In tcf_ife_dump(), the variable 'opt' was partially initialized using a
designatied initializer. While the padding bytes are reamined
uninitialized. nla_put() copies the entire structure into a
netlink message, these uninitialized bytes leaked to userspace.
Initialize the structure with memset before assigning its fields
to ensure all members and padding are cleared prior to beign copied.
This change silences the KMSAN report and prevents potential information
leaks from the kernel memory.
This fix has been tested and validated by syzbot. This patch closes the
bug reported at the following syzkaller link and ensures no infoleak.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: ef6980b6becb1afd9d82a4f043749a10ae81bf14 Version: ef6980b6becb1afd9d82a4f043749a10ae81bf14 Version: ef6980b6becb1afd9d82a4f043749a10ae81bf14 Version: ef6980b6becb1afd9d82a4f043749a10ae81bf14 Version: ef6980b6becb1afd9d82a4f043749a10ae81bf14 Version: ef6980b6becb1afd9d82a4f043749a10ae81bf14 Version: ef6980b6becb1afd9d82a4f043749a10ae81bf14 Version: ef6980b6becb1afd9d82a4f043749a10ae81bf14 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/act_ife.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "918e063304f945fb93be9bb70cacea07d0b730ea",
"status": "affected",
"version": "ef6980b6becb1afd9d82a4f043749a10ae81bf14",
"versionType": "git"
},
{
"lessThan": "5e3644ef147bf7140259dfa4cace680c9b26fe8b",
"status": "affected",
"version": "ef6980b6becb1afd9d82a4f043749a10ae81bf14",
"versionType": "git"
},
{
"lessThan": "37f0680887c5aeba9a433fe04b35169010568bb1",
"status": "affected",
"version": "ef6980b6becb1afd9d82a4f043749a10ae81bf14",
"versionType": "git"
},
{
"lessThan": "2191662058443e0bcc28d11694293d8339af6dde",
"status": "affected",
"version": "ef6980b6becb1afd9d82a4f043749a10ae81bf14",
"versionType": "git"
},
{
"lessThan": "a676a296af65d33725bdf7396803180957dbd92e",
"status": "affected",
"version": "ef6980b6becb1afd9d82a4f043749a10ae81bf14",
"versionType": "git"
},
{
"lessThan": "d1dbbbe839647486c9b893e5011fe84a052962df",
"status": "affected",
"version": "ef6980b6becb1afd9d82a4f043749a10ae81bf14",
"versionType": "git"
},
{
"lessThan": "c8f51dad94cbb88054e2aacc272b3ce1ed11fb1e",
"status": "affected",
"version": "ef6980b6becb1afd9d82a4f043749a10ae81bf14",
"versionType": "git"
},
{
"lessThan": "ce50039be49eea9b4cd8873ca6eccded1b4a130a",
"status": "affected",
"version": "ef6980b6becb1afd9d82a4f043749a10ae81bf14",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/act_ife.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.6"
},
{
"lessThan": "4.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak\n\nFix a KMSAN kernel-infoleak detected by the syzbot .\n\n[net?] KMSAN: kernel-infoleak in __skb_datagram_iter\n\nIn tcf_ife_dump(), the variable \u0027opt\u0027 was partially initialized using a\ndesignatied initializer. While the padding bytes are reamined\nuninitialized. nla_put() copies the entire structure into a\nnetlink message, these uninitialized bytes leaked to userspace.\n\nInitialize the structure with memset before assigning its fields\nto ensure all members and padding are cleared prior to beign copied.\n\nThis change silences the KMSAN report and prevents potential information\nleaks from the kernel memory.\n\nThis fix has been tested and validated by syzbot. This patch closes the\nbug reported at the following syzkaller link and ensures no infoleak."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T21:51:01.693Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/918e063304f945fb93be9bb70cacea07d0b730ea"
},
{
"url": "https://git.kernel.org/stable/c/5e3644ef147bf7140259dfa4cace680c9b26fe8b"
},
{
"url": "https://git.kernel.org/stable/c/37f0680887c5aeba9a433fe04b35169010568bb1"
},
{
"url": "https://git.kernel.org/stable/c/2191662058443e0bcc28d11694293d8339af6dde"
},
{
"url": "https://git.kernel.org/stable/c/a676a296af65d33725bdf7396803180957dbd92e"
},
{
"url": "https://git.kernel.org/stable/c/d1dbbbe839647486c9b893e5011fe84a052962df"
},
{
"url": "https://git.kernel.org/stable/c/c8f51dad94cbb88054e2aacc272b3ce1ed11fb1e"
},
{
"url": "https://git.kernel.org/stable/c/ce50039be49eea9b4cd8873ca6eccded1b4a130a"
}
],
"title": "net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40278",
"datePublished": "2025-12-06T21:51:01.693Z",
"dateReserved": "2025-04-16T07:20:57.184Z",
"dateUpdated": "2025-12-06T21:51:01.693Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68349 (GCVE-0-2025-68349)
Vulnerability from cvelistv5
Published
2025-12-24 10:32
Modified
2026-02-09 08:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
NFSv4/pNFS: Clear NFS_INO_LAYOUTCOMMIT in pnfs_mark_layout_stateid_invalid
Fixes a crash when layout is null during this call stack:
write_inode
-> nfs4_write_inode
-> pnfs_layoutcommit_inode
pnfs_set_layoutcommit relies on the lseg refcount to keep the layout
around. Need to clear NFS_INO_LAYOUTCOMMIT otherwise we might attempt
to reference a null layout.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: fe1cf9469d7bcb6af27e42eb555a41b0135bce4a Version: fe1cf9469d7bcb6af27e42eb555a41b0135bce4a Version: fe1cf9469d7bcb6af27e42eb555a41b0135bce4a Version: fe1cf9469d7bcb6af27e42eb555a41b0135bce4a Version: fe1cf9469d7bcb6af27e42eb555a41b0135bce4a Version: fe1cf9469d7bcb6af27e42eb555a41b0135bce4a Version: fe1cf9469d7bcb6af27e42eb555a41b0135bce4a Version: fe1cf9469d7bcb6af27e42eb555a41b0135bce4a |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfs/pnfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "084bebe82ad86f718a3af84f34761863e63164ed",
"status": "affected",
"version": "fe1cf9469d7bcb6af27e42eb555a41b0135bce4a",
"versionType": "git"
},
{
"lessThan": "b6e4e3a08c03200cc4b8067ec8ab3172a989d6fc",
"status": "affected",
"version": "fe1cf9469d7bcb6af27e42eb555a41b0135bce4a",
"versionType": "git"
},
{
"lessThan": "104080582ae0aa6dce6c6d75ff89062efe84673b",
"status": "affected",
"version": "fe1cf9469d7bcb6af27e42eb555a41b0135bce4a",
"versionType": "git"
},
{
"lessThan": "f718f9ea6094843b8c059b073af49ad61e9f49bb",
"status": "affected",
"version": "fe1cf9469d7bcb6af27e42eb555a41b0135bce4a",
"versionType": "git"
},
{
"lessThan": "59947dff0fb7c19c09ce6dccbcd253fd542b6c25",
"status": "affected",
"version": "fe1cf9469d7bcb6af27e42eb555a41b0135bce4a",
"versionType": "git"
},
{
"lessThan": "ca2e7fdad7c683b64821c94a58b9b68733214dad",
"status": "affected",
"version": "fe1cf9469d7bcb6af27e42eb555a41b0135bce4a",
"versionType": "git"
},
{
"lessThan": "38694f9aae00459ab443a7dc8b3949a6b33b560a",
"status": "affected",
"version": "fe1cf9469d7bcb6af27e42eb555a41b0135bce4a",
"versionType": "git"
},
{
"lessThan": "e0f8058f2cb56de0b7572f51cd563ca5debce746",
"status": "affected",
"version": "fe1cf9469d7bcb6af27e42eb555a41b0135bce4a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfs/pnfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.10"
},
{
"lessThan": "4.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSv4/pNFS: Clear NFS_INO_LAYOUTCOMMIT in pnfs_mark_layout_stateid_invalid\n\nFixes a crash when layout is null during this call stack:\n\nwrite_inode\n -\u003e nfs4_write_inode\n -\u003e pnfs_layoutcommit_inode\n\npnfs_set_layoutcommit relies on the lseg refcount to keep the layout\naround. Need to clear NFS_INO_LAYOUTCOMMIT otherwise we might attempt\nto reference a null layout."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:31:43.772Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/084bebe82ad86f718a3af84f34761863e63164ed"
},
{
"url": "https://git.kernel.org/stable/c/b6e4e3a08c03200cc4b8067ec8ab3172a989d6fc"
},
{
"url": "https://git.kernel.org/stable/c/104080582ae0aa6dce6c6d75ff89062efe84673b"
},
{
"url": "https://git.kernel.org/stable/c/f718f9ea6094843b8c059b073af49ad61e9f49bb"
},
{
"url": "https://git.kernel.org/stable/c/59947dff0fb7c19c09ce6dccbcd253fd542b6c25"
},
{
"url": "https://git.kernel.org/stable/c/ca2e7fdad7c683b64821c94a58b9b68733214dad"
},
{
"url": "https://git.kernel.org/stable/c/38694f9aae00459ab443a7dc8b3949a6b33b560a"
},
{
"url": "https://git.kernel.org/stable/c/e0f8058f2cb56de0b7572f51cd563ca5debce746"
}
],
"title": "NFSv4/pNFS: Clear NFS_INO_LAYOUTCOMMIT in pnfs_mark_layout_stateid_invalid",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68349",
"datePublished": "2025-12-24T10:32:41.253Z",
"dateReserved": "2025-12-16T14:48:05.300Z",
"dateUpdated": "2026-02-09T08:31:43.772Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40277 (GCVE-0-2025-40277)
Vulnerability from cvelistv5
Published
2025-12-06 21:51
Modified
2025-12-06 21:51
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE
This data originates from userspace and is used in buffer offset
calculations which could potentially overflow causing an out-of-bounds
access.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 8ce75f8ab9044fe11caaaf2b2c82471023212f9f Version: 8ce75f8ab9044fe11caaaf2b2c82471023212f9f Version: 8ce75f8ab9044fe11caaaf2b2c82471023212f9f Version: 8ce75f8ab9044fe11caaaf2b2c82471023212f9f Version: 8ce75f8ab9044fe11caaaf2b2c82471023212f9f Version: 8ce75f8ab9044fe11caaaf2b2c82471023212f9f Version: 8ce75f8ab9044fe11caaaf2b2c82471023212f9f Version: 8ce75f8ab9044fe11caaaf2b2c82471023212f9f |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e58559845021c3bad5e094219378b869157fad53",
"status": "affected",
"version": "8ce75f8ab9044fe11caaaf2b2c82471023212f9f",
"versionType": "git"
},
{
"lessThan": "54d458b244893e47bda52ec3943fdfbc8d7d068b",
"status": "affected",
"version": "8ce75f8ab9044fe11caaaf2b2c82471023212f9f",
"versionType": "git"
},
{
"lessThan": "709e5c088f9c99a5cf2c1d1c6ce58f2cca7ab173",
"status": "affected",
"version": "8ce75f8ab9044fe11caaaf2b2c82471023212f9f",
"versionType": "git"
},
{
"lessThan": "a3abb54c27b2c393c44362399777ad2f6e1ff17e",
"status": "affected",
"version": "8ce75f8ab9044fe11caaaf2b2c82471023212f9f",
"versionType": "git"
},
{
"lessThan": "b5df9e06eed3df6a4f5c6f8453013b0cabb927b4",
"status": "affected",
"version": "8ce75f8ab9044fe11caaaf2b2c82471023212f9f",
"versionType": "git"
},
{
"lessThan": "5aea2cde03d4247cdcf53f9ab7d0747c9dca1cfc",
"status": "affected",
"version": "8ce75f8ab9044fe11caaaf2b2c82471023212f9f",
"versionType": "git"
},
{
"lessThan": "f3f3a8eb3f0ba799fae057091d8c67cca12d6fa0",
"status": "affected",
"version": "8ce75f8ab9044fe11caaaf2b2c82471023212f9f",
"versionType": "git"
},
{
"lessThan": "32b415a9dc2c212e809b7ebc2b14bc3fbda2b9af",
"status": "affected",
"version": "8ce75f8ab9044fe11caaaf2b2c82471023212f9f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.3"
},
{
"lessThan": "4.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE\n\nThis data originates from userspace and is used in buffer offset\ncalculations which could potentially overflow causing an out-of-bounds\naccess."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T21:51:00.437Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e58559845021c3bad5e094219378b869157fad53"
},
{
"url": "https://git.kernel.org/stable/c/54d458b244893e47bda52ec3943fdfbc8d7d068b"
},
{
"url": "https://git.kernel.org/stable/c/709e5c088f9c99a5cf2c1d1c6ce58f2cca7ab173"
},
{
"url": "https://git.kernel.org/stable/c/a3abb54c27b2c393c44362399777ad2f6e1ff17e"
},
{
"url": "https://git.kernel.org/stable/c/b5df9e06eed3df6a4f5c6f8453013b0cabb927b4"
},
{
"url": "https://git.kernel.org/stable/c/5aea2cde03d4247cdcf53f9ab7d0747c9dca1cfc"
},
{
"url": "https://git.kernel.org/stable/c/f3f3a8eb3f0ba799fae057091d8c67cca12d6fa0"
},
{
"url": "https://git.kernel.org/stable/c/32b415a9dc2c212e809b7ebc2b14bc3fbda2b9af"
}
],
"title": "drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40277",
"datePublished": "2025-12-06T21:51:00.437Z",
"dateReserved": "2025-04-16T07:20:57.184Z",
"dateUpdated": "2025-12-06T21:51:00.437Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40106 (GCVE-0-2025-40106)
Vulnerability from cvelistv5
Published
2025-10-31 09:41
Modified
2026-01-02 15:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
comedi: fix divide-by-zero in comedi_buf_munge()
The comedi_buf_munge() function performs a modulo operation
`async->munge_chan %= async->cmd.chanlist_len` without first
checking if chanlist_len is zero. If a user program submits a command with
chanlist_len set to zero, this causes a divide-by-zero error when the device
processes data in the interrupt handler path.
Add a check for zero chanlist_len at the beginning of the
function, similar to the existing checks for !map and
CMDF_RAWDATA flag. When chanlist_len is zero, update
munge_count and return early, indicating the data was
handled without munging.
This prevents potential kernel panics from malformed user commands.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: ed9eccbe8970f6eedc1b978c157caf1251a896d4 Version: ed9eccbe8970f6eedc1b978c157caf1251a896d4 Version: ed9eccbe8970f6eedc1b978c157caf1251a896d4 Version: ed9eccbe8970f6eedc1b978c157caf1251a896d4 Version: ed9eccbe8970f6eedc1b978c157caf1251a896d4 Version: ed9eccbe8970f6eedc1b978c157caf1251a896d4 Version: ed9eccbe8970f6eedc1b978c157caf1251a896d4 Version: ed9eccbe8970f6eedc1b978c157caf1251a896d4 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/comedi/comedi_buf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4ffea48c69cb2b96a281cb7e5e42d706996631db",
"status": "affected",
"version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
"versionType": "git"
},
{
"lessThan": "8f3e4cd9be4b47246ea73ce5e3e0fa2f57f0d10c",
"status": "affected",
"version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
"versionType": "git"
},
{
"lessThan": "2670932f2465793fea1ef073e40883e8390fa4d9",
"status": "affected",
"version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
"versionType": "git"
},
{
"lessThan": "6db19822512396be1a3e1e20c16c97270285ba1a",
"status": "affected",
"version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
"versionType": "git"
},
{
"lessThan": "d4854eff25efb06d0d84c13e7129bbdba4125f8c",
"status": "affected",
"version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
"versionType": "git"
},
{
"lessThan": "a4bb5d1bc2f238461bcbe5303eb500466690bb2c",
"status": "affected",
"version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
"versionType": "git"
},
{
"lessThan": "55520f65fd447e04099a2c44185453c18ea73b7e",
"status": "affected",
"version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
"versionType": "git"
},
{
"lessThan": "87b318ba81dda2ee7b603f4f6c55e78ec3e95974",
"status": "affected",
"version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/comedi/comedi_buf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.29"
},
{
"lessThan": "2.6.29",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.196",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.115",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.196",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.115",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.56",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.6",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.29",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: fix divide-by-zero in comedi_buf_munge()\n\nThe comedi_buf_munge() function performs a modulo operation\n`async-\u003emunge_chan %= async-\u003ecmd.chanlist_len` without first\nchecking if chanlist_len is zero. If a user program submits a command with\nchanlist_len set to zero, this causes a divide-by-zero error when the device\nprocesses data in the interrupt handler path.\n\nAdd a check for zero chanlist_len at the beginning of the\nfunction, similar to the existing checks for !map and\nCMDF_RAWDATA flag. When chanlist_len is zero, update\nmunge_count and return early, indicating the data was\nhandled without munging.\n\nThis prevents potential kernel panics from malformed user commands."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:02.355Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4ffea48c69cb2b96a281cb7e5e42d706996631db"
},
{
"url": "https://git.kernel.org/stable/c/8f3e4cd9be4b47246ea73ce5e3e0fa2f57f0d10c"
},
{
"url": "https://git.kernel.org/stable/c/2670932f2465793fea1ef073e40883e8390fa4d9"
},
{
"url": "https://git.kernel.org/stable/c/6db19822512396be1a3e1e20c16c97270285ba1a"
},
{
"url": "https://git.kernel.org/stable/c/d4854eff25efb06d0d84c13e7129bbdba4125f8c"
},
{
"url": "https://git.kernel.org/stable/c/a4bb5d1bc2f238461bcbe5303eb500466690bb2c"
},
{
"url": "https://git.kernel.org/stable/c/55520f65fd447e04099a2c44185453c18ea73b7e"
},
{
"url": "https://git.kernel.org/stable/c/87b318ba81dda2ee7b603f4f6c55e78ec3e95974"
}
],
"title": "comedi: fix divide-by-zero in comedi_buf_munge()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40106",
"datePublished": "2025-10-31T09:41:46.740Z",
"dateReserved": "2025-04-16T07:20:57.166Z",
"dateUpdated": "2026-01-02T15:33:02.355Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22992 (GCVE-0-2026-22992)
Vulnerability from cvelistv5
Published
2026-01-23 15:24
Modified
2026-02-09 08:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
libceph: return the handler error from mon_handle_auth_done()
Currently any error from ceph_auth_handle_reply_done() is propagated
via finish_auth() but isn't returned from mon_handle_auth_done(). This
results in higher layers learning that (despite the monitor considering
us to be successfully authenticated) something went wrong in the
authentication phase and reacting accordingly, but msgr2 still trying
to proceed with establishing the session in the background. In the
case of secure mode this can trigger a WARN in setup_crypto() and later
lead to a NULL pointer dereference inside of prepare_auth_signature().
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: cd1a677cad994021b19665ed476aea63f5d54f31 Version: cd1a677cad994021b19665ed476aea63f5d54f31 Version: cd1a677cad994021b19665ed476aea63f5d54f31 Version: cd1a677cad994021b19665ed476aea63f5d54f31 Version: cd1a677cad994021b19665ed476aea63f5d54f31 Version: cd1a677cad994021b19665ed476aea63f5d54f31 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ceph/mon_client.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "77229551f2cf72f3e35636db68e6a825b912cf16",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
},
{
"lessThan": "33908769248b38a5e77cf9292817bb28e641992d",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
},
{
"lessThan": "e097cd858196b1914309e7e3d79b4fa79383754d",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
},
{
"lessThan": "d2c4a5f6996683f287f3851ef5412797042de7f1",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
},
{
"lessThan": "9e0101e57534ef0e7578dd09608a6106736b82e5",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
},
{
"lessThan": "e84b48d31b5008932c0a0902982809fbaa1d3b70",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ceph/mon_client.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: return the handler error from mon_handle_auth_done()\n\nCurrently any error from ceph_auth_handle_reply_done() is propagated\nvia finish_auth() but isn\u0027t returned from mon_handle_auth_done(). This\nresults in higher layers learning that (despite the monitor considering\nus to be successfully authenticated) something went wrong in the\nauthentication phase and reacting accordingly, but msgr2 still trying\nto proceed with establishing the session in the background. In the\ncase of secure mode this can trigger a WARN in setup_crypto() and later\nlead to a NULL pointer dereference inside of prepare_auth_signature()."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:43.404Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/77229551f2cf72f3e35636db68e6a825b912cf16"
},
{
"url": "https://git.kernel.org/stable/c/33908769248b38a5e77cf9292817bb28e641992d"
},
{
"url": "https://git.kernel.org/stable/c/e097cd858196b1914309e7e3d79b4fa79383754d"
},
{
"url": "https://git.kernel.org/stable/c/d2c4a5f6996683f287f3851ef5412797042de7f1"
},
{
"url": "https://git.kernel.org/stable/c/9e0101e57534ef0e7578dd09608a6106736b82e5"
},
{
"url": "https://git.kernel.org/stable/c/e84b48d31b5008932c0a0902982809fbaa1d3b70"
}
],
"title": "libceph: return the handler error from mon_handle_auth_done()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-22992",
"datePublished": "2026-01-23T15:24:12.993Z",
"dateReserved": "2026-01-13T15:37:45.937Z",
"dateUpdated": "2026-02-09T08:36:43.404Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71126 (GCVE-0-2025-71126)
Vulnerability from cvelistv5
Published
2026-01-14 15:06
Modified
2026-02-09 08:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mptcp: avoid deadlock on fallback while reinjecting
Jakub reported an MPTCP deadlock at fallback time:
WARNING: possible recursive locking detected
6.18.0-rc7-virtme #1 Not tainted
--------------------------------------------
mptcp_connect/20858 is trying to acquire lock:
ff1100001da18b60 (&msk->fallback_lock){+.-.}-{3:3}, at: __mptcp_try_fallback+0xd8/0x280
but task is already holding lock:
ff1100001da18b60 (&msk->fallback_lock){+.-.}-{3:3}, at: __mptcp_retrans+0x352/0xaa0
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(&msk->fallback_lock);
lock(&msk->fallback_lock);
*** DEADLOCK ***
May be due to missing lock nesting notation
3 locks held by mptcp_connect/20858:
#0: ff1100001da18290 (sk_lock-AF_INET){+.+.}-{0:0}, at: mptcp_sendmsg+0x114/0x1bc0
#1: ff1100001db40fd0 (k-sk_lock-AF_INET#2){+.+.}-{0:0}, at: __mptcp_retrans+0x2cb/0xaa0
#2: ff1100001da18b60 (&msk->fallback_lock){+.-.}-{3:3}, at: __mptcp_retrans+0x352/0xaa0
stack backtrace:
CPU: 0 UID: 0 PID: 20858 Comm: mptcp_connect Not tainted 6.18.0-rc7-virtme #1 PREEMPT(full)
Hardware name: Bochs, BIOS Bochs 01/01/2011
Call Trace:
<TASK>
dump_stack_lvl+0x6f/0xa0
print_deadlock_bug.cold+0xc0/0xcd
validate_chain+0x2ff/0x5f0
__lock_acquire+0x34c/0x740
lock_acquire.part.0+0xbc/0x260
_raw_spin_lock_bh+0x38/0x50
__mptcp_try_fallback+0xd8/0x280
mptcp_sendmsg_frag+0x16c2/0x3050
__mptcp_retrans+0x421/0xaa0
mptcp_release_cb+0x5aa/0xa70
release_sock+0xab/0x1d0
mptcp_sendmsg+0xd5b/0x1bc0
sock_write_iter+0x281/0x4d0
new_sync_write+0x3c5/0x6f0
vfs_write+0x65e/0xbb0
ksys_write+0x17e/0x200
do_syscall_64+0xbb/0xfd0
entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x7fa5627cbc5e
Code: 4d 89 d8 e8 14 bd 00 00 4c 8b 5d f8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 11 c9 c3 0f 1f 80 00 00 00 00 48 8b 45 10 0f 05 <c9> c3 83 e2 39 83 fa 08 75 e7 e8 13 ff ff ff 0f 1f 00 f3 0f 1e fa
RSP: 002b:00007fff1fe14700 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007fa5627cbc5e
RDX: 0000000000001f9c RSI: 00007fff1fe16984 RDI: 0000000000000005
RBP: 00007fff1fe14710 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 00007fff1fe16920
R13: 0000000000002000 R14: 0000000000001f9c R15: 0000000000001f9c
The packet scheduler could attempt a reinjection after receiving an
MP_FAIL and before the infinite map has been transmitted, causing a
deadlock since MPTCP needs to do the reinjection atomically from WRT
fallback.
Address the issue explicitly avoiding the reinjection in the critical
scenario. Note that this is the only fallback critical section that
could potentially send packets and hit the double-lock.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 5586518bec27666c747cd52aabb62d485686d0bf Version: 75a4c9ab8a7af0d76b31ccd1188ed178c38b35d2 Version: 54999dea879fecb761225e28f274b40662918c30 Version: f8a1d9b18c5efc76784f5a326e905f641f839894 Version: f8a1d9b18c5efc76784f5a326e905f641f839894 Version: 1d82a8fe6ee4afdc92f4e8808c9dad2a6095bbc5 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mptcp/protocol.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0107442e82c0f8d6010e07e6030741c59c520d6e",
"status": "affected",
"version": "5586518bec27666c747cd52aabb62d485686d0bf",
"versionType": "git"
},
{
"lessThan": "252892d5a6a2f163ce18f32716e46fa4da7d4e79",
"status": "affected",
"version": "75a4c9ab8a7af0d76b31ccd1188ed178c38b35d2",
"versionType": "git"
},
{
"lessThan": "0ca9fb4335e726dab4f23b3bfe87271d8f005f41",
"status": "affected",
"version": "54999dea879fecb761225e28f274b40662918c30",
"versionType": "git"
},
{
"lessThan": "50f47c02be419bf0a3ae94c118addf67beef359f",
"status": "affected",
"version": "f8a1d9b18c5efc76784f5a326e905f641f839894",
"versionType": "git"
},
{
"lessThan": "ffb8c27b0539dd90262d1021488e7817fae57c42",
"status": "affected",
"version": "f8a1d9b18c5efc76784f5a326e905f641f839894",
"versionType": "git"
},
{
"status": "affected",
"version": "1d82a8fe6ee4afdc92f4e8808c9dad2a6095bbc5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mptcp/protocol.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.16"
},
{
"lessThan": "6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "6.1.149",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.6.101",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.12.40",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.15.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: avoid deadlock on fallback while reinjecting\n\nJakub reported an MPTCP deadlock at fallback time:\n\n WARNING: possible recursive locking detected\n 6.18.0-rc7-virtme #1 Not tainted\n --------------------------------------------\n mptcp_connect/20858 is trying to acquire lock:\n ff1100001da18b60 (\u0026msk-\u003efallback_lock){+.-.}-{3:3}, at: __mptcp_try_fallback+0xd8/0x280\n\n but task is already holding lock:\n ff1100001da18b60 (\u0026msk-\u003efallback_lock){+.-.}-{3:3}, at: __mptcp_retrans+0x352/0xaa0\n\n other info that might help us debug this:\n Possible unsafe locking scenario:\n\n CPU0\n ----\n lock(\u0026msk-\u003efallback_lock);\n lock(\u0026msk-\u003efallback_lock);\n\n *** DEADLOCK ***\n\n May be due to missing lock nesting notation\n\n 3 locks held by mptcp_connect/20858:\n #0: ff1100001da18290 (sk_lock-AF_INET){+.+.}-{0:0}, at: mptcp_sendmsg+0x114/0x1bc0\n #1: ff1100001db40fd0 (k-sk_lock-AF_INET#2){+.+.}-{0:0}, at: __mptcp_retrans+0x2cb/0xaa0\n #2: ff1100001da18b60 (\u0026msk-\u003efallback_lock){+.-.}-{3:3}, at: __mptcp_retrans+0x352/0xaa0\n\n stack backtrace:\n CPU: 0 UID: 0 PID: 20858 Comm: mptcp_connect Not tainted 6.18.0-rc7-virtme #1 PREEMPT(full)\n Hardware name: Bochs, BIOS Bochs 01/01/2011\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x6f/0xa0\n print_deadlock_bug.cold+0xc0/0xcd\n validate_chain+0x2ff/0x5f0\n __lock_acquire+0x34c/0x740\n lock_acquire.part.0+0xbc/0x260\n _raw_spin_lock_bh+0x38/0x50\n __mptcp_try_fallback+0xd8/0x280\n mptcp_sendmsg_frag+0x16c2/0x3050\n __mptcp_retrans+0x421/0xaa0\n mptcp_release_cb+0x5aa/0xa70\n release_sock+0xab/0x1d0\n mptcp_sendmsg+0xd5b/0x1bc0\n sock_write_iter+0x281/0x4d0\n new_sync_write+0x3c5/0x6f0\n vfs_write+0x65e/0xbb0\n ksys_write+0x17e/0x200\n do_syscall_64+0xbb/0xfd0\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n RIP: 0033:0x7fa5627cbc5e\n Code: 4d 89 d8 e8 14 bd 00 00 4c 8b 5d f8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 11 c9 c3 0f 1f 80 00 00 00 00 48 8b 45 10 0f 05 \u003cc9\u003e c3 83 e2 39 83 fa 08 75 e7 e8 13 ff ff ff 0f 1f 00 f3 0f 1e fa\n RSP: 002b:00007fff1fe14700 EFLAGS: 00000202 ORIG_RAX: 0000000000000001\n RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007fa5627cbc5e\n RDX: 0000000000001f9c RSI: 00007fff1fe16984 RDI: 0000000000000005\n RBP: 00007fff1fe14710 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000202 R12: 00007fff1fe16920\n R13: 0000000000002000 R14: 0000000000001f9c R15: 0000000000001f9c\n\nThe packet scheduler could attempt a reinjection after receiving an\nMP_FAIL and before the infinite map has been transmitted, causing a\ndeadlock since MPTCP needs to do the reinjection atomically from WRT\nfallback.\n\nAddress the issue explicitly avoiding the reinjection in the critical\nscenario. Note that this is the only fallback critical section that\ncould potentially send packets and hit the double-lock."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:21.899Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0107442e82c0f8d6010e07e6030741c59c520d6e"
},
{
"url": "https://git.kernel.org/stable/c/252892d5a6a2f163ce18f32716e46fa4da7d4e79"
},
{
"url": "https://git.kernel.org/stable/c/0ca9fb4335e726dab4f23b3bfe87271d8f005f41"
},
{
"url": "https://git.kernel.org/stable/c/50f47c02be419bf0a3ae94c118addf67beef359f"
},
{
"url": "https://git.kernel.org/stable/c/ffb8c27b0539dd90262d1021488e7817fae57c42"
}
],
"title": "mptcp: avoid deadlock on fallback while reinjecting",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71126",
"datePublished": "2026-01-14T15:06:11.417Z",
"dateReserved": "2026-01-13T15:30:19.655Z",
"dateUpdated": "2026-02-09T08:35:21.899Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40325 (GCVE-0-2025-40325)
Vulnerability from cvelistv5
Published
2025-04-18 07:01
Modified
2026-01-08 09:50
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
md/raid10: wait barrier before returning discard request with REQ_NOWAIT
raid10_handle_discard should wait barrier before returning a discard bio
which has REQ_NOWAIT. And there is no need to print warning calltrace
if a discard bio has REQ_NOWAIT flag. Quality engineer usually checks
dmesg and reports error if dmesg has warning/error calltrace.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/raid10.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "31ff67982c5fa39c0093b9d9f429fef91c2494b7",
"status": "affected",
"version": "c9aa889b035fca4598ae985a0f0c76ebbb547ad2",
"versionType": "git"
},
{
"lessThan": "31d3156efe909b53ba174861a3da880c688f5edc",
"status": "affected",
"version": "c9aa889b035fca4598ae985a0f0c76ebbb547ad2",
"versionType": "git"
},
{
"lessThan": "3db4404435397a345431b45f57876a3df133f3b4",
"status": "affected",
"version": "c9aa889b035fca4598ae985a0f0c76ebbb547ad2",
"versionType": "git"
},
{
"status": "affected",
"version": "39db562b3fedb93978a7e42dd216b306740959f8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/raid10.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.2",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.111",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid10: wait barrier before returning discard request with REQ_NOWAIT\n\nraid10_handle_discard should wait barrier before returning a discard bio\nwhich has REQ_NOWAIT. And there is no need to print warning calltrace\nif a discard bio has REQ_NOWAIT flag. Quality engineer usually checks\ndmesg and reports error if dmesg has warning/error calltrace."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-08T09:50:21.434Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/31ff67982c5fa39c0093b9d9f429fef91c2494b7"
},
{
"url": "https://git.kernel.org/stable/c/31d3156efe909b53ba174861a3da880c688f5edc"
},
{
"url": "https://git.kernel.org/stable/c/3db4404435397a345431b45f57876a3df133f3b4"
}
],
"title": "md/raid10: wait barrier before returning discard request with REQ_NOWAIT",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40325",
"datePublished": "2025-04-18T07:01:41.619Z",
"dateReserved": "2025-04-16T07:20:57.186Z",
"dateUpdated": "2026-01-08T09:50:21.434Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40360 (GCVE-0-2025-40360)
Vulnerability from cvelistv5
Published
2025-12-16 13:39
Modified
2025-12-16 13:39
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/sysfb: Do not dereference NULL pointer in plane reset
The plane state in __drm_gem_reset_shadow_plane() can be NULL. Do not
deref that pointer, but forward NULL to the other plane-reset helpers.
Clears plane->state to NULL.
v2:
- fix typo in commit description (Javier)
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: b715650220311e50448cb499c71084ca8aeeeece Version: b715650220311e50448cb499c71084ca8aeeeece Version: b715650220311e50448cb499c71084ca8aeeeece Version: b715650220311e50448cb499c71084ca8aeeeece Version: b715650220311e50448cb499c71084ca8aeeeece Version: b715650220311e50448cb499c71084ca8aeeeece |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/drm_gem_atomic_helper.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6abeff03cb79a2c7f4554a8e8738acd35bb37152",
"status": "affected",
"version": "b715650220311e50448cb499c71084ca8aeeeece",
"versionType": "git"
},
{
"lessThan": "c4faf7f417eea8b8d5cc570a1015736f307aa2d5",
"status": "affected",
"version": "b715650220311e50448cb499c71084ca8aeeeece",
"versionType": "git"
},
{
"lessThan": "b61ed8005bd3102510fab5015ac6a275c9c5ea16",
"status": "affected",
"version": "b715650220311e50448cb499c71084ca8aeeeece",
"versionType": "git"
},
{
"lessThan": "6bdef5648a60e49d4a3b02461ab7ae3776877e77",
"status": "affected",
"version": "b715650220311e50448cb499c71084ca8aeeeece",
"versionType": "git"
},
{
"lessThan": "c7d5e69866bbe95c1e4ab4c10a81e0a02d9ea232",
"status": "affected",
"version": "b715650220311e50448cb499c71084ca8aeeeece",
"versionType": "git"
},
{
"lessThan": "14e02ed3876f4ab0ed6d3f41972175f8b8df3d70",
"status": "affected",
"version": "b715650220311e50448cb499c71084ca8aeeeece",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/drm_gem_atomic_helper.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/sysfb: Do not dereference NULL pointer in plane reset\n\nThe plane state in __drm_gem_reset_shadow_plane() can be NULL. Do not\nderef that pointer, but forward NULL to the other plane-reset helpers.\nClears plane-\u003estate to NULL.\n\nv2:\n- fix typo in commit description (Javier)"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T13:39:59.490Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6abeff03cb79a2c7f4554a8e8738acd35bb37152"
},
{
"url": "https://git.kernel.org/stable/c/c4faf7f417eea8b8d5cc570a1015736f307aa2d5"
},
{
"url": "https://git.kernel.org/stable/c/b61ed8005bd3102510fab5015ac6a275c9c5ea16"
},
{
"url": "https://git.kernel.org/stable/c/6bdef5648a60e49d4a3b02461ab7ae3776877e77"
},
{
"url": "https://git.kernel.org/stable/c/c7d5e69866bbe95c1e4ab4c10a81e0a02d9ea232"
},
{
"url": "https://git.kernel.org/stable/c/14e02ed3876f4ab0ed6d3f41972175f8b8df3d70"
}
],
"title": "drm/sysfb: Do not dereference NULL pointer in plane reset",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40360",
"datePublished": "2025-12-16T13:39:59.490Z",
"dateReserved": "2025-04-16T07:20:57.187Z",
"dateUpdated": "2025-12-16T13:39:59.490Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22990 (GCVE-0-2026-22990)
Vulnerability from cvelistv5
Published
2026-01-23 15:24
Modified
2026-02-09 08:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
libceph: replace overzealous BUG_ON in osdmap_apply_incremental()
If the osdmap is (maliciously) corrupted such that the incremental
osdmap epoch is different from what is expected, there is no need to
BUG. Instead, just declare the incremental osdmap to be invalid.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: f24e9980eb860d8600cbe5ef3d2fd9295320d229 Version: f24e9980eb860d8600cbe5ef3d2fd9295320d229 Version: f24e9980eb860d8600cbe5ef3d2fd9295320d229 Version: f24e9980eb860d8600cbe5ef3d2fd9295320d229 Version: f24e9980eb860d8600cbe5ef3d2fd9295320d229 Version: f24e9980eb860d8600cbe5ef3d2fd9295320d229 Version: f24e9980eb860d8600cbe5ef3d2fd9295320d229 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ceph/osdmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9aa0b0c14cefece078286d78b97d4c09685e372d",
"status": "affected",
"version": "f24e9980eb860d8600cbe5ef3d2fd9295320d229",
"versionType": "git"
},
{
"lessThan": "4b106fbb1c7b841cd402abd83eb2447164c799ea",
"status": "affected",
"version": "f24e9980eb860d8600cbe5ef3d2fd9295320d229",
"versionType": "git"
},
{
"lessThan": "6afd2a4213524bc742b709599a3663aeaf77193c",
"status": "affected",
"version": "f24e9980eb860d8600cbe5ef3d2fd9295320d229",
"versionType": "git"
},
{
"lessThan": "d3613770e2677683e65d062da5e31f48c409abe9",
"status": "affected",
"version": "f24e9980eb860d8600cbe5ef3d2fd9295320d229",
"versionType": "git"
},
{
"lessThan": "6c6cec3db3b418c4fdf815731bc39e46dff75e1b",
"status": "affected",
"version": "f24e9980eb860d8600cbe5ef3d2fd9295320d229",
"versionType": "git"
},
{
"lessThan": "6348d70af847b79805374fe628d3809a63fd7df3",
"status": "affected",
"version": "f24e9980eb860d8600cbe5ef3d2fd9295320d229",
"versionType": "git"
},
{
"lessThan": "e00c3f71b5cf75681dbd74ee3f982a99cb690c2b",
"status": "affected",
"version": "f24e9980eb860d8600cbe5ef3d2fd9295320d229",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ceph/osdmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.34"
},
{
"lessThan": "2.6.34",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.34",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: replace overzealous BUG_ON in osdmap_apply_incremental()\n\nIf the osdmap is (maliciously) corrupted such that the incremental\nosdmap epoch is different from what is expected, there is no need to\nBUG. Instead, just declare the incremental osdmap to be invalid."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:41.367Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9aa0b0c14cefece078286d78b97d4c09685e372d"
},
{
"url": "https://git.kernel.org/stable/c/4b106fbb1c7b841cd402abd83eb2447164c799ea"
},
{
"url": "https://git.kernel.org/stable/c/6afd2a4213524bc742b709599a3663aeaf77193c"
},
{
"url": "https://git.kernel.org/stable/c/d3613770e2677683e65d062da5e31f48c409abe9"
},
{
"url": "https://git.kernel.org/stable/c/6c6cec3db3b418c4fdf815731bc39e46dff75e1b"
},
{
"url": "https://git.kernel.org/stable/c/6348d70af847b79805374fe628d3809a63fd7df3"
},
{
"url": "https://git.kernel.org/stable/c/e00c3f71b5cf75681dbd74ee3f982a99cb690c2b"
}
],
"title": "libceph: replace overzealous BUG_ON in osdmap_apply_incremental()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-22990",
"datePublished": "2026-01-23T15:24:11.332Z",
"dateReserved": "2026-01-13T15:37:45.937Z",
"dateUpdated": "2026-02-09T08:36:41.367Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71191 (GCVE-0-2025-71191)
Vulnerability from cvelistv5
Published
2026-01-31 11:42
Modified
2026-02-09 08:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: at_hdmac: fix device leak on of_dma_xlate()
Make sure to drop the reference taken when looking up the DMA platform
device during of_dma_xlate() when releasing channel resources.
Note that commit 3832b78b3ec2 ("dmaengine: at_hdmac: add missing
put_device() call in at_dma_xlate()") fixed the leak in a couple of
error paths but the reference is still leaking on successful allocation.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: bbe89c8e3d598129b728d1388c3ad9abe4e8e261 Version: bbe89c8e3d598129b728d1388c3ad9abe4e8e261 Version: bbe89c8e3d598129b728d1388c3ad9abe4e8e261 Version: bbe89c8e3d598129b728d1388c3ad9abe4e8e261 Version: bbe89c8e3d598129b728d1388c3ad9abe4e8e261 Version: bbe89c8e3d598129b728d1388c3ad9abe4e8e261 Version: bbe89c8e3d598129b728d1388c3ad9abe4e8e261 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/at_hdmac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "49d964cde422dc66fea514b7ab24aa729df7081d",
"status": "affected",
"version": "bbe89c8e3d598129b728d1388c3ad9abe4e8e261",
"versionType": "git"
},
{
"lessThan": "4c67b4f45c8540ee4e62e24ca4608c6a9a81ee0f",
"status": "affected",
"version": "bbe89c8e3d598129b728d1388c3ad9abe4e8e261",
"versionType": "git"
},
{
"lessThan": "48b2d7f530b83cb149dbf0e48f95ccadb2d90da9",
"status": "affected",
"version": "bbe89c8e3d598129b728d1388c3ad9abe4e8e261",
"versionType": "git"
},
{
"lessThan": "987c71671367f42460689b78244d7b894c50999a",
"status": "affected",
"version": "bbe89c8e3d598129b728d1388c3ad9abe4e8e261",
"versionType": "git"
},
{
"lessThan": "6a86cf2c09e149d5718a5b7090545f7566da9334",
"status": "affected",
"version": "bbe89c8e3d598129b728d1388c3ad9abe4e8e261",
"versionType": "git"
},
{
"lessThan": "f3c23b7e941349505c3d40de2cc0acd93d9ac057",
"status": "affected",
"version": "bbe89c8e3d598129b728d1388c3ad9abe4e8e261",
"versionType": "git"
},
{
"lessThan": "b9074b2d7a230b6e28caa23165e9d8bc0677d333",
"status": "affected",
"version": "bbe89c8e3d598129b728d1388c3ad9abe4e8e261",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/at_hdmac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.10"
},
{
"lessThan": "3.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: at_hdmac: fix device leak on of_dma_xlate()\n\nMake sure to drop the reference taken when looking up the DMA platform\ndevice during of_dma_xlate() when releasing channel resources.\n\nNote that commit 3832b78b3ec2 (\"dmaengine: at_hdmac: add missing\nput_device() call in at_dma_xlate()\") fixed the leak in a couple of\nerror paths but the reference is still leaking on successful allocation."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:15.973Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/49d964cde422dc66fea514b7ab24aa729df7081d"
},
{
"url": "https://git.kernel.org/stable/c/4c67b4f45c8540ee4e62e24ca4608c6a9a81ee0f"
},
{
"url": "https://git.kernel.org/stable/c/48b2d7f530b83cb149dbf0e48f95ccadb2d90da9"
},
{
"url": "https://git.kernel.org/stable/c/987c71671367f42460689b78244d7b894c50999a"
},
{
"url": "https://git.kernel.org/stable/c/6a86cf2c09e149d5718a5b7090545f7566da9334"
},
{
"url": "https://git.kernel.org/stable/c/f3c23b7e941349505c3d40de2cc0acd93d9ac057"
},
{
"url": "https://git.kernel.org/stable/c/b9074b2d7a230b6e28caa23165e9d8bc0677d333"
}
],
"title": "dmaengine: at_hdmac: fix device leak on of_dma_xlate()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71191",
"datePublished": "2026-01-31T11:42:03.545Z",
"dateReserved": "2026-01-31T11:36:51.189Z",
"dateUpdated": "2026-02-09T08:36:15.973Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68249 (GCVE-0-2025-68249)
Vulnerability from cvelistv5
Published
2025-12-16 14:32
Modified
2025-12-16 14:32
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
most: usb: hdm_probe: Fix calling put_device() before device initialization
The early error path in hdm_probe() can jump to err_free_mdev before
&mdev->dev has been initialized with device_initialize(). Calling
put_device(&mdev->dev) there triggers a device core WARN and ends up
invoking kref_put(&kobj->kref, kobject_release) on an uninitialized
kobject.
In this path the private struct was only kmalloc'ed and the intended
release is effectively kfree(mdev) anyway, so free it directly instead
of calling put_device() on an uninitialized device.
This removes the WARNING and fixes the pre-initialization error path.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 97a6f772f36b7f52bcfa56a581bbd2470cffe23d Version: 97a6f772f36b7f52bcfa56a581bbd2470cffe23d Version: 97a6f772f36b7f52bcfa56a581bbd2470cffe23d Version: 97a6f772f36b7f52bcfa56a581bbd2470cffe23d Version: 97a6f772f36b7f52bcfa56a581bbd2470cffe23d Version: 97a6f772f36b7f52bcfa56a581bbd2470cffe23d Version: 97a6f772f36b7f52bcfa56a581bbd2470cffe23d |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/most/most_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3509c748e79435d09e730673c8c100b7f0ebc87c",
"status": "affected",
"version": "97a6f772f36b7f52bcfa56a581bbd2470cffe23d",
"versionType": "git"
},
{
"lessThan": "ad2be44882716dc3589fbc5572cc13f88ead6b24",
"status": "affected",
"version": "97a6f772f36b7f52bcfa56a581bbd2470cffe23d",
"versionType": "git"
},
{
"lessThan": "c400410fe0580dd6118ae8d60287ac9ce71a65fd",
"status": "affected",
"version": "97a6f772f36b7f52bcfa56a581bbd2470cffe23d",
"versionType": "git"
},
{
"lessThan": "6fb8fbc0aa542af5bf0fed94fa6b0edf18144f95",
"status": "affected",
"version": "97a6f772f36b7f52bcfa56a581bbd2470cffe23d",
"versionType": "git"
},
{
"lessThan": "7d851f746067b8ee5bac9c262f326ace0a6ea253",
"status": "affected",
"version": "97a6f772f36b7f52bcfa56a581bbd2470cffe23d",
"versionType": "git"
},
{
"lessThan": "4af0eedbdb4df7936bf43a28e31af232744d2620",
"status": "affected",
"version": "97a6f772f36b7f52bcfa56a581bbd2470cffe23d",
"versionType": "git"
},
{
"lessThan": "a8cc9e5fcb0e2eef21513a4fec888f5712cb8162",
"status": "affected",
"version": "97a6f772f36b7f52bcfa56a581bbd2470cffe23d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/most/most_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.196",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.115",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.196",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.115",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.56",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.6",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmost: usb: hdm_probe: Fix calling put_device() before device initialization\n\nThe early error path in hdm_probe() can jump to err_free_mdev before\n\u0026mdev-\u003edev has been initialized with device_initialize(). Calling\nput_device(\u0026mdev-\u003edev) there triggers a device core WARN and ends up\ninvoking kref_put(\u0026kobj-\u003ekref, kobject_release) on an uninitialized\nkobject.\n\nIn this path the private struct was only kmalloc\u0027ed and the intended\nrelease is effectively kfree(mdev) anyway, so free it directly instead\nof calling put_device() on an uninitialized device.\n\nThis removes the WARNING and fixes the pre-initialization error path."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T14:32:16.370Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3509c748e79435d09e730673c8c100b7f0ebc87c"
},
{
"url": "https://git.kernel.org/stable/c/ad2be44882716dc3589fbc5572cc13f88ead6b24"
},
{
"url": "https://git.kernel.org/stable/c/c400410fe0580dd6118ae8d60287ac9ce71a65fd"
},
{
"url": "https://git.kernel.org/stable/c/6fb8fbc0aa542af5bf0fed94fa6b0edf18144f95"
},
{
"url": "https://git.kernel.org/stable/c/7d851f746067b8ee5bac9c262f326ace0a6ea253"
},
{
"url": "https://git.kernel.org/stable/c/4af0eedbdb4df7936bf43a28e31af232744d2620"
},
{
"url": "https://git.kernel.org/stable/c/a8cc9e5fcb0e2eef21513a4fec888f5712cb8162"
}
],
"title": "most: usb: hdm_probe: Fix calling put_device() before device initialization",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68249",
"datePublished": "2025-12-16T14:32:16.370Z",
"dateReserved": "2025-12-16T13:41:40.266Z",
"dateUpdated": "2025-12-16T14:32:16.370Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39998 (GCVE-0-2025-39998)
Vulnerability from cvelistv5
Published
2025-10-15 07:58
Modified
2026-01-02 15:32
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: target: target_core_configfs: Add length check to avoid buffer overflow
A buffer overflow arises from the usage of snprintf to write into the
buffer "buf" in target_lu_gp_members_show function located in
/drivers/target/target_core_configfs.c. This buffer is allocated with
size LU_GROUP_NAME_BUF (256 bytes).
snprintf(...) formats multiple strings into buf with the HBA name
(hba->hba_group.cg_item), a slash character, a devicename (dev->
dev_group.cg_item) and a newline character, the total formatted string
length may exceed the buffer size of 256 bytes.
Since snprintf() returns the total number of bytes that would have been
written (the length of %s/%sn ), this value may exceed the buffer length
(256 bytes) passed to memcpy(), this will ultimately cause function
memcpy reporting a buffer overflow error.
An additional check of the return value of snprintf() can avoid this
buffer overflow.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5 Version: c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5 Version: c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5 Version: c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5 Version: c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5 Version: c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5 Version: c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5 Version: c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5 Version: c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/target/target_core_configfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e6eeee5dc0d9221ff96d1b229b1d0222c8871b84",
"status": "affected",
"version": "c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5",
"versionType": "git"
},
{
"lessThan": "764a91e2fc9639e07aac93bc70e387e6b1e33084",
"status": "affected",
"version": "c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5",
"versionType": "git"
},
{
"lessThan": "ddc79fba132b807ff775467acceaf48b456e008b",
"status": "affected",
"version": "c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5",
"versionType": "git"
},
{
"lessThan": "e73fe0eefac3e15bf88fb5b4afae4c76215ee4d4",
"status": "affected",
"version": "c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5",
"versionType": "git"
},
{
"lessThan": "f03aa5e39da7d045615b3951d2a6ca1d7132f881",
"status": "affected",
"version": "c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5",
"versionType": "git"
},
{
"lessThan": "53c6351597e6a17ec6619f6f060d54128cb9a187",
"status": "affected",
"version": "c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5",
"versionType": "git"
},
{
"lessThan": "4b292286949588bd2818e66ff102db278de8dd26",
"status": "affected",
"version": "c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5",
"versionType": "git"
},
{
"lessThan": "a150275831b765b0f1de8b8ff52ec5c6933ac15d",
"status": "affected",
"version": "c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5",
"versionType": "git"
},
{
"lessThan": "27e06650a5eafe832a90fd2604f0c5e920857fae",
"status": "affected",
"version": "c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/target/target_core_configfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.38"
},
{
"lessThan": "2.6.38",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.51",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.110",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.51",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.11",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.1",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.38",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: target_core_configfs: Add length check to avoid buffer overflow\n\nA buffer overflow arises from the usage of snprintf to write into the\nbuffer \"buf\" in target_lu_gp_members_show function located in\n/drivers/target/target_core_configfs.c. This buffer is allocated with\nsize LU_GROUP_NAME_BUF (256 bytes).\n\nsnprintf(...) formats multiple strings into buf with the HBA name\n(hba-\u003ehba_group.cg_item), a slash character, a devicename (dev-\u003e\ndev_group.cg_item) and a newline character, the total formatted string\nlength may exceed the buffer size of 256 bytes.\n\nSince snprintf() returns the total number of bytes that would have been\nwritten (the length of %s/%sn ), this value may exceed the buffer length\n(256 bytes) passed to memcpy(), this will ultimately cause function\nmemcpy reporting a buffer overflow error.\n\nAn additional check of the return value of snprintf() can avoid this\nbuffer overflow."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:32:48.667Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e6eeee5dc0d9221ff96d1b229b1d0222c8871b84"
},
{
"url": "https://git.kernel.org/stable/c/764a91e2fc9639e07aac93bc70e387e6b1e33084"
},
{
"url": "https://git.kernel.org/stable/c/ddc79fba132b807ff775467acceaf48b456e008b"
},
{
"url": "https://git.kernel.org/stable/c/e73fe0eefac3e15bf88fb5b4afae4c76215ee4d4"
},
{
"url": "https://git.kernel.org/stable/c/f03aa5e39da7d045615b3951d2a6ca1d7132f881"
},
{
"url": "https://git.kernel.org/stable/c/53c6351597e6a17ec6619f6f060d54128cb9a187"
},
{
"url": "https://git.kernel.org/stable/c/4b292286949588bd2818e66ff102db278de8dd26"
},
{
"url": "https://git.kernel.org/stable/c/a150275831b765b0f1de8b8ff52ec5c6933ac15d"
},
{
"url": "https://git.kernel.org/stable/c/27e06650a5eafe832a90fd2604f0c5e920857fae"
}
],
"title": "scsi: target: target_core_configfs: Add length check to avoid buffer overflow",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39998",
"datePublished": "2025-10-15T07:58:22.354Z",
"dateReserved": "2025-04-16T07:20:57.151Z",
"dateUpdated": "2026-01-02T15:32:48.667Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68287 (GCVE-0-2025-68287)
Vulnerability from cvelistv5
Published
2025-12-16 15:06
Modified
2025-12-16 15:06
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths
This patch addresses a race condition caused by unsynchronized
execution of multiple call paths invoking `dwc3_remove_requests()`,
leading to premature freeing of USB requests and subsequent crashes.
Three distinct execution paths interact with `dwc3_remove_requests()`:
Path 1:
Triggered via `dwc3_gadget_reset_interrupt()` during USB reset
handling. The call stack includes:
- `dwc3_ep0_reset_state()`
- `dwc3_ep0_stall_and_restart()`
- `dwc3_ep0_out_start()`
- `dwc3_remove_requests()`
- `dwc3_gadget_del_and_unmap_request()`
Path 2:
Also initiated from `dwc3_gadget_reset_interrupt()`, but through
`dwc3_stop_active_transfers()`. The call stack includes:
- `dwc3_stop_active_transfers()`
- `dwc3_remove_requests()`
- `dwc3_gadget_del_and_unmap_request()`
Path 3:
Occurs independently during `adb root` execution, which triggers
USB function unbind and bind operations. The sequence includes:
- `gserial_disconnect()`
- `usb_ep_disable()`
- `dwc3_gadget_ep_disable()`
- `dwc3_remove_requests()` with `-ESHUTDOWN` status
Path 3 operates asynchronously and lacks synchronization with Paths
1 and 2. When Path 3 completes, it disables endpoints and frees 'out'
requests. If Paths 1 or 2 are still processing these requests,
accessing freed memory leads to a crash due to use-after-free conditions.
To fix this added check for request completion and skip processing
if already completed and added the request status for ep0 while queue.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 72246da40f3719af3bfd104a2365b32537c27d83 Version: 72246da40f3719af3bfd104a2365b32537c27d83 Version: 72246da40f3719af3bfd104a2365b32537c27d83 Version: 72246da40f3719af3bfd104a2365b32537c27d83 Version: 72246da40f3719af3bfd104a2365b32537c27d83 Version: 72246da40f3719af3bfd104a2365b32537c27d83 Version: 72246da40f3719af3bfd104a2365b32537c27d83 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/dwc3/ep0.c",
"drivers/usb/dwc3/gadget.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "467add9db13219101f14b6cc5477998b4aaa5fe2",
"status": "affected",
"version": "72246da40f3719af3bfd104a2365b32537c27d83",
"versionType": "git"
},
{
"lessThan": "67192e8cb7f941b5bba91e4bb290683576ce1607",
"status": "affected",
"version": "72246da40f3719af3bfd104a2365b32537c27d83",
"versionType": "git"
},
{
"lessThan": "47de14d741cc4057046c9e2f33df1f7828254e6c",
"status": "affected",
"version": "72246da40f3719af3bfd104a2365b32537c27d83",
"versionType": "git"
},
{
"lessThan": "afc0e34f161ce61ad351303c46eb57bd44b8b090",
"status": "affected",
"version": "72246da40f3719af3bfd104a2365b32537c27d83",
"versionType": "git"
},
{
"lessThan": "7cfb62888eba292fa35cd9ddbd28ce595f60e139",
"status": "affected",
"version": "72246da40f3719af3bfd104a2365b32537c27d83",
"versionType": "git"
},
{
"lessThan": "fa5eaf701e576880070b60922200557ae4aa54e1",
"status": "affected",
"version": "72246da40f3719af3bfd104a2365b32537c27d83",
"versionType": "git"
},
{
"lessThan": "e4037689a366743c4233966f0e74bc455820d316",
"status": "affected",
"version": "72246da40f3719af3bfd104a2365b32537c27d83",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/dwc3/ep0.c",
"drivers/usb/dwc3/gadget.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.2"
},
{
"lessThan": "3.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths\n\nThis patch addresses a race condition caused by unsynchronized\nexecution of multiple call paths invoking `dwc3_remove_requests()`,\nleading to premature freeing of USB requests and subsequent crashes.\n\nThree distinct execution paths interact with `dwc3_remove_requests()`:\nPath 1:\nTriggered via `dwc3_gadget_reset_interrupt()` during USB reset\nhandling. The call stack includes:\n- `dwc3_ep0_reset_state()`\n- `dwc3_ep0_stall_and_restart()`\n- `dwc3_ep0_out_start()`\n- `dwc3_remove_requests()`\n- `dwc3_gadget_del_and_unmap_request()`\n\nPath 2:\nAlso initiated from `dwc3_gadget_reset_interrupt()`, but through\n`dwc3_stop_active_transfers()`. The call stack includes:\n- `dwc3_stop_active_transfers()`\n- `dwc3_remove_requests()`\n- `dwc3_gadget_del_and_unmap_request()`\n\nPath 3:\nOccurs independently during `adb root` execution, which triggers\nUSB function unbind and bind operations. The sequence includes:\n- `gserial_disconnect()`\n- `usb_ep_disable()`\n- `dwc3_gadget_ep_disable()`\n- `dwc3_remove_requests()` with `-ESHUTDOWN` status\n\nPath 3 operates asynchronously and lacks synchronization with Paths\n1 and 2. When Path 3 completes, it disables endpoints and frees \u0027out\u0027\nrequests. If Paths 1 or 2 are still processing these requests,\naccessing freed memory leads to a crash due to use-after-free conditions.\n\nTo fix this added check for request completion and skip processing\nif already completed and added the request status for ep0 while queue."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:06:08.711Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/467add9db13219101f14b6cc5477998b4aaa5fe2"
},
{
"url": "https://git.kernel.org/stable/c/67192e8cb7f941b5bba91e4bb290683576ce1607"
},
{
"url": "https://git.kernel.org/stable/c/47de14d741cc4057046c9e2f33df1f7828254e6c"
},
{
"url": "https://git.kernel.org/stable/c/afc0e34f161ce61ad351303c46eb57bd44b8b090"
},
{
"url": "https://git.kernel.org/stable/c/7cfb62888eba292fa35cd9ddbd28ce595f60e139"
},
{
"url": "https://git.kernel.org/stable/c/fa5eaf701e576880070b60922200557ae4aa54e1"
},
{
"url": "https://git.kernel.org/stable/c/e4037689a366743c4233966f0e74bc455820d316"
}
],
"title": "usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68287",
"datePublished": "2025-12-16T15:06:08.711Z",
"dateReserved": "2025-12-16T14:48:05.292Z",
"dateUpdated": "2025-12-16T15:06:08.711Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68775 (GCVE-0-2025-68775)
Vulnerability from cvelistv5
Published
2026-01-13 15:28
Modified
2026-02-09 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/handshake: duplicate handshake cancellations leak socket
When a handshake request is cancelled it is removed from the
handshake_net->hn_requests list, but it is still present in the
handshake_rhashtbl until it is destroyed.
If a second cancellation request arrives for the same handshake request,
then remove_pending() will return false... and assuming
HANDSHAKE_F_REQ_COMPLETED isn't set in req->hr_flags, we'll continue
processing through the out_true label, where we put another reference on
the sock and a refcount underflow occurs.
This can happen for example if a handshake times out - particularly if
the SUNRPC client sends the AUTH_TLS probe to the server but doesn't
follow it up with the ClientHello due to a problem with tlshd. When the
timeout is hit on the server, the server will send a FIN, which triggers
a cancellation request via xs_reset_transport(). When the timeout is
hit on the client, another cancellation request happens via
xs_tls_handshake_sync().
Add a test_and_set_bit(HANDSHAKE_F_REQ_COMPLETED) in the pending cancel
path so duplicate cancels can be detected.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/handshake/request.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "011ae80c49d9bfa5b4336f8bd387cd25c7593663",
"status": "affected",
"version": "3b3009ea8abb713b022d94fba95ec270cf6e7eae",
"versionType": "git"
},
{
"lessThan": "e1641177e7fb48a0a5a06658d4aab51da6656659",
"status": "affected",
"version": "3b3009ea8abb713b022d94fba95ec270cf6e7eae",
"versionType": "git"
},
{
"lessThan": "3c330f1dee3cd92b57e19b9d21dc8ce5970b09be",
"status": "affected",
"version": "3b3009ea8abb713b022d94fba95ec270cf6e7eae",
"versionType": "git"
},
{
"lessThan": "15564bd67e2975002f2a8e9defee33e321d3183f",
"status": "affected",
"version": "3b3009ea8abb713b022d94fba95ec270cf6e7eae",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/handshake/request.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/handshake: duplicate handshake cancellations leak socket\n\nWhen a handshake request is cancelled it is removed from the\nhandshake_net-\u003ehn_requests list, but it is still present in the\nhandshake_rhashtbl until it is destroyed.\n\nIf a second cancellation request arrives for the same handshake request,\nthen remove_pending() will return false... and assuming\nHANDSHAKE_F_REQ_COMPLETED isn\u0027t set in req-\u003ehr_flags, we\u0027ll continue\nprocessing through the out_true label, where we put another reference on\nthe sock and a refcount underflow occurs.\n\nThis can happen for example if a handshake times out - particularly if\nthe SUNRPC client sends the AUTH_TLS probe to the server but doesn\u0027t\nfollow it up with the ClientHello due to a problem with tlshd. When the\ntimeout is hit on the server, the server will send a FIN, which triggers\na cancellation request via xs_reset_transport(). When the timeout is\nhit on the client, another cancellation request happens via\nxs_tls_handshake_sync().\n\nAdd a test_and_set_bit(HANDSHAKE_F_REQ_COMPLETED) in the pending cancel\npath so duplicate cancels can be detected."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:20.645Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/011ae80c49d9bfa5b4336f8bd387cd25c7593663"
},
{
"url": "https://git.kernel.org/stable/c/e1641177e7fb48a0a5a06658d4aab51da6656659"
},
{
"url": "https://git.kernel.org/stable/c/3c330f1dee3cd92b57e19b9d21dc8ce5970b09be"
},
{
"url": "https://git.kernel.org/stable/c/15564bd67e2975002f2a8e9defee33e321d3183f"
}
],
"title": "net/handshake: duplicate handshake cancellations leak socket",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68775",
"datePublished": "2026-01-13T15:28:52.069Z",
"dateReserved": "2025-12-24T10:30:51.035Z",
"dateUpdated": "2026-02-09T08:33:20.645Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71131 (GCVE-0-2025-71131)
Vulnerability from cvelistv5
Published
2026-01-14 15:07
Modified
2026-02-09 08:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: seqiv - Do not use req->iv after crypto_aead_encrypt
As soon as crypto_aead_encrypt is called, the underlying request
may be freed by an asynchronous completion. Thus dereferencing
req->iv after it returns is invalid.
Instead of checking req->iv against info, create a new variable
unaligned_info and use it for that purpose instead.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 0a270321dbf948963aeb0e8382fe17d2c2eb3771 Version: 0a270321dbf948963aeb0e8382fe17d2c2eb3771 Version: 0a270321dbf948963aeb0e8382fe17d2c2eb3771 Version: 0a270321dbf948963aeb0e8382fe17d2c2eb3771 Version: 0a270321dbf948963aeb0e8382fe17d2c2eb3771 Version: 0a270321dbf948963aeb0e8382fe17d2c2eb3771 Version: 0a270321dbf948963aeb0e8382fe17d2c2eb3771 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"crypto/seqiv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "18202537856e0fae079fed2c9308780bcff2bb9d",
"status": "affected",
"version": "0a270321dbf948963aeb0e8382fe17d2c2eb3771",
"versionType": "git"
},
{
"lessThan": "baf0e2d1e03ddb04781dfe7f22a654d3611f69b2",
"status": "affected",
"version": "0a270321dbf948963aeb0e8382fe17d2c2eb3771",
"versionType": "git"
},
{
"lessThan": "50f196d2bbaee4ab2494bb1b0d294deba292951a",
"status": "affected",
"version": "0a270321dbf948963aeb0e8382fe17d2c2eb3771",
"versionType": "git"
},
{
"lessThan": "0279978adec6f1296af66b642cce641c6580be46",
"status": "affected",
"version": "0a270321dbf948963aeb0e8382fe17d2c2eb3771",
"versionType": "git"
},
{
"lessThan": "ccbb96434d88e32358894c879457b33f7508e798",
"status": "affected",
"version": "0a270321dbf948963aeb0e8382fe17d2c2eb3771",
"versionType": "git"
},
{
"lessThan": "5476f7f8a311236604b78fcc5b2a63b3a61b0169",
"status": "affected",
"version": "0a270321dbf948963aeb0e8382fe17d2c2eb3771",
"versionType": "git"
},
{
"lessThan": "50fdb78b7c0bcc550910ef69c0984e751cac72fa",
"status": "affected",
"version": "0a270321dbf948963aeb0e8382fe17d2c2eb3771",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"crypto/seqiv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.25"
},
{
"lessThan": "2.6.25",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.25",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: seqiv - Do not use req-\u003eiv after crypto_aead_encrypt\n\nAs soon as crypto_aead_encrypt is called, the underlying request\nmay be freed by an asynchronous completion. Thus dereferencing\nreq-\u003eiv after it returns is invalid.\n\nInstead of checking req-\u003eiv against info, create a new variable\nunaligned_info and use it for that purpose instead."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:27.322Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/18202537856e0fae079fed2c9308780bcff2bb9d"
},
{
"url": "https://git.kernel.org/stable/c/baf0e2d1e03ddb04781dfe7f22a654d3611f69b2"
},
{
"url": "https://git.kernel.org/stable/c/50f196d2bbaee4ab2494bb1b0d294deba292951a"
},
{
"url": "https://git.kernel.org/stable/c/0279978adec6f1296af66b642cce641c6580be46"
},
{
"url": "https://git.kernel.org/stable/c/ccbb96434d88e32358894c879457b33f7508e798"
},
{
"url": "https://git.kernel.org/stable/c/5476f7f8a311236604b78fcc5b2a63b3a61b0169"
},
{
"url": "https://git.kernel.org/stable/c/50fdb78b7c0bcc550910ef69c0984e751cac72fa"
}
],
"title": "crypto: seqiv - Do not use req-\u003eiv after crypto_aead_encrypt",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71131",
"datePublished": "2026-01-14T15:07:47.194Z",
"dateReserved": "2026-01-13T15:30:19.655Z",
"dateUpdated": "2026-02-09T08:35:27.322Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71156 (GCVE-0-2025-71156)
Vulnerability from cvelistv5
Published
2026-01-23 14:25
Modified
2026-02-09 08:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
gve: defer interrupt enabling until NAPI registration
Currently, interrupts are automatically enabled immediately upon
request. This allows interrupt to fire before the associated NAPI
context is fully initialized and cause failures like below:
[ 0.946369] Call Trace:
[ 0.946369] <IRQ>
[ 0.946369] __napi_poll+0x2a/0x1e0
[ 0.946369] net_rx_action+0x2f9/0x3f0
[ 0.946369] handle_softirqs+0xd6/0x2c0
[ 0.946369] ? handle_edge_irq+0xc1/0x1b0
[ 0.946369] __irq_exit_rcu+0xc3/0xe0
[ 0.946369] common_interrupt+0x81/0xa0
[ 0.946369] </IRQ>
[ 0.946369] <TASK>
[ 0.946369] asm_common_interrupt+0x22/0x40
[ 0.946369] RIP: 0010:pv_native_safe_halt+0xb/0x10
Use the `IRQF_NO_AUTOEN` flag when requesting interrupts to prevent auto
enablement and explicitly enable the interrupt in NAPI initialization
path (and disable it during NAPI teardown).
This ensures that interrupt lifecycle is strictly coupled with
readiness of NAPI context.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/google/gve/gve_main.c",
"drivers/net/ethernet/google/gve/gve_utils.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f5b7f49bd2377916ad57cbd1210c61196daff013",
"status": "affected",
"version": "1dfc2e46117e5c41037e27e859e75a7518881ee6",
"versionType": "git"
},
{
"lessThan": "48f9277680925e1a8623d6b2c50aadb7af824ace",
"status": "affected",
"version": "1dfc2e46117e5c41037e27e859e75a7518881ee6",
"versionType": "git"
},
{
"lessThan": "3d970eda003441f66551a91fda16478ac0711617",
"status": "affected",
"version": "1dfc2e46117e5c41037e27e859e75a7518881ee6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/google/gve/gve_main.c",
"drivers/net/ethernet/google/gve/gve_utils.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.9"
},
{
"lessThan": "6.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngve: defer interrupt enabling until NAPI registration\n\nCurrently, interrupts are automatically enabled immediately upon\nrequest. This allows interrupt to fire before the associated NAPI\ncontext is fully initialized and cause failures like below:\n\n[ 0.946369] Call Trace:\n[ 0.946369] \u003cIRQ\u003e\n[ 0.946369] __napi_poll+0x2a/0x1e0\n[ 0.946369] net_rx_action+0x2f9/0x3f0\n[ 0.946369] handle_softirqs+0xd6/0x2c0\n[ 0.946369] ? handle_edge_irq+0xc1/0x1b0\n[ 0.946369] __irq_exit_rcu+0xc3/0xe0\n[ 0.946369] common_interrupt+0x81/0xa0\n[ 0.946369] \u003c/IRQ\u003e\n[ 0.946369] \u003cTASK\u003e\n[ 0.946369] asm_common_interrupt+0x22/0x40\n[ 0.946369] RIP: 0010:pv_native_safe_halt+0xb/0x10\n\nUse the `IRQF_NO_AUTOEN` flag when requesting interrupts to prevent auto\nenablement and explicitly enable the interrupt in NAPI initialization\npath (and disable it during NAPI teardown).\n\nThis ensures that interrupt lifecycle is strictly coupled with\nreadiness of NAPI context."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:54.497Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f5b7f49bd2377916ad57cbd1210c61196daff013"
},
{
"url": "https://git.kernel.org/stable/c/48f9277680925e1a8623d6b2c50aadb7af824ace"
},
{
"url": "https://git.kernel.org/stable/c/3d970eda003441f66551a91fda16478ac0711617"
}
],
"title": "gve: defer interrupt enabling until NAPI registration",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71156",
"datePublished": "2026-01-23T14:25:55.456Z",
"dateReserved": "2026-01-13T15:30:19.663Z",
"dateUpdated": "2026-02-09T08:35:54.497Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71114 (GCVE-0-2025-71114)
Vulnerability from cvelistv5
Published
2026-01-14 15:06
Modified
2026-02-09 08:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
via_wdt: fix critical boot hang due to unnamed resource allocation
The VIA watchdog driver uses allocate_resource() to reserve a MMIO
region for the watchdog control register. However, the allocated
resource was not given a name, which causes the kernel resource tree
to contain an entry marked as "<BAD>" under /proc/iomem on x86
platforms.
During boot, this unnamed resource can lead to a critical hang because
subsequent resource lookups and conflict checks fail to handle the
invalid entry properly.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: dc3c56b703dad4aec8a9b3dd86f03a90d0c26a2d Version: dc3c56b703dad4aec8a9b3dd86f03a90d0c26a2d Version: dc3c56b703dad4aec8a9b3dd86f03a90d0c26a2d Version: dc3c56b703dad4aec8a9b3dd86f03a90d0c26a2d Version: dc3c56b703dad4aec8a9b3dd86f03a90d0c26a2d Version: dc3c56b703dad4aec8a9b3dd86f03a90d0c26a2d Version: dc3c56b703dad4aec8a9b3dd86f03a90d0c26a2d |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/watchdog/via_wdt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1d56025a3af50db0f3da2792f41eb9943eee5324",
"status": "affected",
"version": "dc3c56b703dad4aec8a9b3dd86f03a90d0c26a2d",
"versionType": "git"
},
{
"lessThan": "c7b986adc9e9336066350542ac5a2005d305ae78",
"status": "affected",
"version": "dc3c56b703dad4aec8a9b3dd86f03a90d0c26a2d",
"versionType": "git"
},
{
"lessThan": "47c910965c936724070d2a8094a4c3ed8f452856",
"status": "affected",
"version": "dc3c56b703dad4aec8a9b3dd86f03a90d0c26a2d",
"versionType": "git"
},
{
"lessThan": "d2c7c90aca7b37f60f16b2bedcfeb16204f2f35d",
"status": "affected",
"version": "dc3c56b703dad4aec8a9b3dd86f03a90d0c26a2d",
"versionType": "git"
},
{
"lessThan": "f7b6370d0fbee06a867037d675797a606cb62e57",
"status": "affected",
"version": "dc3c56b703dad4aec8a9b3dd86f03a90d0c26a2d",
"versionType": "git"
},
{
"lessThan": "c6a2dd4f2e4e6cbdfe7a1618160281af897b75db",
"status": "affected",
"version": "dc3c56b703dad4aec8a9b3dd86f03a90d0c26a2d",
"versionType": "git"
},
{
"lessThan": "7aa31ee9ec92915926e74731378c009c9cc04928",
"status": "affected",
"version": "dc3c56b703dad4aec8a9b3dd86f03a90d0c26a2d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/watchdog/via_wdt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.3"
},
{
"lessThan": "3.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvia_wdt: fix critical boot hang due to unnamed resource allocation\n\nThe VIA watchdog driver uses allocate_resource() to reserve a MMIO\nregion for the watchdog control register. However, the allocated\nresource was not given a name, which causes the kernel resource tree\nto contain an entry marked as \"\u003cBAD\u003e\" under /proc/iomem on x86\nplatforms.\n\nDuring boot, this unnamed resource can lead to a critical hang because\nsubsequent resource lookups and conflict checks fail to handle the\ninvalid entry properly."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:08.836Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1d56025a3af50db0f3da2792f41eb9943eee5324"
},
{
"url": "https://git.kernel.org/stable/c/c7b986adc9e9336066350542ac5a2005d305ae78"
},
{
"url": "https://git.kernel.org/stable/c/47c910965c936724070d2a8094a4c3ed8f452856"
},
{
"url": "https://git.kernel.org/stable/c/d2c7c90aca7b37f60f16b2bedcfeb16204f2f35d"
},
{
"url": "https://git.kernel.org/stable/c/f7b6370d0fbee06a867037d675797a606cb62e57"
},
{
"url": "https://git.kernel.org/stable/c/c6a2dd4f2e4e6cbdfe7a1618160281af897b75db"
},
{
"url": "https://git.kernel.org/stable/c/7aa31ee9ec92915926e74731378c009c9cc04928"
}
],
"title": "via_wdt: fix critical boot hang due to unnamed resource allocation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71114",
"datePublished": "2026-01-14T15:06:00.848Z",
"dateReserved": "2026-01-13T15:30:19.653Z",
"dateUpdated": "2026-02-09T08:35:08.836Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40248 (GCVE-0-2025-40248)
Vulnerability from cvelistv5
Published
2025-12-04 16:08
Modified
2025-12-06 21:38
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
vsock: Ignore signal/timeout on connect() if already established
During connect(), acting on a signal/timeout by disconnecting an already
established socket leads to several issues:
1. connect() invoking vsock_transport_cancel_pkt() ->
virtio_transport_purge_skbs() may race with sendmsg() invoking
virtio_transport_get_credit(). This results in a permanently elevated
`vvs->bytes_unsent`. Which, in turn, confuses the SOCK_LINGER handling.
2. connect() resetting a connected socket's state may race with socket
being placed in a sockmap. A disconnected socket remaining in a sockmap
breaks sockmap's assumptions. And gives rise to WARNs.
3. connect() transitioning SS_CONNECTED -> SS_UNCONNECTED allows for a
transport change/drop after TCP_ESTABLISHED. Which poses a problem for
any simultaneous sendmsg() or connect() and may result in a
use-after-free/null-ptr-deref.
Do not disconnect socket on signal/timeout. Keep the logic for unconnected
sockets: they don't linger, can't be placed in a sockmap, are rejected by
sendmsg().
[1]: https://lore.kernel.org/netdev/e07fd95c-9a38-4eea-9638-133e38c2ec9b@rbox.co/
[2]: https://lore.kernel.org/netdev/20250317-vsock-trans-signal-race-v4-0-fc8837f3f1d4@rbox.co/
[3]: https://lore.kernel.org/netdev/60f1b7db-3099-4f6a-875e-af9f6ef194f6@rbox.co/
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: d021c344051af91f42c5ba9fdedc176740cbd238 Version: d021c344051af91f42c5ba9fdedc176740cbd238 Version: d021c344051af91f42c5ba9fdedc176740cbd238 Version: d021c344051af91f42c5ba9fdedc176740cbd238 Version: d021c344051af91f42c5ba9fdedc176740cbd238 Version: d021c344051af91f42c5ba9fdedc176740cbd238 Version: d021c344051af91f42c5ba9fdedc176740cbd238 Version: d021c344051af91f42c5ba9fdedc176740cbd238 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/vmw_vsock/af_vsock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3f71753935d648082a8279a97d30efe6b85be680",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
},
{
"lessThan": "da664101fb4a0de5cb70d2bae6a650df954df2af",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
},
{
"lessThan": "67432915145848658149683101104e32f9fd6559",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
},
{
"lessThan": "eeca93f06df89be5a36305b7b9dae1ed65550dfc",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
},
{
"lessThan": "5998da5a8208ae9ad7838ba322bccb2bdcd95e81",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
},
{
"lessThan": "f1c170cae285e4b8f61be043bb17addc3d0a14b5",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
},
{
"lessThan": "ab6b19f690d89ae4709fba73a3c4a7911f495b7a",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
},
{
"lessThan": "002541ef650b742a198e4be363881439bb9d86b4",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/vmw_vsock/af_vsock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.9"
},
{
"lessThan": "3.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock: Ignore signal/timeout on connect() if already established\n\nDuring connect(), acting on a signal/timeout by disconnecting an already\nestablished socket leads to several issues:\n\n1. connect() invoking vsock_transport_cancel_pkt() -\u003e\n virtio_transport_purge_skbs() may race with sendmsg() invoking\n virtio_transport_get_credit(). This results in a permanently elevated\n `vvs-\u003ebytes_unsent`. Which, in turn, confuses the SOCK_LINGER handling.\n\n2. connect() resetting a connected socket\u0027s state may race with socket\n being placed in a sockmap. A disconnected socket remaining in a sockmap\n breaks sockmap\u0027s assumptions. And gives rise to WARNs.\n\n3. connect() transitioning SS_CONNECTED -\u003e SS_UNCONNECTED allows for a\n transport change/drop after TCP_ESTABLISHED. Which poses a problem for\n any simultaneous sendmsg() or connect() and may result in a\n use-after-free/null-ptr-deref.\n\nDo not disconnect socket on signal/timeout. Keep the logic for unconnected\nsockets: they don\u0027t linger, can\u0027t be placed in a sockmap, are rejected by\nsendmsg().\n\n[1]: https://lore.kernel.org/netdev/e07fd95c-9a38-4eea-9638-133e38c2ec9b@rbox.co/\n[2]: https://lore.kernel.org/netdev/20250317-vsock-trans-signal-race-v4-0-fc8837f3f1d4@rbox.co/\n[3]: https://lore.kernel.org/netdev/60f1b7db-3099-4f6a-875e-af9f6ef194f6@rbox.co/"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T21:38:46.423Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3f71753935d648082a8279a97d30efe6b85be680"
},
{
"url": "https://git.kernel.org/stable/c/da664101fb4a0de5cb70d2bae6a650df954df2af"
},
{
"url": "https://git.kernel.org/stable/c/67432915145848658149683101104e32f9fd6559"
},
{
"url": "https://git.kernel.org/stable/c/eeca93f06df89be5a36305b7b9dae1ed65550dfc"
},
{
"url": "https://git.kernel.org/stable/c/5998da5a8208ae9ad7838ba322bccb2bdcd95e81"
},
{
"url": "https://git.kernel.org/stable/c/f1c170cae285e4b8f61be043bb17addc3d0a14b5"
},
{
"url": "https://git.kernel.org/stable/c/ab6b19f690d89ae4709fba73a3c4a7911f495b7a"
},
{
"url": "https://git.kernel.org/stable/c/002541ef650b742a198e4be363881439bb9d86b4"
}
],
"title": "vsock: Ignore signal/timeout on connect() if already established",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40248",
"datePublished": "2025-12-04T16:08:11.509Z",
"dateReserved": "2025-04-16T07:20:57.181Z",
"dateUpdated": "2025-12-06T21:38:46.423Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39955 (GCVE-0-2025-39955)
Vulnerability from cvelistv5
Published
2025-10-09 09:47
Modified
2025-10-09 09:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect().
syzbot reported the splat below where a socket had tcp_sk(sk)->fastopen_rsk
in the TCP_ESTABLISHED state. [0]
syzbot reused the server-side TCP Fast Open socket as a new client before
the TFO socket completes 3WHS:
1. accept()
2. connect(AF_UNSPEC)
3. connect() to another destination
As of accept(), sk->sk_state is TCP_SYN_RECV, and tcp_disconnect() changes
it to TCP_CLOSE and makes connect() possible, which restarts timers.
Since tcp_disconnect() forgot to clear tcp_sk(sk)->fastopen_rsk, the
retransmit timer triggered the warning and the intended packet was not
retransmitted.
Let's call reqsk_fastopen_remove() in tcp_disconnect().
[0]:
WARNING: CPU: 2 PID: 0 at net/ipv4/tcp_timer.c:542 tcp_retransmit_timer (net/ipv4/tcp_timer.c:542 (discriminator 7))
Modules linked in:
CPU: 2 UID: 0 PID: 0 Comm: swapper/2 Not tainted 6.17.0-rc5-g201825fb4278 #62 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:tcp_retransmit_timer (net/ipv4/tcp_timer.c:542 (discriminator 7))
Code: 41 55 41 54 55 53 48 8b af b8 08 00 00 48 89 fb 48 85 ed 0f 84 55 01 00 00 0f b6 47 12 3c 03 74 0c 0f b6 47 12 3c 04 74 04 90 <0f> 0b 90 48 8b 85 c0 00 00 00 48 89 ef 48 8b 40 30 e8 6a 4f 06 3e
RSP: 0018:ffffc900002f8d40 EFLAGS: 00010293
RAX: 0000000000000002 RBX: ffff888106911400 RCX: 0000000000000017
RDX: 0000000002517619 RSI: ffffffff83764080 RDI: ffff888106911400
RBP: ffff888106d5c000 R08: 0000000000000001 R09: ffffc900002f8de8
R10: 00000000000000c2 R11: ffffc900002f8ff8 R12: ffff888106911540
R13: ffff888106911480 R14: ffff888106911840 R15: ffffc900002f8de0
FS: 0000000000000000(0000) GS:ffff88907b768000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f8044d69d90 CR3: 0000000002c30003 CR4: 0000000000370ef0
Call Trace:
<IRQ>
tcp_write_timer (net/ipv4/tcp_timer.c:738)
call_timer_fn (kernel/time/timer.c:1747)
__run_timers (kernel/time/timer.c:1799 kernel/time/timer.c:2372)
timer_expire_remote (kernel/time/timer.c:2385 kernel/time/timer.c:2376 kernel/time/timer.c:2135)
tmigr_handle_remote_up (kernel/time/timer_migration.c:944 kernel/time/timer_migration.c:1035)
__walk_groups.isra.0 (kernel/time/timer_migration.c:533 (discriminator 1))
tmigr_handle_remote (kernel/time/timer_migration.c:1096)
handle_softirqs (./arch/x86/include/asm/jump_label.h:36 ./include/trace/events/irq.h:142 kernel/softirq.c:580)
irq_exit_rcu (kernel/softirq.c:614 kernel/softirq.c:453 kernel/softirq.c:680 kernel/softirq.c:696)
sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1050 (discriminator 35) arch/x86/kernel/apic/apic.c:1050 (discriminator 35))
</IRQ>
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 8336886f786fdacbc19b719c1f7ea91eb70706d4 Version: 8336886f786fdacbc19b719c1f7ea91eb70706d4 Version: 8336886f786fdacbc19b719c1f7ea91eb70706d4 Version: 8336886f786fdacbc19b719c1f7ea91eb70706d4 Version: 8336886f786fdacbc19b719c1f7ea91eb70706d4 Version: 8336886f786fdacbc19b719c1f7ea91eb70706d4 Version: 8336886f786fdacbc19b719c1f7ea91eb70706d4 Version: 8336886f786fdacbc19b719c1f7ea91eb70706d4 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/tcp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7ec092a91ff351dcde89c23e795b73a328274db6",
"status": "affected",
"version": "8336886f786fdacbc19b719c1f7ea91eb70706d4",
"versionType": "git"
},
{
"lessThan": "a4378dedd6e07e62f2fccb17d78c9665718763d0",
"status": "affected",
"version": "8336886f786fdacbc19b719c1f7ea91eb70706d4",
"versionType": "git"
},
{
"lessThan": "33a4fdf0b4a25f8ce65380c3b0136b407ca57609",
"status": "affected",
"version": "8336886f786fdacbc19b719c1f7ea91eb70706d4",
"versionType": "git"
},
{
"lessThan": "17d699727577814198d744d6afe54735c6b54c99",
"status": "affected",
"version": "8336886f786fdacbc19b719c1f7ea91eb70706d4",
"versionType": "git"
},
{
"lessThan": "dfd06131107e7b699ef1e2a24ed2f7d17c917753",
"status": "affected",
"version": "8336886f786fdacbc19b719c1f7ea91eb70706d4",
"versionType": "git"
},
{
"lessThan": "fa4749c065644af4db496b338452a69a3e5147d9",
"status": "affected",
"version": "8336886f786fdacbc19b719c1f7ea91eb70706d4",
"versionType": "git"
},
{
"lessThan": "ae313d14b45eca7a6bb29cb9bf396d977e7d28fb",
"status": "affected",
"version": "8336886f786fdacbc19b719c1f7ea91eb70706d4",
"versionType": "git"
},
{
"lessThan": "45c8a6cc2bcd780e634a6ba8e46bffbdf1fc5c01",
"status": "affected",
"version": "8336886f786fdacbc19b719c1f7ea91eb70706d4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/tcp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.7"
},
{
"lessThan": "3.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.154",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.108",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.154",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.108",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.49",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.9",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "3.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: Clear tcp_sk(sk)-\u003efastopen_rsk in tcp_disconnect().\n\nsyzbot reported the splat below where a socket had tcp_sk(sk)-\u003efastopen_rsk\nin the TCP_ESTABLISHED state. [0]\n\nsyzbot reused the server-side TCP Fast Open socket as a new client before\nthe TFO socket completes 3WHS:\n\n 1. accept()\n 2. connect(AF_UNSPEC)\n 3. connect() to another destination\n\nAs of accept(), sk-\u003esk_state is TCP_SYN_RECV, and tcp_disconnect() changes\nit to TCP_CLOSE and makes connect() possible, which restarts timers.\n\nSince tcp_disconnect() forgot to clear tcp_sk(sk)-\u003efastopen_rsk, the\nretransmit timer triggered the warning and the intended packet was not\nretransmitted.\n\nLet\u0027s call reqsk_fastopen_remove() in tcp_disconnect().\n\n[0]:\nWARNING: CPU: 2 PID: 0 at net/ipv4/tcp_timer.c:542 tcp_retransmit_timer (net/ipv4/tcp_timer.c:542 (discriminator 7))\nModules linked in:\nCPU: 2 UID: 0 PID: 0 Comm: swapper/2 Not tainted 6.17.0-rc5-g201825fb4278 #62 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\nRIP: 0010:tcp_retransmit_timer (net/ipv4/tcp_timer.c:542 (discriminator 7))\nCode: 41 55 41 54 55 53 48 8b af b8 08 00 00 48 89 fb 48 85 ed 0f 84 55 01 00 00 0f b6 47 12 3c 03 74 0c 0f b6 47 12 3c 04 74 04 90 \u003c0f\u003e 0b 90 48 8b 85 c0 00 00 00 48 89 ef 48 8b 40 30 e8 6a 4f 06 3e\nRSP: 0018:ffffc900002f8d40 EFLAGS: 00010293\nRAX: 0000000000000002 RBX: ffff888106911400 RCX: 0000000000000017\nRDX: 0000000002517619 RSI: ffffffff83764080 RDI: ffff888106911400\nRBP: ffff888106d5c000 R08: 0000000000000001 R09: ffffc900002f8de8\nR10: 00000000000000c2 R11: ffffc900002f8ff8 R12: ffff888106911540\nR13: ffff888106911480 R14: ffff888106911840 R15: ffffc900002f8de0\nFS: 0000000000000000(0000) GS:ffff88907b768000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f8044d69d90 CR3: 0000000002c30003 CR4: 0000000000370ef0\nCall Trace:\n \u003cIRQ\u003e\n tcp_write_timer (net/ipv4/tcp_timer.c:738)\n call_timer_fn (kernel/time/timer.c:1747)\n __run_timers (kernel/time/timer.c:1799 kernel/time/timer.c:2372)\n timer_expire_remote (kernel/time/timer.c:2385 kernel/time/timer.c:2376 kernel/time/timer.c:2135)\n tmigr_handle_remote_up (kernel/time/timer_migration.c:944 kernel/time/timer_migration.c:1035)\n __walk_groups.isra.0 (kernel/time/timer_migration.c:533 (discriminator 1))\n tmigr_handle_remote (kernel/time/timer_migration.c:1096)\n handle_softirqs (./arch/x86/include/asm/jump_label.h:36 ./include/trace/events/irq.h:142 kernel/softirq.c:580)\n irq_exit_rcu (kernel/softirq.c:614 kernel/softirq.c:453 kernel/softirq.c:680 kernel/softirq.c:696)\n sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1050 (discriminator 35) arch/x86/kernel/apic/apic.c:1050 (discriminator 35))\n \u003c/IRQ\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-09T09:47:33.556Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7ec092a91ff351dcde89c23e795b73a328274db6"
},
{
"url": "https://git.kernel.org/stable/c/a4378dedd6e07e62f2fccb17d78c9665718763d0"
},
{
"url": "https://git.kernel.org/stable/c/33a4fdf0b4a25f8ce65380c3b0136b407ca57609"
},
{
"url": "https://git.kernel.org/stable/c/17d699727577814198d744d6afe54735c6b54c99"
},
{
"url": "https://git.kernel.org/stable/c/dfd06131107e7b699ef1e2a24ed2f7d17c917753"
},
{
"url": "https://git.kernel.org/stable/c/fa4749c065644af4db496b338452a69a3e5147d9"
},
{
"url": "https://git.kernel.org/stable/c/ae313d14b45eca7a6bb29cb9bf396d977e7d28fb"
},
{
"url": "https://git.kernel.org/stable/c/45c8a6cc2bcd780e634a6ba8e46bffbdf1fc5c01"
}
],
"title": "tcp: Clear tcp_sk(sk)-\u003efastopen_rsk in tcp_disconnect().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39955",
"datePublished": "2025-10-09T09:47:33.556Z",
"dateReserved": "2025-04-16T07:20:57.149Z",
"dateUpdated": "2025-10-09T09:47:33.556Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40115 (GCVE-0-2025-40115)
Vulnerability from cvelistv5
Published
2025-11-12 10:23
Modified
2025-12-01 06:18
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: mpt3sas: Fix crash in transport port remove by using ioc_info()
During mpt3sas_transport_port_remove(), messages were logged with
dev_printk() against &mpt3sas_port->port->dev. At this point the SAS
transport device may already be partially unregistered or freed, leading
to a crash when accessing its struct device.
Using ioc_info(), which logs via the PCI device (ioc->pdev->dev),
guaranteed to remain valid until driver removal.
[83428.295776] Oops: general protection fault, probably for non-canonical address 0x6f702f323a33312d: 0000 [#1] SMP NOPTI
[83428.295785] CPU: 145 UID: 0 PID: 113296 Comm: rmmod Kdump: loaded Tainted: G OE 6.16.0-rc1+ #1 PREEMPT(voluntary)
[83428.295792] Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
[83428.295795] Hardware name: Dell Inc. Precision 7875 Tower/, BIOS 89.1.67 02/23/2024
[83428.295799] RIP: 0010:__dev_printk+0x1f/0x70
[83428.295805] Code: 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 49 89 d1 48 85 f6 74 52 4c 8b 46 50 4d 85 c0 74 1f 48 8b 46 68 48 85 c0 74 22 <48> 8b 08 0f b6 7f 01 48 c7 c2 db e8 42 ad 83 ef 30 e9 7b f8 ff ff
[83428.295813] RSP: 0018:ff85aeafc3137bb0 EFLAGS: 00010206
[83428.295817] RAX: 6f702f323a33312d RBX: ff4290ee81292860 RCX: 5000cca25103be32
[83428.295820] RDX: ff85aeafc3137bb8 RSI: ff4290eeb1966c00 RDI: ffffffffc1560845
[83428.295823] RBP: ff85aeafc3137c18 R08: 74726f702f303a33 R09: ff85aeafc3137bb8
[83428.295826] R10: ff85aeafc3137b18 R11: ff4290f5bd60fe68 R12: ff4290ee81290000
[83428.295830] R13: ff4290ee6e345de0 R14: ff4290ee81290000 R15: ff4290ee6e345e30
[83428.295833] FS: 00007fd9472a6740(0000) GS:ff4290f5ce96b000(0000) knlGS:0000000000000000
[83428.295837] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[83428.295840] CR2: 00007f242b4db238 CR3: 00000002372b8006 CR4: 0000000000771ef0
[83428.295844] PKRU: 55555554
[83428.295846] Call Trace:
[83428.295848] <TASK>
[83428.295850] _dev_printk+0x5c/0x80
[83428.295857] ? srso_alias_return_thunk+0x5/0xfbef5
[83428.295863] mpt3sas_transport_port_remove+0x1c7/0x420 [mpt3sas]
[83428.295882] _scsih_remove_device+0x21b/0x280 [mpt3sas]
[83428.295894] ? _scsih_expander_node_remove+0x108/0x140 [mpt3sas]
[83428.295906] ? srso_alias_return_thunk+0x5/0xfbef5
[83428.295910] mpt3sas_device_remove_by_sas_address.part.0+0x8f/0x110 [mpt3sas]
[83428.295921] _scsih_expander_node_remove+0x129/0x140 [mpt3sas]
[83428.295933] _scsih_expander_node_remove+0x6a/0x140 [mpt3sas]
[83428.295944] scsih_remove+0x3f0/0x4a0 [mpt3sas]
[83428.295957] pci_device_remove+0x3b/0xb0
[83428.295962] device_release_driver_internal+0x193/0x200
[83428.295968] driver_detach+0x44/0x90
[83428.295971] bus_remove_driver+0x69/0xf0
[83428.295975] pci_unregister_driver+0x2a/0xb0
[83428.295979] _mpt3sas_exit+0x1f/0x300 [mpt3sas]
[83428.295991] __do_sys_delete_module.constprop.0+0x174/0x310
[83428.295997] ? srso_alias_return_thunk+0x5/0xfbef5
[83428.296000] ? __x64_sys_getdents64+0x9a/0x110
[83428.296005] ? srso_alias_return_thunk+0x5/0xfbef5
[83428.296009] ? syscall_trace_enter+0xf6/0x1b0
[83428.296014] do_syscall_64+0x7b/0x2c0
[83428.296019] ? srso_alias_return_thunk+0x5/0xfbef5
[83428.296023] entry_SYSCALL_64_after_hwframe+0x76/0x7e
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: f92363d12359498f9a9960511de1a550f0ec41c2 Version: f92363d12359498f9a9960511de1a550f0ec41c2 Version: f92363d12359498f9a9960511de1a550f0ec41c2 Version: f92363d12359498f9a9960511de1a550f0ec41c2 Version: f92363d12359498f9a9960511de1a550f0ec41c2 Version: f92363d12359498f9a9960511de1a550f0ec41c2 Version: f92363d12359498f9a9960511de1a550f0ec41c2 Version: f92363d12359498f9a9960511de1a550f0ec41c2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/mpt3sas/mpt3sas_transport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b3a6d153861d0f29b80882470d14aafb8d687dc2",
"status": "affected",
"version": "f92363d12359498f9a9960511de1a550f0ec41c2",
"versionType": "git"
},
{
"lessThan": "4e1442bae50ed633c2fe8058f47cd79b4ad88b9b",
"status": "affected",
"version": "f92363d12359498f9a9960511de1a550f0ec41c2",
"versionType": "git"
},
{
"lessThan": "a89253eb4e648deace48a4e38996afd182eb95e3",
"status": "affected",
"version": "f92363d12359498f9a9960511de1a550f0ec41c2",
"versionType": "git"
},
{
"lessThan": "fa153fb40c61f8ca01237427c97a0b93ba32c403",
"status": "affected",
"version": "f92363d12359498f9a9960511de1a550f0ec41c2",
"versionType": "git"
},
{
"lessThan": "6459dba4f35017448535a799cf699d5205eb5489",
"status": "affected",
"version": "f92363d12359498f9a9960511de1a550f0ec41c2",
"versionType": "git"
},
{
"lessThan": "1fd39e14d47d9b4965dd5c9cff16e64ba3e71a62",
"status": "affected",
"version": "f92363d12359498f9a9960511de1a550f0ec41c2",
"versionType": "git"
},
{
"lessThan": "970ceb1bdc3d6c2af9245d6eca38606e74fcb6b8",
"status": "affected",
"version": "f92363d12359498f9a9960511de1a550f0ec41c2",
"versionType": "git"
},
{
"lessThan": "1703fe4f8ae50d1fb6449854e1fcaed1053e3a14",
"status": "affected",
"version": "f92363d12359498f9a9960511de1a550f0ec41c2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/mpt3sas/mpt3sas_transport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpt3sas: Fix crash in transport port remove by using ioc_info()\n\nDuring mpt3sas_transport_port_remove(), messages were logged with\ndev_printk() against \u0026mpt3sas_port-\u003eport-\u003edev. At this point the SAS\ntransport device may already be partially unregistered or freed, leading\nto a crash when accessing its struct device.\n\nUsing ioc_info(), which logs via the PCI device (ioc-\u003epdev-\u003edev),\nguaranteed to remain valid until driver removal.\n\n[83428.295776] Oops: general protection fault, probably for non-canonical address 0x6f702f323a33312d: 0000 [#1] SMP NOPTI\n[83428.295785] CPU: 145 UID: 0 PID: 113296 Comm: rmmod Kdump: loaded Tainted: G OE 6.16.0-rc1+ #1 PREEMPT(voluntary)\n[83428.295792] Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\n[83428.295795] Hardware name: Dell Inc. Precision 7875 Tower/, BIOS 89.1.67 02/23/2024\n[83428.295799] RIP: 0010:__dev_printk+0x1f/0x70\n[83428.295805] Code: 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 49 89 d1 48 85 f6 74 52 4c 8b 46 50 4d 85 c0 74 1f 48 8b 46 68 48 85 c0 74 22 \u003c48\u003e 8b 08 0f b6 7f 01 48 c7 c2 db e8 42 ad 83 ef 30 e9 7b f8 ff ff\n[83428.295813] RSP: 0018:ff85aeafc3137bb0 EFLAGS: 00010206\n[83428.295817] RAX: 6f702f323a33312d RBX: ff4290ee81292860 RCX: 5000cca25103be32\n[83428.295820] RDX: ff85aeafc3137bb8 RSI: ff4290eeb1966c00 RDI: ffffffffc1560845\n[83428.295823] RBP: ff85aeafc3137c18 R08: 74726f702f303a33 R09: ff85aeafc3137bb8\n[83428.295826] R10: ff85aeafc3137b18 R11: ff4290f5bd60fe68 R12: ff4290ee81290000\n[83428.295830] R13: ff4290ee6e345de0 R14: ff4290ee81290000 R15: ff4290ee6e345e30\n[83428.295833] FS: 00007fd9472a6740(0000) GS:ff4290f5ce96b000(0000) knlGS:0000000000000000\n[83428.295837] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[83428.295840] CR2: 00007f242b4db238 CR3: 00000002372b8006 CR4: 0000000000771ef0\n[83428.295844] PKRU: 55555554\n[83428.295846] Call Trace:\n[83428.295848] \u003cTASK\u003e\n[83428.295850] _dev_printk+0x5c/0x80\n[83428.295857] ? srso_alias_return_thunk+0x5/0xfbef5\n[83428.295863] mpt3sas_transport_port_remove+0x1c7/0x420 [mpt3sas]\n[83428.295882] _scsih_remove_device+0x21b/0x280 [mpt3sas]\n[83428.295894] ? _scsih_expander_node_remove+0x108/0x140 [mpt3sas]\n[83428.295906] ? srso_alias_return_thunk+0x5/0xfbef5\n[83428.295910] mpt3sas_device_remove_by_sas_address.part.0+0x8f/0x110 [mpt3sas]\n[83428.295921] _scsih_expander_node_remove+0x129/0x140 [mpt3sas]\n[83428.295933] _scsih_expander_node_remove+0x6a/0x140 [mpt3sas]\n[83428.295944] scsih_remove+0x3f0/0x4a0 [mpt3sas]\n[83428.295957] pci_device_remove+0x3b/0xb0\n[83428.295962] device_release_driver_internal+0x193/0x200\n[83428.295968] driver_detach+0x44/0x90\n[83428.295971] bus_remove_driver+0x69/0xf0\n[83428.295975] pci_unregister_driver+0x2a/0xb0\n[83428.295979] _mpt3sas_exit+0x1f/0x300 [mpt3sas]\n[83428.295991] __do_sys_delete_module.constprop.0+0x174/0x310\n[83428.295997] ? srso_alias_return_thunk+0x5/0xfbef5\n[83428.296000] ? __x64_sys_getdents64+0x9a/0x110\n[83428.296005] ? srso_alias_return_thunk+0x5/0xfbef5\n[83428.296009] ? syscall_trace_enter+0xf6/0x1b0\n[83428.296014] do_syscall_64+0x7b/0x2c0\n[83428.296019] ? srso_alias_return_thunk+0x5/0xfbef5\n[83428.296023] entry_SYSCALL_64_after_hwframe+0x76/0x7e"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:18:18.399Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b3a6d153861d0f29b80882470d14aafb8d687dc2"
},
{
"url": "https://git.kernel.org/stable/c/4e1442bae50ed633c2fe8058f47cd79b4ad88b9b"
},
{
"url": "https://git.kernel.org/stable/c/a89253eb4e648deace48a4e38996afd182eb95e3"
},
{
"url": "https://git.kernel.org/stable/c/fa153fb40c61f8ca01237427c97a0b93ba32c403"
},
{
"url": "https://git.kernel.org/stable/c/6459dba4f35017448535a799cf699d5205eb5489"
},
{
"url": "https://git.kernel.org/stable/c/1fd39e14d47d9b4965dd5c9cff16e64ba3e71a62"
},
{
"url": "https://git.kernel.org/stable/c/970ceb1bdc3d6c2af9245d6eca38606e74fcb6b8"
},
{
"url": "https://git.kernel.org/stable/c/1703fe4f8ae50d1fb6449854e1fcaed1053e3a14"
}
],
"title": "scsi: mpt3sas: Fix crash in transport port remove by using ioc_info()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40115",
"datePublished": "2025-11-12T10:23:17.283Z",
"dateReserved": "2025-04-16T07:20:57.168Z",
"dateUpdated": "2025-12-01T06:18:18.399Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68769 (GCVE-0-2025-68769)
Vulnerability from cvelistv5
Published
2026-01-13 15:28
Modified
2026-02-09 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix return value of f2fs_recover_fsync_data()
With below scripts, it will trigger panic in f2fs:
mkfs.f2fs -f /dev/vdd
mount /dev/vdd /mnt/f2fs
touch /mnt/f2fs/foo
sync
echo 111 >> /mnt/f2fs/foo
f2fs_io fsync /mnt/f2fs/foo
f2fs_io shutdown 2 /mnt/f2fs
umount /mnt/f2fs
mount -o ro,norecovery /dev/vdd /mnt/f2fs
or
mount -o ro,disable_roll_forward /dev/vdd /mnt/f2fs
F2FS-fs (vdd): f2fs_recover_fsync_data: recovery fsync data, check_only: 0
F2FS-fs (vdd): Mounted with checkpoint version = 7f5c361f
F2FS-fs (vdd): Stopped filesystem due to reason: 0
F2FS-fs (vdd): f2fs_recover_fsync_data: recovery fsync data, check_only: 1
Filesystem f2fs get_tree() didn't set fc->root, returned 1
------------[ cut here ]------------
kernel BUG at fs/super.c:1761!
Oops: invalid opcode: 0000 [#1] SMP PTI
CPU: 3 UID: 0 PID: 722 Comm: mount Not tainted 6.18.0-rc2+ #721 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:vfs_get_tree.cold+0x18/0x1a
Call Trace:
<TASK>
fc_mount+0x13/0xa0
path_mount+0x34e/0xc50
__x64_sys_mount+0x121/0x150
do_syscall_64+0x84/0x800
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7fa6cc126cfe
The root cause is we missed to handle error number returned from
f2fs_recover_fsync_data() when mounting image w/ ro,norecovery or
ro,disable_roll_forward mount option, result in returning a positive
error number to vfs_get_tree(), fix it.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 6781eabba1bdb133eb9125c4acf6704ccbe4df02 Version: 6781eabba1bdb133eb9125c4acf6704ccbe4df02 Version: 6781eabba1bdb133eb9125c4acf6704ccbe4df02 Version: 6781eabba1bdb133eb9125c4acf6704ccbe4df02 Version: 6781eabba1bdb133eb9125c4acf6704ccbe4df02 Version: 6781eabba1bdb133eb9125c4acf6704ccbe4df02 Version: 6781eabba1bdb133eb9125c4acf6704ccbe4df02 Version: 1499d39b74f5957e932639a86487ccea5a0a9740 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/f2fs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e6ac31abd30e9fd2ef5f0819ce7f3f932be3b725",
"status": "affected",
"version": "6781eabba1bdb133eb9125c4acf6704ccbe4df02",
"versionType": "git"
},
{
"lessThan": "0de4977a1eeafe9d77701e3c031a1bcdba389243",
"status": "affected",
"version": "6781eabba1bdb133eb9125c4acf6704ccbe4df02",
"versionType": "git"
},
{
"lessThan": "9bc246018aaa3b46a7710428d0a2196c229f9d49",
"status": "affected",
"version": "6781eabba1bdb133eb9125c4acf6704ccbe4df02",
"versionType": "git"
},
{
"lessThan": "a4c67d96f92eefcfa5596a08f069e77b743c5865",
"status": "affected",
"version": "6781eabba1bdb133eb9125c4acf6704ccbe4df02",
"versionType": "git"
},
{
"lessThan": "473550e715654ad7612aa490d583cb7c25fe2ff3",
"status": "affected",
"version": "6781eabba1bdb133eb9125c4acf6704ccbe4df02",
"versionType": "git"
},
{
"lessThan": "4560db9678a2c5952b6205fbca468c6805c2ba2a",
"status": "affected",
"version": "6781eabba1bdb133eb9125c4acf6704ccbe4df02",
"versionType": "git"
},
{
"lessThan": "01fba45deaddcce0d0b01c411435d1acf6feab7b",
"status": "affected",
"version": "6781eabba1bdb133eb9125c4acf6704ccbe4df02",
"versionType": "git"
},
{
"status": "affected",
"version": "1499d39b74f5957e932639a86487ccea5a0a9740",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/f2fs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.7"
},
{
"lessThan": "4.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.172",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix return value of f2fs_recover_fsync_data()\n\nWith below scripts, it will trigger panic in f2fs:\n\nmkfs.f2fs -f /dev/vdd\nmount /dev/vdd /mnt/f2fs\ntouch /mnt/f2fs/foo\nsync\necho 111 \u003e\u003e /mnt/f2fs/foo\nf2fs_io fsync /mnt/f2fs/foo\nf2fs_io shutdown 2 /mnt/f2fs\numount /mnt/f2fs\nmount -o ro,norecovery /dev/vdd /mnt/f2fs\nor\nmount -o ro,disable_roll_forward /dev/vdd /mnt/f2fs\n\nF2FS-fs (vdd): f2fs_recover_fsync_data: recovery fsync data, check_only: 0\nF2FS-fs (vdd): Mounted with checkpoint version = 7f5c361f\nF2FS-fs (vdd): Stopped filesystem due to reason: 0\nF2FS-fs (vdd): f2fs_recover_fsync_data: recovery fsync data, check_only: 1\nFilesystem f2fs get_tree() didn\u0027t set fc-\u003eroot, returned 1\n------------[ cut here ]------------\nkernel BUG at fs/super.c:1761!\nOops: invalid opcode: 0000 [#1] SMP PTI\nCPU: 3 UID: 0 PID: 722 Comm: mount Not tainted 6.18.0-rc2+ #721 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\nRIP: 0010:vfs_get_tree.cold+0x18/0x1a\nCall Trace:\n \u003cTASK\u003e\n fc_mount+0x13/0xa0\n path_mount+0x34e/0xc50\n __x64_sys_mount+0x121/0x150\n do_syscall_64+0x84/0x800\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0033:0x7fa6cc126cfe\n\nThe root cause is we missed to handle error number returned from\nf2fs_recover_fsync_data() when mounting image w/ ro,norecovery or\nro,disable_roll_forward mount option, result in returning a positive\nerror number to vfs_get_tree(), fix it."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:14.214Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e6ac31abd30e9fd2ef5f0819ce7f3f932be3b725"
},
{
"url": "https://git.kernel.org/stable/c/0de4977a1eeafe9d77701e3c031a1bcdba389243"
},
{
"url": "https://git.kernel.org/stable/c/9bc246018aaa3b46a7710428d0a2196c229f9d49"
},
{
"url": "https://git.kernel.org/stable/c/a4c67d96f92eefcfa5596a08f069e77b743c5865"
},
{
"url": "https://git.kernel.org/stable/c/473550e715654ad7612aa490d583cb7c25fe2ff3"
},
{
"url": "https://git.kernel.org/stable/c/4560db9678a2c5952b6205fbca468c6805c2ba2a"
},
{
"url": "https://git.kernel.org/stable/c/01fba45deaddcce0d0b01c411435d1acf6feab7b"
}
],
"title": "f2fs: fix return value of f2fs_recover_fsync_data()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68769",
"datePublished": "2026-01-13T15:28:47.798Z",
"dateReserved": "2025-12-24T10:30:51.034Z",
"dateUpdated": "2026-02-09T08:33:14.214Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68337 (GCVE-0-2025-68337)
Vulnerability from cvelistv5
Published
2025-12-22 16:14
Modified
2026-02-09 08:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
jbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corrupted
There's issue when file system corrupted:
------------[ cut here ]------------
kernel BUG at fs/jbd2/transaction.c:1289!
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 5 UID: 0 PID: 2031 Comm: mkdir Not tainted 6.18.0-rc1-next
RIP: 0010:jbd2_journal_get_create_access+0x3b6/0x4d0
RSP: 0018:ffff888117aafa30 EFLAGS: 00010202
RAX: 0000000000000000 RBX: ffff88811a86b000 RCX: ffffffff89a63534
RDX: 1ffff110200ec602 RSI: 0000000000000004 RDI: ffff888100763010
RBP: ffff888100763000 R08: 0000000000000001 R09: ffff888100763028
R10: 0000000000000003 R11: 0000000000000000 R12: 0000000000000000
R13: ffff88812c432000 R14: ffff88812c608000 R15: ffff888120bfc000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f91d6970c99 CR3: 00000001159c4000 CR4: 00000000000006f0
Call Trace:
<TASK>
__ext4_journal_get_create_access+0x42/0x170
ext4_getblk+0x319/0x6f0
ext4_bread+0x11/0x100
ext4_append+0x1e6/0x4a0
ext4_init_new_dir+0x145/0x1d0
ext4_mkdir+0x326/0x920
vfs_mkdir+0x45c/0x740
do_mkdirat+0x234/0x2f0
__x64_sys_mkdir+0xd6/0x120
do_syscall_64+0x5f/0xfa0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
The above issue occurs with us in errors=continue mode when accompanied by
storage failures. There have been many inconsistencies in the file system
data.
In the case of file system data inconsistency, for example, if the block
bitmap of a referenced block is not set, it can lead to the situation where
a block being committed is allocated and used again. As a result, the
following condition will not be satisfied then trigger BUG_ON. Of course,
it is entirely possible to construct a problematic image that can trigger
this BUG_ON through specific operations. In fact, I have constructed such
an image and easily reproduced this issue.
Therefore, J_ASSERT() holds true only under ideal conditions, but it may
not necessarily be satisfied in exceptional scenarios. Using J_ASSERT()
directly in abnormal situations would cause the system to crash, which is
clearly not what we want. So here we directly trigger a JBD abort instead
of immediately invoking BUG_ON.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 470decc613ab2048b619a01028072d932d9086ee Version: 470decc613ab2048b619a01028072d932d9086ee Version: 470decc613ab2048b619a01028072d932d9086ee Version: 470decc613ab2048b619a01028072d932d9086ee Version: 470decc613ab2048b619a01028072d932d9086ee Version: 470decc613ab2048b619a01028072d932d9086ee Version: 470decc613ab2048b619a01028072d932d9086ee Version: 470decc613ab2048b619a01028072d932d9086ee |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/jbd2/transaction.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "71bbe06c40fc59b5b15661eca8ff307f4176d7f9",
"status": "affected",
"version": "470decc613ab2048b619a01028072d932d9086ee",
"versionType": "git"
},
{
"lessThan": "ed62fd8c15d41c4127ad16b8219b63124f5962bc",
"status": "affected",
"version": "470decc613ab2048b619a01028072d932d9086ee",
"versionType": "git"
},
{
"lessThan": "3faac6531d4818cd6be45e5bbf32937bbbc795c0",
"status": "affected",
"version": "470decc613ab2048b619a01028072d932d9086ee",
"versionType": "git"
},
{
"lessThan": "b4f8eabf6d991bd41fabcdf9302c4b3eab590cf4",
"status": "affected",
"version": "470decc613ab2048b619a01028072d932d9086ee",
"versionType": "git"
},
{
"lessThan": "a2a7f854d154a3e9232fec80782dad951655f52f",
"status": "affected",
"version": "470decc613ab2048b619a01028072d932d9086ee",
"versionType": "git"
},
{
"lessThan": "bf34c72337e40c4670cceeb79b353356933a254b",
"status": "affected",
"version": "470decc613ab2048b619a01028072d932d9086ee",
"versionType": "git"
},
{
"lessThan": "aa1703f3f706ea0867fb1991dcac709c9ec94cfb",
"status": "affected",
"version": "470decc613ab2048b619a01028072d932d9086ee",
"versionType": "git"
},
{
"lessThan": "986835bf4d11032bba4ab8414d18fce038c61bb4",
"status": "affected",
"version": "470decc613ab2048b619a01028072d932d9086ee",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/jbd2/transaction.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.19"
},
{
"lessThan": "2.6.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.62",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.62",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.12",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.1",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\njbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corrupted\n\nThere\u0027s issue when file system corrupted:\n------------[ cut here ]------------\nkernel BUG at fs/jbd2/transaction.c:1289!\nOops: invalid opcode: 0000 [#1] SMP KASAN PTI\nCPU: 5 UID: 0 PID: 2031 Comm: mkdir Not tainted 6.18.0-rc1-next\nRIP: 0010:jbd2_journal_get_create_access+0x3b6/0x4d0\nRSP: 0018:ffff888117aafa30 EFLAGS: 00010202\nRAX: 0000000000000000 RBX: ffff88811a86b000 RCX: ffffffff89a63534\nRDX: 1ffff110200ec602 RSI: 0000000000000004 RDI: ffff888100763010\nRBP: ffff888100763000 R08: 0000000000000001 R09: ffff888100763028\nR10: 0000000000000003 R11: 0000000000000000 R12: 0000000000000000\nR13: ffff88812c432000 R14: ffff88812c608000 R15: ffff888120bfc000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f91d6970c99 CR3: 00000001159c4000 CR4: 00000000000006f0\nCall Trace:\n \u003cTASK\u003e\n __ext4_journal_get_create_access+0x42/0x170\n ext4_getblk+0x319/0x6f0\n ext4_bread+0x11/0x100\n ext4_append+0x1e6/0x4a0\n ext4_init_new_dir+0x145/0x1d0\n ext4_mkdir+0x326/0x920\n vfs_mkdir+0x45c/0x740\n do_mkdirat+0x234/0x2f0\n __x64_sys_mkdir+0xd6/0x120\n do_syscall_64+0x5f/0xfa0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThe above issue occurs with us in errors=continue mode when accompanied by\nstorage failures. There have been many inconsistencies in the file system\ndata.\nIn the case of file system data inconsistency, for example, if the block\nbitmap of a referenced block is not set, it can lead to the situation where\na block being committed is allocated and used again. As a result, the\nfollowing condition will not be satisfied then trigger BUG_ON. Of course,\nit is entirely possible to construct a problematic image that can trigger\nthis BUG_ON through specific operations. In fact, I have constructed such\nan image and easily reproduced this issue.\nTherefore, J_ASSERT() holds true only under ideal conditions, but it may\nnot necessarily be satisfied in exceptional scenarios. Using J_ASSERT()\ndirectly in abnormal situations would cause the system to crash, which is\nclearly not what we want. So here we directly trigger a JBD abort instead\nof immediately invoking BUG_ON."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:31:31.824Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/71bbe06c40fc59b5b15661eca8ff307f4176d7f9"
},
{
"url": "https://git.kernel.org/stable/c/ed62fd8c15d41c4127ad16b8219b63124f5962bc"
},
{
"url": "https://git.kernel.org/stable/c/3faac6531d4818cd6be45e5bbf32937bbbc795c0"
},
{
"url": "https://git.kernel.org/stable/c/b4f8eabf6d991bd41fabcdf9302c4b3eab590cf4"
},
{
"url": "https://git.kernel.org/stable/c/a2a7f854d154a3e9232fec80782dad951655f52f"
},
{
"url": "https://git.kernel.org/stable/c/bf34c72337e40c4670cceeb79b353356933a254b"
},
{
"url": "https://git.kernel.org/stable/c/aa1703f3f706ea0867fb1991dcac709c9ec94cfb"
},
{
"url": "https://git.kernel.org/stable/c/986835bf4d11032bba4ab8414d18fce038c61bb4"
}
],
"title": "jbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corrupted",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68337",
"datePublished": "2025-12-22T16:14:14.145Z",
"dateReserved": "2025-12-16T14:48:05.297Z",
"dateUpdated": "2026-02-09T08:31:31.824Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-53114 (GCVE-0-2024-53114)
Vulnerability from cvelistv5
Published
2024-12-02 13:44
Modified
2026-01-05 10:55
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
x86/CPU/AMD: Clear virtualized VMLOAD/VMSAVE on Zen4 client
A number of Zen4 client SoCs advertise the ability to use virtualized
VMLOAD/VMSAVE, but using these instructions is reported to be a cause
of a random host reboot.
These instructions aren't intended to be advertised on Zen4 client
so clear the capability.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-53114",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T20:10:34.651237Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T20:17:11.101Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kernel/cpu/amd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "00c713f84f477a85e524f34aad8fbd11a1c051f0",
"status": "affected",
"version": "89c8a4984fc98e625517bfe5083342d77ee35811",
"versionType": "git"
},
{
"lessThan": "a5ca1dc46a6b610dd4627d8b633d6c84f9724ef0",
"status": "affected",
"version": "89c8a4984fc98e625517bfe5083342d77ee35811",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kernel/cpu/amd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"version": "6.11.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.12",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11.10",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/CPU/AMD: Clear virtualized VMLOAD/VMSAVE on Zen4 client\n\nA number of Zen4 client SoCs advertise the ability to use virtualized\nVMLOAD/VMSAVE, but using these instructions is reported to be a cause\nof a random host reboot.\n\nThese instructions aren\u0027t intended to be advertised on Zen4 client\nso clear the capability."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:55:32.678Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/00c713f84f477a85e524f34aad8fbd11a1c051f0"
},
{
"url": "https://git.kernel.org/stable/c/a5ca1dc46a6b610dd4627d8b633d6c84f9724ef0"
}
],
"title": "x86/CPU/AMD: Clear virtualized VMLOAD/VMSAVE on Zen4 client",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-53114",
"datePublished": "2024-12-02T13:44:46.142Z",
"dateReserved": "2024-11-19T17:17:24.993Z",
"dateUpdated": "2026-01-05T10:55:32.678Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38408 (GCVE-0-2025-38408)
Vulnerability from cvelistv5
Published
2025-07-25 13:20
Modified
2026-02-06 16:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
genirq/irq_sim: Initialize work context pointers properly
Initialize `ops` member's pointers properly by using kzalloc() instead of
kmalloc() when allocating the simulation work context. Otherwise the
pointers contain random content leading to invalid dereferencing.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 337cbeb2c13eb4cab84f576fd402d7ae4ed31ae1 Version: 337cbeb2c13eb4cab84f576fd402d7ae4ed31ae1 Version: 337cbeb2c13eb4cab84f576fd402d7ae4ed31ae1 Version: 337cbeb2c13eb4cab84f576fd402d7ae4ed31ae1 Version: 337cbeb2c13eb4cab84f576fd402d7ae4ed31ae1 Version: 337cbeb2c13eb4cab84f576fd402d7ae4ed31ae1 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/irq/irq_sim.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "186df821de0f34490ed5fc0861243748b2483861",
"status": "affected",
"version": "337cbeb2c13eb4cab84f576fd402d7ae4ed31ae1",
"versionType": "git"
},
{
"lessThan": "c71aa4bb528ae6f8fd7577a0a39e5a03c60b04fb",
"status": "affected",
"version": "337cbeb2c13eb4cab84f576fd402d7ae4ed31ae1",
"versionType": "git"
},
{
"lessThan": "ec3656a8cb428d763def32bc2fa695f94be23629",
"status": "affected",
"version": "337cbeb2c13eb4cab84f576fd402d7ae4ed31ae1",
"versionType": "git"
},
{
"lessThan": "19bd7597858dd15802c1d99fcc38e528f469080a",
"status": "affected",
"version": "337cbeb2c13eb4cab84f576fd402d7ae4ed31ae1",
"versionType": "git"
},
{
"lessThan": "7f73d1def72532bac4d55ea8838f457a6bed955c",
"status": "affected",
"version": "337cbeb2c13eb4cab84f576fd402d7ae4ed31ae1",
"versionType": "git"
},
{
"lessThan": "8a2277a3c9e4cc5398f80821afe7ecbe9bdf2819",
"status": "affected",
"version": "337cbeb2c13eb4cab84f576fd402d7ae4ed31ae1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/irq/irq_sim.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.37",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.37",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.6",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngenirq/irq_sim: Initialize work context pointers properly\n\nInitialize `ops` member\u0027s pointers properly by using kzalloc() instead of\nkmalloc() when allocating the simulation work context. Otherwise the\npointers contain random content leading to invalid dereferencing."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T16:31:19.423Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/186df821de0f34490ed5fc0861243748b2483861"
},
{
"url": "https://git.kernel.org/stable/c/c71aa4bb528ae6f8fd7577a0a39e5a03c60b04fb"
},
{
"url": "https://git.kernel.org/stable/c/ec3656a8cb428d763def32bc2fa695f94be23629"
},
{
"url": "https://git.kernel.org/stable/c/19bd7597858dd15802c1d99fcc38e528f469080a"
},
{
"url": "https://git.kernel.org/stable/c/7f73d1def72532bac4d55ea8838f457a6bed955c"
},
{
"url": "https://git.kernel.org/stable/c/8a2277a3c9e4cc5398f80821afe7ecbe9bdf2819"
}
],
"title": "genirq/irq_sim: Initialize work context pointers properly",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38408",
"datePublished": "2025-07-25T13:20:13.253Z",
"dateReserved": "2025-04-16T04:51:24.013Z",
"dateUpdated": "2026-02-06T16:31:19.423Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23038 (GCVE-0-2026-23038)
Vulnerability from cvelistv5
Published
2026-01-31 11:42
Modified
2026-02-09 08:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
pnfs/flexfiles: Fix memory leak in nfs4_ff_alloc_deviceid_node()
In nfs4_ff_alloc_deviceid_node(), if the allocation for ds_versions fails,
the function jumps to the out_scratch label without freeing the already
allocated dsaddrs list, leading to a memory leak.
Fix this by jumping to the out_err_drain_dsaddrs label, which properly
frees the dsaddrs list before cleaning up other resources.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: d67ae825a59d639e4d8b82413af84d854617a87e Version: d67ae825a59d639e4d8b82413af84d854617a87e Version: d67ae825a59d639e4d8b82413af84d854617a87e Version: d67ae825a59d639e4d8b82413af84d854617a87e Version: d67ae825a59d639e4d8b82413af84d854617a87e Version: d67ae825a59d639e4d8b82413af84d854617a87e Version: d67ae825a59d639e4d8b82413af84d854617a87e |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfs/flexfilelayout/flexfilelayoutdev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e2dde5dafb80f1af4028ed10ad255f42af71c784",
"status": "affected",
"version": "d67ae825a59d639e4d8b82413af84d854617a87e",
"versionType": "git"
},
{
"lessThan": "27c90d8ed81e7a289c9fe41b5e31d8bb609a3385",
"status": "affected",
"version": "d67ae825a59d639e4d8b82413af84d854617a87e",
"versionType": "git"
},
{
"lessThan": "34b9dd179818ff7af2b36410985fd8166573c62d",
"status": "affected",
"version": "d67ae825a59d639e4d8b82413af84d854617a87e",
"versionType": "git"
},
{
"lessThan": "869862056e100973e76ce9f5f1b01837771b7722",
"status": "affected",
"version": "d67ae825a59d639e4d8b82413af84d854617a87e",
"versionType": "git"
},
{
"lessThan": "86da7efd12295a7e2b4abde5e5984c821edd938f",
"status": "affected",
"version": "d67ae825a59d639e4d8b82413af84d854617a87e",
"versionType": "git"
},
{
"lessThan": "ed5d3f2f6885eb99f729e6ffd946e3aa058bd3eb",
"status": "affected",
"version": "d67ae825a59d639e4d8b82413af84d854617a87e",
"versionType": "git"
},
{
"lessThan": "0c728083654f0066f5e10a1d2b0bd0907af19a58",
"status": "affected",
"version": "d67ae825a59d639e4d8b82413af84d854617a87e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfs/flexfilelayout/flexfilelayoutdev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.0"
},
{
"lessThan": "4.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npnfs/flexfiles: Fix memory leak in nfs4_ff_alloc_deviceid_node()\n\nIn nfs4_ff_alloc_deviceid_node(), if the allocation for ds_versions fails,\nthe function jumps to the out_scratch label without freeing the already\nallocated dsaddrs list, leading to a memory leak.\n\nFix this by jumping to the out_err_drain_dsaddrs label, which properly\nfrees the dsaddrs list before cleaning up other resources."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:37:33.004Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e2dde5dafb80f1af4028ed10ad255f42af71c784"
},
{
"url": "https://git.kernel.org/stable/c/27c90d8ed81e7a289c9fe41b5e31d8bb609a3385"
},
{
"url": "https://git.kernel.org/stable/c/34b9dd179818ff7af2b36410985fd8166573c62d"
},
{
"url": "https://git.kernel.org/stable/c/869862056e100973e76ce9f5f1b01837771b7722"
},
{
"url": "https://git.kernel.org/stable/c/86da7efd12295a7e2b4abde5e5984c821edd938f"
},
{
"url": "https://git.kernel.org/stable/c/ed5d3f2f6885eb99f729e6ffd946e3aa058bd3eb"
},
{
"url": "https://git.kernel.org/stable/c/0c728083654f0066f5e10a1d2b0bd0907af19a58"
}
],
"title": "pnfs/flexfiles: Fix memory leak in nfs4_ff_alloc_deviceid_node()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23038",
"datePublished": "2026-01-31T11:42:32.599Z",
"dateReserved": "2026-01-13T15:37:45.943Z",
"dateUpdated": "2026-02-09T08:37:33.004Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68371 (GCVE-0-2025-68371)
Vulnerability from cvelistv5
Published
2025-12-24 10:33
Modified
2026-02-09 08:32
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: smartpqi: Fix device resources accessed after device removal
Correct possible race conditions during device removal.
Previously, a scheduled work item to reset a LUN could still execute
after the device was removed, leading to use-after-free and other
resource access issues.
This race condition occurs because the abort handler may schedule a LUN
reset concurrently with device removal via sdev_destroy(), leading to
use-after-free and improper access to freed resources.
- Check in the device reset handler if the device is still present in
the controller's SCSI device list before running; if not, the reset
is skipped.
- Cancel any pending TMF work that has not started in sdev_destroy().
- Ensure device freeing in sdev_destroy() is done while holding the
LUN reset mutex to avoid races with ongoing resets.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 2d80f4054f7f901b8ad97358a9069616ac8524c7 Version: 2d80f4054f7f901b8ad97358a9069616ac8524c7 Version: 2d80f4054f7f901b8ad97358a9069616ac8524c7 Version: 2d80f4054f7f901b8ad97358a9069616ac8524c7 Version: 2d80f4054f7f901b8ad97358a9069616ac8524c7 Version: 2d80f4054f7f901b8ad97358a9069616ac8524c7 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/smartpqi/smartpqi_init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7dfa5a5516ec3c6b9b6c22ee18f0eb2df3f38ef2",
"status": "affected",
"version": "2d80f4054f7f901b8ad97358a9069616ac8524c7",
"versionType": "git"
},
{
"lessThan": "6d2390653d82cad0e1ba2676e536dd99678f6ef1",
"status": "affected",
"version": "2d80f4054f7f901b8ad97358a9069616ac8524c7",
"versionType": "git"
},
{
"lessThan": "eccc02ba1747501d92bb2049e3ce378ba372f641",
"status": "affected",
"version": "2d80f4054f7f901b8ad97358a9069616ac8524c7",
"versionType": "git"
},
{
"lessThan": "4e1acf1b6dd6dd0495bda139daafd7a403ae2dc1",
"status": "affected",
"version": "2d80f4054f7f901b8ad97358a9069616ac8524c7",
"versionType": "git"
},
{
"lessThan": "1a5c5a2f88e839af5320216a02ffb075b668596a",
"status": "affected",
"version": "2d80f4054f7f901b8ad97358a9069616ac8524c7",
"versionType": "git"
},
{
"lessThan": "b518e86d1a70a88f6592a7c396cf1b93493d1aab",
"status": "affected",
"version": "2d80f4054f7f901b8ad97358a9069616ac8524c7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/smartpqi/smartpqi_init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: smartpqi: Fix device resources accessed after device removal\n\nCorrect possible race conditions during device removal.\n\nPreviously, a scheduled work item to reset a LUN could still execute\nafter the device was removed, leading to use-after-free and other\nresource access issues.\n\nThis race condition occurs because the abort handler may schedule a LUN\nreset concurrently with device removal via sdev_destroy(), leading to\nuse-after-free and improper access to freed resources.\n\n - Check in the device reset handler if the device is still present in\n the controller\u0027s SCSI device list before running; if not, the reset\n is skipped.\n\n - Cancel any pending TMF work that has not started in sdev_destroy().\n\n - Ensure device freeing in sdev_destroy() is done while holding the\n LUN reset mutex to avoid races with ongoing resets."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:32:08.360Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7dfa5a5516ec3c6b9b6c22ee18f0eb2df3f38ef2"
},
{
"url": "https://git.kernel.org/stable/c/6d2390653d82cad0e1ba2676e536dd99678f6ef1"
},
{
"url": "https://git.kernel.org/stable/c/eccc02ba1747501d92bb2049e3ce378ba372f641"
},
{
"url": "https://git.kernel.org/stable/c/4e1acf1b6dd6dd0495bda139daafd7a403ae2dc1"
},
{
"url": "https://git.kernel.org/stable/c/1a5c5a2f88e839af5320216a02ffb075b668596a"
},
{
"url": "https://git.kernel.org/stable/c/b518e86d1a70a88f6592a7c396cf1b93493d1aab"
}
],
"title": "scsi: smartpqi: Fix device resources accessed after device removal",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68371",
"datePublished": "2025-12-24T10:33:01.896Z",
"dateReserved": "2025-12-16T14:48:05.309Z",
"dateUpdated": "2026-02-09T08:32:08.360Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71080 (GCVE-0-2025-71080)
Vulnerability from cvelistv5
Published
2026-01-13 15:34
Modified
2026-02-09 08:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv6: fix a BUG in rt6_get_pcpu_route() under PREEMPT_RT
On PREEMPT_RT kernels, after rt6_get_pcpu_route() returns NULL, the
current task can be preempted. Another task running on the same CPU
may then execute rt6_make_pcpu_route() and successfully install a
pcpu_rt entry. When the first task resumes execution, its cmpxchg()
in rt6_make_pcpu_route() will fail because rt6i_pcpu is no longer
NULL, triggering the BUG_ON(prev). It's easy to reproduce it by adding
mdelay() after rt6_get_pcpu_route().
Using preempt_disable/enable is not appropriate here because
ip6_rt_pcpu_alloc() may sleep.
Fix this by handling the cmpxchg() failure gracefully on PREEMPT_RT:
free our allocation and return the existing pcpu_rt installed by
another task. The BUG_ON is replaced by WARN_ON_ONCE for non-PREEMPT_RT
kernels where such races should not occur.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1dc33ad0867325f8d2c6d7b2a6f542d4f3121f66",
"status": "affected",
"version": "d2d6422f8bd17c6bb205133e290625a564194496",
"versionType": "git"
},
{
"lessThan": "787515ccb2292f82eb0876993129154629a49651",
"status": "affected",
"version": "d2d6422f8bd17c6bb205133e290625a564194496",
"versionType": "git"
},
{
"lessThan": "1adaea51c61b52e24e7ab38f7d3eba023b2d050d",
"status": "affected",
"version": "d2d6422f8bd17c6bb205133e290625a564194496",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.12"
},
{
"lessThan": "6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: fix a BUG in rt6_get_pcpu_route() under PREEMPT_RT\n\nOn PREEMPT_RT kernels, after rt6_get_pcpu_route() returns NULL, the\ncurrent task can be preempted. Another task running on the same CPU\nmay then execute rt6_make_pcpu_route() and successfully install a\npcpu_rt entry. When the first task resumes execution, its cmpxchg()\nin rt6_make_pcpu_route() will fail because rt6i_pcpu is no longer\nNULL, triggering the BUG_ON(prev). It\u0027s easy to reproduce it by adding\nmdelay() after rt6_get_pcpu_route().\n\nUsing preempt_disable/enable is not appropriate here because\nip6_rt_pcpu_alloc() may sleep.\n\nFix this by handling the cmpxchg() failure gracefully on PREEMPT_RT:\nfree our allocation and return the existing pcpu_rt installed by\nanother task. The BUG_ON is replaced by WARN_ON_ONCE for non-PREEMPT_RT\nkernels where such races should not occur."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:31.425Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1dc33ad0867325f8d2c6d7b2a6f542d4f3121f66"
},
{
"url": "https://git.kernel.org/stable/c/787515ccb2292f82eb0876993129154629a49651"
},
{
"url": "https://git.kernel.org/stable/c/1adaea51c61b52e24e7ab38f7d3eba023b2d050d"
}
],
"title": "ipv6: fix a BUG in rt6_get_pcpu_route() under PREEMPT_RT",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71080",
"datePublished": "2026-01-13T15:34:44.832Z",
"dateReserved": "2026-01-13T15:30:19.648Z",
"dateUpdated": "2026-02-09T08:34:31.425Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22978 (GCVE-0-2026-22978)
Vulnerability from cvelistv5
Published
2026-01-23 15:24
Modified
2026-02-09 08:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: avoid kernel-infoleak from struct iw_point
struct iw_point has a 32bit hole on 64bit arches.
struct iw_point {
void __user *pointer; /* Pointer to the data (in user space) */
__u16 length; /* number of fields or size in bytes */
__u16 flags; /* Optional params */
};
Make sure to zero the structure to avoid disclosing 32bits of kernel data
to user space.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 87de87d5e47f94b4ea647a5bd1bc8dc1f7930db4 Version: 87de87d5e47f94b4ea647a5bd1bc8dc1f7930db4 Version: 87de87d5e47f94b4ea647a5bd1bc8dc1f7930db4 Version: 87de87d5e47f94b4ea647a5bd1bc8dc1f7930db4 Version: 87de87d5e47f94b4ea647a5bd1bc8dc1f7930db4 Version: 87de87d5e47f94b4ea647a5bd1bc8dc1f7930db4 Version: 87de87d5e47f94b4ea647a5bd1bc8dc1f7930db4 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/wireless/wext-core.c",
"net/wireless/wext-priv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d943b5f592767b107ba8c12a902f17431350378c",
"status": "affected",
"version": "87de87d5e47f94b4ea647a5bd1bc8dc1f7930db4",
"versionType": "git"
},
{
"lessThan": "a3827e310b5a73535646ef4a552d53b3c8bf74f6",
"status": "affected",
"version": "87de87d5e47f94b4ea647a5bd1bc8dc1f7930db4",
"versionType": "git"
},
{
"lessThan": "442ceac0393185e9982323f6682a52a53e8462b1",
"status": "affected",
"version": "87de87d5e47f94b4ea647a5bd1bc8dc1f7930db4",
"versionType": "git"
},
{
"lessThan": "d21ec867d84c9f3a9845d7d8c90c9ce35dbe48f8",
"status": "affected",
"version": "87de87d5e47f94b4ea647a5bd1bc8dc1f7930db4",
"versionType": "git"
},
{
"lessThan": "024f71a57d563fbe162e528c8bf2d27e9cac7c7b",
"status": "affected",
"version": "87de87d5e47f94b4ea647a5bd1bc8dc1f7930db4",
"versionType": "git"
},
{
"lessThan": "e3c35177103ead4658b8a62f41e3080d45885464",
"status": "affected",
"version": "87de87d5e47f94b4ea647a5bd1bc8dc1f7930db4",
"versionType": "git"
},
{
"lessThan": "21cbf883d073abbfe09e3924466aa5e0449e7261",
"status": "affected",
"version": "87de87d5e47f94b4ea647a5bd1bc8dc1f7930db4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/wireless/wext-core.c",
"net/wireless/wext-priv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.27"
},
{
"lessThan": "2.6.27",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.27",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: avoid kernel-infoleak from struct iw_point\n\nstruct iw_point has a 32bit hole on 64bit arches.\n\nstruct iw_point {\n void __user *pointer; /* Pointer to the data (in user space) */\n __u16 length; /* number of fields or size in bytes */\n __u16 flags; /* Optional params */\n};\n\nMake sure to zero the structure to avoid disclosing 32bits of kernel data\nto user space."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:28.236Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d943b5f592767b107ba8c12a902f17431350378c"
},
{
"url": "https://git.kernel.org/stable/c/a3827e310b5a73535646ef4a552d53b3c8bf74f6"
},
{
"url": "https://git.kernel.org/stable/c/442ceac0393185e9982323f6682a52a53e8462b1"
},
{
"url": "https://git.kernel.org/stable/c/d21ec867d84c9f3a9845d7d8c90c9ce35dbe48f8"
},
{
"url": "https://git.kernel.org/stable/c/024f71a57d563fbe162e528c8bf2d27e9cac7c7b"
},
{
"url": "https://git.kernel.org/stable/c/e3c35177103ead4658b8a62f41e3080d45885464"
},
{
"url": "https://git.kernel.org/stable/c/21cbf883d073abbfe09e3924466aa5e0449e7261"
}
],
"title": "wifi: avoid kernel-infoleak from struct iw_point",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-22978",
"datePublished": "2026-01-23T15:24:00.482Z",
"dateReserved": "2026-01-13T15:37:45.936Z",
"dateUpdated": "2026-02-09T08:36:28.236Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71185 (GCVE-0-2025-71185)
Vulnerability from cvelistv5
Published
2026-01-31 11:41
Modified
2026-02-09 08:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: ti: dma-crossbar: fix device leak on am335x route allocation
Make sure to drop the reference taken when looking up the crossbar
platform device during am335x route allocation.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 42dbdcc6bf965997c088caff2a8be7f9bf44f701 Version: 42dbdcc6bf965997c088caff2a8be7f9bf44f701 Version: 42dbdcc6bf965997c088caff2a8be7f9bf44f701 Version: 42dbdcc6bf965997c088caff2a8be7f9bf44f701 Version: 42dbdcc6bf965997c088caff2a8be7f9bf44f701 Version: 42dbdcc6bf965997c088caff2a8be7f9bf44f701 Version: 42dbdcc6bf965997c088caff2a8be7f9bf44f701 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/ti/dma-crossbar.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1befa553f1ecc045dc9ff56107ff50162f63f3c0",
"status": "affected",
"version": "42dbdcc6bf965997c088caff2a8be7f9bf44f701",
"versionType": "git"
},
{
"lessThan": "c933aa74d9f8d35e6cda322c38c4a907d37a9a2b",
"status": "affected",
"version": "42dbdcc6bf965997c088caff2a8be7f9bf44f701",
"versionType": "git"
},
{
"lessThan": "43725bd47d984937c429919ae291896d982d1f17",
"status": "affected",
"version": "42dbdcc6bf965997c088caff2a8be7f9bf44f701",
"versionType": "git"
},
{
"lessThan": "6fdf168f57e331e148a1177a9b590a845c21b315",
"status": "affected",
"version": "42dbdcc6bf965997c088caff2a8be7f9bf44f701",
"versionType": "git"
},
{
"lessThan": "f810132e825588fbad3cba940458c58bb7ec4d84",
"status": "affected",
"version": "42dbdcc6bf965997c088caff2a8be7f9bf44f701",
"versionType": "git"
},
{
"lessThan": "30352277d8e09c972436f883a5efd1f1b763ac14",
"status": "affected",
"version": "42dbdcc6bf965997c088caff2a8be7f9bf44f701",
"versionType": "git"
},
{
"lessThan": "4fc17b1c6d2e04ad13fd6c21cfbac68043ec03f9",
"status": "affected",
"version": "42dbdcc6bf965997c088caff2a8be7f9bf44f701",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/ti/dma-crossbar.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.4"
},
{
"lessThan": "4.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: ti: dma-crossbar: fix device leak on am335x route allocation\n\nMake sure to drop the reference taken when looking up the crossbar\nplatform device during am335x route allocation."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:09.661Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1befa553f1ecc045dc9ff56107ff50162f63f3c0"
},
{
"url": "https://git.kernel.org/stable/c/c933aa74d9f8d35e6cda322c38c4a907d37a9a2b"
},
{
"url": "https://git.kernel.org/stable/c/43725bd47d984937c429919ae291896d982d1f17"
},
{
"url": "https://git.kernel.org/stable/c/6fdf168f57e331e148a1177a9b590a845c21b315"
},
{
"url": "https://git.kernel.org/stable/c/f810132e825588fbad3cba940458c58bb7ec4d84"
},
{
"url": "https://git.kernel.org/stable/c/30352277d8e09c972436f883a5efd1f1b763ac14"
},
{
"url": "https://git.kernel.org/stable/c/4fc17b1c6d2e04ad13fd6c21cfbac68043ec03f9"
}
],
"title": "dmaengine: ti: dma-crossbar: fix device leak on am335x route allocation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71185",
"datePublished": "2026-01-31T11:41:57.082Z",
"dateReserved": "2026-01-31T11:36:51.187Z",
"dateUpdated": "2026-02-09T08:36:09.661Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23268 (GCVE-0-2026-23268)
Vulnerability from cvelistv5
Published
2026-03-18 17:54
Modified
2026-04-18 08:57
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
apparmor: fix unprivileged local user can do privileged policy management
An unprivileged local user can load, replace, and remove profiles by
opening the apparmorfs interfaces, via a confused deputy attack, by
passing the opened fd to a privileged process, and getting the
privileged process to write to the interface.
This does require a privileged target that can be manipulated to do
the write for the unprivileged process, but once such access is
achieved full policy management is possible and all the possible
implications that implies: removing confinement, DoS of system or
target applications by denying all execution, by-passing the
unprivileged user namespace restriction, to exploiting kernel bugs for
a local privilege escalation.
The policy management interface can not have its permissions simply
changed from 0666 to 0600 because non-root processes need to be able
to load policy to different policy namespaces.
Instead ensure the task writing the interface has privileges that
are a subset of the task that opened the interface. This is already
done via policy for confined processes, but unconfined can delegate
access to the opened fd, by-passing the usual policy check.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: b7fd2c0340eacbee892425e9007647568b7f2a3c Version: b7fd2c0340eacbee892425e9007647568b7f2a3c Version: b7fd2c0340eacbee892425e9007647568b7f2a3c Version: b7fd2c0340eacbee892425e9007647568b7f2a3c Version: b7fd2c0340eacbee892425e9007647568b7f2a3c Version: b7fd2c0340eacbee892425e9007647568b7f2a3c Version: b7fd2c0340eacbee892425e9007647568b7f2a3c Version: b7fd2c0340eacbee892425e9007647568b7f2a3c |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"security/apparmor/apparmorfs.c",
"security/apparmor/include/policy.h",
"security/apparmor/policy.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a407a078cd41b5261b99d822af784bd9f136eb4d",
"status": "affected",
"version": "b7fd2c0340eacbee892425e9007647568b7f2a3c",
"versionType": "git"
},
{
"lessThan": "4cafce4d6d0a66ec27e3af5637c11901d60189fa",
"status": "affected",
"version": "b7fd2c0340eacbee892425e9007647568b7f2a3c",
"versionType": "git"
},
{
"lessThan": "33ee909702e047c94aaf41d4eea35626d509802c",
"status": "affected",
"version": "b7fd2c0340eacbee892425e9007647568b7f2a3c",
"versionType": "git"
},
{
"lessThan": "17debf5586020790b5717f96e5e6a3ca5bb961ab",
"status": "affected",
"version": "b7fd2c0340eacbee892425e9007647568b7f2a3c",
"versionType": "git"
},
{
"lessThan": "0fc63dd9170643d15c25681fca792539e23f4640",
"status": "affected",
"version": "b7fd2c0340eacbee892425e9007647568b7f2a3c",
"versionType": "git"
},
{
"lessThan": "b60b3f7a35c46b2e0ca934f9c988b8fca06d76c6",
"status": "affected",
"version": "b7fd2c0340eacbee892425e9007647568b7f2a3c",
"versionType": "git"
},
{
"lessThan": "b6a94eeca9c6c8f7c55ad44c62c98324f51ec596",
"status": "affected",
"version": "b7fd2c0340eacbee892425e9007647568b7f2a3c",
"versionType": "git"
},
{
"lessThan": "6601e13e82841879406bf9f369032656f441a425",
"status": "affected",
"version": "b7fd2c0340eacbee892425e9007647568b7f2a3c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"security/apparmor/apparmorfs.c",
"security/apparmor/include/policy.h",
"security/apparmor/policy.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.11"
},
{
"lessThan": "4.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.18",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.8",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: fix unprivileged local user can do privileged policy management\n\nAn unprivileged local user can load, replace, and remove profiles by\nopening the apparmorfs interfaces, via a confused deputy attack, by\npassing the opened fd to a privileged process, and getting the\nprivileged process to write to the interface.\n\nThis does require a privileged target that can be manipulated to do\nthe write for the unprivileged process, but once such access is\nachieved full policy management is possible and all the possible\nimplications that implies: removing confinement, DoS of system or\ntarget applications by denying all execution, by-passing the\nunprivileged user namespace restriction, to exploiting kernel bugs for\na local privilege escalation.\n\nThe policy management interface can not have its permissions simply\nchanged from 0666 to 0600 because non-root processes need to be able\nto load policy to different policy namespaces.\n\nInstead ensure the task writing the interface has privileges that\nare a subset of the task that opened the interface. This is already\ndone via policy for confined processes, but unconfined can delegate\naccess to the opened fd, by-passing the usual policy check."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:57:28.196Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a407a078cd41b5261b99d822af784bd9f136eb4d"
},
{
"url": "https://git.kernel.org/stable/c/4cafce4d6d0a66ec27e3af5637c11901d60189fa"
},
{
"url": "https://git.kernel.org/stable/c/33ee909702e047c94aaf41d4eea35626d509802c"
},
{
"url": "https://git.kernel.org/stable/c/17debf5586020790b5717f96e5e6a3ca5bb961ab"
},
{
"url": "https://git.kernel.org/stable/c/0fc63dd9170643d15c25681fca792539e23f4640"
},
{
"url": "https://git.kernel.org/stable/c/b60b3f7a35c46b2e0ca934f9c988b8fca06d76c6"
},
{
"url": "https://git.kernel.org/stable/c/b6a94eeca9c6c8f7c55ad44c62c98324f51ec596"
},
{
"url": "https://git.kernel.org/stable/c/6601e13e82841879406bf9f369032656f441a425"
},
{
"url": "https://www.qualys.com/2026/03/10/crack-armor.txt"
}
],
"title": "apparmor: fix unprivileged local user can do privileged policy management",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23268",
"datePublished": "2026-03-18T17:54:41.974Z",
"dateReserved": "2026-01-13T15:37:45.991Z",
"dateUpdated": "2026-04-18T08:57:28.196Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23125 (GCVE-0-2026-23125)
Vulnerability from cvelistv5
Published
2026-02-14 15:09
Modified
2026-02-14 15:09
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
sctp: move SCTP_CMD_ASSOC_SHKEY right after SCTP_CMD_PEER_INIT
A null-ptr-deref was reported in the SCTP transmit path when SCTP-AUTH key
initialization fails:
==================================================================
KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
CPU: 0 PID: 16 Comm: ksoftirqd/0 Tainted: G W 6.6.0 #2
RIP: 0010:sctp_packet_bundle_auth net/sctp/output.c:264 [inline]
RIP: 0010:sctp_packet_append_chunk+0xb36/0x1260 net/sctp/output.c:401
Call Trace:
sctp_packet_transmit_chunk+0x31/0x250 net/sctp/output.c:189
sctp_outq_flush_data+0xa29/0x26d0 net/sctp/outqueue.c:1111
sctp_outq_flush+0xc80/0x1240 net/sctp/outqueue.c:1217
sctp_cmd_interpreter.isra.0+0x19a5/0x62c0 net/sctp/sm_sideeffect.c:1787
sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline]
sctp_do_sm+0x1a3/0x670 net/sctp/sm_sideeffect.c:1169
sctp_assoc_bh_rcv+0x33e/0x640 net/sctp/associola.c:1052
sctp_inq_push+0x1dd/0x280 net/sctp/inqueue.c:88
sctp_rcv+0x11ae/0x3100 net/sctp/input.c:243
sctp6_rcv+0x3d/0x60 net/sctp/ipv6.c:1127
The issue is triggered when sctp_auth_asoc_init_active_key() fails in
sctp_sf_do_5_1C_ack() while processing an INIT_ACK. In this case, the
command sequence is currently:
- SCTP_CMD_PEER_INIT
- SCTP_CMD_TIMER_STOP (T1_INIT)
- SCTP_CMD_TIMER_START (T1_COOKIE)
- SCTP_CMD_NEW_STATE (COOKIE_ECHOED)
- SCTP_CMD_ASSOC_SHKEY
- SCTP_CMD_GEN_COOKIE_ECHO
If SCTP_CMD_ASSOC_SHKEY fails, asoc->shkey remains NULL, while
asoc->peer.auth_capable and asoc->peer.peer_chunks have already been set by
SCTP_CMD_PEER_INIT. This allows a DATA chunk with auth = 1 and shkey = NULL
to be queued by sctp_datamsg_from_user().
Since command interpretation stops on failure, no COOKIE_ECHO should been
sent via SCTP_CMD_GEN_COOKIE_ECHO. However, the T1_COOKIE timer has already
been started, and it may enqueue a COOKIE_ECHO into the outqueue later. As
a result, the DATA chunk can be transmitted together with the COOKIE_ECHO
in sctp_outq_flush_data(), leading to the observed issue.
Similar to the other places where it calls sctp_auth_asoc_init_active_key()
right after sctp_process_init(), this patch moves the SCTP_CMD_ASSOC_SHKEY
immediately after SCTP_CMD_PEER_INIT, before stopping T1_INIT and starting
T1_COOKIE. This ensures that if shared key generation fails, authenticated
DATA cannot be sent. It also allows the T1_INIT timer to retransmit INIT,
giving the client another chance to process INIT_ACK and retry key setup.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5 Version: 730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5 Version: 730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5 Version: 730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5 Version: 730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5 Version: 730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5 Version: 730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sctp/sm_statefuns.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5a309bedf02ee08b0653215f06c94d61ec7a214a",
"status": "affected",
"version": "730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5",
"versionType": "git"
},
{
"lessThan": "784428ab1889eb185a1459e9d6bc52df33d572ef",
"status": "affected",
"version": "730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5",
"versionType": "git"
},
{
"lessThan": "e94294798548e8cfbd80869e1d2f97efce92582c",
"status": "affected",
"version": "730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5",
"versionType": "git"
},
{
"lessThan": "e7e81abbcc5620c9532080538f9709a6ea382855",
"status": "affected",
"version": "730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5",
"versionType": "git"
},
{
"lessThan": "bf2b543b3cc4ebb4ab5bca4f8dfa5612035d45b8",
"status": "affected",
"version": "730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5",
"versionType": "git"
},
{
"lessThan": "0c4adb1f391a7b92a0405e9d7c05624c0d9f8a65",
"status": "affected",
"version": "730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5",
"versionType": "git"
},
{
"lessThan": "a80c9d945aef55b23b54838334345f20251dad83",
"status": "affected",
"version": "730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sctp/sm_statefuns.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.24"
},
{
"lessThan": "2.6.24",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.24",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: move SCTP_CMD_ASSOC_SHKEY right after SCTP_CMD_PEER_INIT\n\nA null-ptr-deref was reported in the SCTP transmit path when SCTP-AUTH key\ninitialization fails:\n\n ==================================================================\n KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]\n CPU: 0 PID: 16 Comm: ksoftirqd/0 Tainted: G W 6.6.0 #2\n RIP: 0010:sctp_packet_bundle_auth net/sctp/output.c:264 [inline]\n RIP: 0010:sctp_packet_append_chunk+0xb36/0x1260 net/sctp/output.c:401\n Call Trace:\n\n sctp_packet_transmit_chunk+0x31/0x250 net/sctp/output.c:189\n sctp_outq_flush_data+0xa29/0x26d0 net/sctp/outqueue.c:1111\n sctp_outq_flush+0xc80/0x1240 net/sctp/outqueue.c:1217\n sctp_cmd_interpreter.isra.0+0x19a5/0x62c0 net/sctp/sm_sideeffect.c:1787\n sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline]\n sctp_do_sm+0x1a3/0x670 net/sctp/sm_sideeffect.c:1169\n sctp_assoc_bh_rcv+0x33e/0x640 net/sctp/associola.c:1052\n sctp_inq_push+0x1dd/0x280 net/sctp/inqueue.c:88\n sctp_rcv+0x11ae/0x3100 net/sctp/input.c:243\n sctp6_rcv+0x3d/0x60 net/sctp/ipv6.c:1127\n\nThe issue is triggered when sctp_auth_asoc_init_active_key() fails in\nsctp_sf_do_5_1C_ack() while processing an INIT_ACK. In this case, the\ncommand sequence is currently:\n\n- SCTP_CMD_PEER_INIT\n- SCTP_CMD_TIMER_STOP (T1_INIT)\n- SCTP_CMD_TIMER_START (T1_COOKIE)\n- SCTP_CMD_NEW_STATE (COOKIE_ECHOED)\n- SCTP_CMD_ASSOC_SHKEY\n- SCTP_CMD_GEN_COOKIE_ECHO\n\nIf SCTP_CMD_ASSOC_SHKEY fails, asoc-\u003eshkey remains NULL, while\nasoc-\u003epeer.auth_capable and asoc-\u003epeer.peer_chunks have already been set by\nSCTP_CMD_PEER_INIT. This allows a DATA chunk with auth = 1 and shkey = NULL\nto be queued by sctp_datamsg_from_user().\n\nSince command interpretation stops on failure, no COOKIE_ECHO should been\nsent via SCTP_CMD_GEN_COOKIE_ECHO. However, the T1_COOKIE timer has already\nbeen started, and it may enqueue a COOKIE_ECHO into the outqueue later. As\na result, the DATA chunk can be transmitted together with the COOKIE_ECHO\nin sctp_outq_flush_data(), leading to the observed issue.\n\nSimilar to the other places where it calls sctp_auth_asoc_init_active_key()\nright after sctp_process_init(), this patch moves the SCTP_CMD_ASSOC_SHKEY\nimmediately after SCTP_CMD_PEER_INIT, before stopping T1_INIT and starting\nT1_COOKIE. This ensures that if shared key generation fails, authenticated\nDATA cannot be sent. It also allows the T1_INIT timer to retransmit INIT,\ngiving the client another chance to process INIT_ACK and retry key setup."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T15:09:54.756Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5a309bedf02ee08b0653215f06c94d61ec7a214a"
},
{
"url": "https://git.kernel.org/stable/c/784428ab1889eb185a1459e9d6bc52df33d572ef"
},
{
"url": "https://git.kernel.org/stable/c/e94294798548e8cfbd80869e1d2f97efce92582c"
},
{
"url": "https://git.kernel.org/stable/c/e7e81abbcc5620c9532080538f9709a6ea382855"
},
{
"url": "https://git.kernel.org/stable/c/bf2b543b3cc4ebb4ab5bca4f8dfa5612035d45b8"
},
{
"url": "https://git.kernel.org/stable/c/0c4adb1f391a7b92a0405e9d7c05624c0d9f8a65"
},
{
"url": "https://git.kernel.org/stable/c/a80c9d945aef55b23b54838334345f20251dad83"
}
],
"title": "sctp: move SCTP_CMD_ASSOC_SHKEY right after SCTP_CMD_PEER_INIT",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23125",
"datePublished": "2026-02-14T15:09:54.756Z",
"dateReserved": "2026-01-13T15:37:45.970Z",
"dateUpdated": "2026-02-14T15:09:54.756Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39980 (GCVE-0-2025-39980)
Vulnerability from cvelistv5
Published
2025-10-15 07:56
Modified
2025-10-15 07:56
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nexthop: Forbid FDB status change while nexthop is in a group
The kernel forbids the creation of non-FDB nexthop groups with FDB
nexthops:
# ip nexthop add id 1 via 192.0.2.1 fdb
# ip nexthop add id 2 group 1
Error: Non FDB nexthop group cannot have fdb nexthops.
And vice versa:
# ip nexthop add id 3 via 192.0.2.2 dev dummy1
# ip nexthop add id 4 group 3 fdb
Error: FDB nexthop group can only have fdb nexthops.
However, as long as no routes are pointing to a non-FDB nexthop group,
the kernel allows changing the type of a nexthop from FDB to non-FDB and
vice versa:
# ip nexthop add id 5 via 192.0.2.2 dev dummy1
# ip nexthop add id 6 group 5
# ip nexthop replace id 5 via 192.0.2.2 fdb
# echo $?
0
This configuration is invalid and can result in a NPD [1] since FDB
nexthops are not associated with a nexthop device:
# ip route add 198.51.100.1/32 nhid 6
# ping 198.51.100.1
Fix by preventing nexthop FDB status change while the nexthop is in a
group:
# ip nexthop add id 7 via 192.0.2.2 dev dummy1
# ip nexthop add id 8 group 7
# ip nexthop replace id 7 via 192.0.2.2 fdb
Error: Cannot change nexthop FDB status while in a group.
[1]
BUG: kernel NULL pointer dereference, address: 00000000000003c0
[...]
Oops: Oops: 0000 [#1] SMP
CPU: 6 UID: 0 PID: 367 Comm: ping Not tainted 6.17.0-rc6-virtme-gb65678cacc03 #1 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc41 04/01/2014
RIP: 0010:fib_lookup_good_nhc+0x1e/0x80
[...]
Call Trace:
<TASK>
fib_table_lookup+0x541/0x650
ip_route_output_key_hash_rcu+0x2ea/0x970
ip_route_output_key_hash+0x55/0x80
__ip4_datagram_connect+0x250/0x330
udp_connect+0x2b/0x60
__sys_connect+0x9c/0xd0
__x64_sys_connect+0x18/0x20
do_syscall_64+0xa4/0x2a0
entry_SYSCALL_64_after_hwframe+0x4b/0x53
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 38428d68719c454d269cb03b776d8a4b0ad66111 Version: 38428d68719c454d269cb03b776d8a4b0ad66111 Version: 38428d68719c454d269cb03b776d8a4b0ad66111 Version: 38428d68719c454d269cb03b776d8a4b0ad66111 Version: 38428d68719c454d269cb03b776d8a4b0ad66111 Version: 38428d68719c454d269cb03b776d8a4b0ad66111 Version: 38428d68719c454d269cb03b776d8a4b0ad66111 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/nexthop.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e1e87ac0daacd51f522ecd1645cd76b5809303ed",
"status": "affected",
"version": "38428d68719c454d269cb03b776d8a4b0ad66111",
"versionType": "git"
},
{
"lessThan": "0e7bfe7a268ccbd7859730c529161cafbf44637c",
"status": "affected",
"version": "38428d68719c454d269cb03b776d8a4b0ad66111",
"versionType": "git"
},
{
"lessThan": "ec428fff792b7bd15b248dafca2e654b666b1304",
"status": "affected",
"version": "38428d68719c454d269cb03b776d8a4b0ad66111",
"versionType": "git"
},
{
"lessThan": "24046d31f6f92220852d393d510b6062843e3fbd",
"status": "affected",
"version": "38428d68719c454d269cb03b776d8a4b0ad66111",
"versionType": "git"
},
{
"lessThan": "f0e49fd13afe9dea7a09a1c9537fd00cea22badb",
"status": "affected",
"version": "38428d68719c454d269cb03b776d8a4b0ad66111",
"versionType": "git"
},
{
"lessThan": "8dd4aa0122885f710930de135af2adc4ccc3238f",
"status": "affected",
"version": "38428d68719c454d269cb03b776d8a4b0ad66111",
"versionType": "git"
},
{
"lessThan": "390b3a300d7872cef9588f003b204398be69ce08",
"status": "affected",
"version": "38428d68719c454d269cb03b776d8a4b0ad66111",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/nexthop.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.155",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.50",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.155",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.109",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnexthop: Forbid FDB status change while nexthop is in a group\n\nThe kernel forbids the creation of non-FDB nexthop groups with FDB\nnexthops:\n\n # ip nexthop add id 1 via 192.0.2.1 fdb\n # ip nexthop add id 2 group 1\n Error: Non FDB nexthop group cannot have fdb nexthops.\n\nAnd vice versa:\n\n # ip nexthop add id 3 via 192.0.2.2 dev dummy1\n # ip nexthop add id 4 group 3 fdb\n Error: FDB nexthop group can only have fdb nexthops.\n\nHowever, as long as no routes are pointing to a non-FDB nexthop group,\nthe kernel allows changing the type of a nexthop from FDB to non-FDB and\nvice versa:\n\n # ip nexthop add id 5 via 192.0.2.2 dev dummy1\n # ip nexthop add id 6 group 5\n # ip nexthop replace id 5 via 192.0.2.2 fdb\n # echo $?\n 0\n\nThis configuration is invalid and can result in a NPD [1] since FDB\nnexthops are not associated with a nexthop device:\n\n # ip route add 198.51.100.1/32 nhid 6\n # ping 198.51.100.1\n\nFix by preventing nexthop FDB status change while the nexthop is in a\ngroup:\n\n # ip nexthop add id 7 via 192.0.2.2 dev dummy1\n # ip nexthop add id 8 group 7\n # ip nexthop replace id 7 via 192.0.2.2 fdb\n Error: Cannot change nexthop FDB status while in a group.\n\n[1]\nBUG: kernel NULL pointer dereference, address: 00000000000003c0\n[...]\nOops: Oops: 0000 [#1] SMP\nCPU: 6 UID: 0 PID: 367 Comm: ping Not tainted 6.17.0-rc6-virtme-gb65678cacc03 #1 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc41 04/01/2014\nRIP: 0010:fib_lookup_good_nhc+0x1e/0x80\n[...]\nCall Trace:\n \u003cTASK\u003e\n fib_table_lookup+0x541/0x650\n ip_route_output_key_hash_rcu+0x2ea/0x970\n ip_route_output_key_hash+0x55/0x80\n __ip4_datagram_connect+0x250/0x330\n udp_connect+0x2b/0x60\n __sys_connect+0x9c/0xd0\n __x64_sys_connect+0x18/0x20\n do_syscall_64+0xa4/0x2a0\n entry_SYSCALL_64_after_hwframe+0x4b/0x53"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T07:56:00.275Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e1e87ac0daacd51f522ecd1645cd76b5809303ed"
},
{
"url": "https://git.kernel.org/stable/c/0e7bfe7a268ccbd7859730c529161cafbf44637c"
},
{
"url": "https://git.kernel.org/stable/c/ec428fff792b7bd15b248dafca2e654b666b1304"
},
{
"url": "https://git.kernel.org/stable/c/24046d31f6f92220852d393d510b6062843e3fbd"
},
{
"url": "https://git.kernel.org/stable/c/f0e49fd13afe9dea7a09a1c9537fd00cea22badb"
},
{
"url": "https://git.kernel.org/stable/c/8dd4aa0122885f710930de135af2adc4ccc3238f"
},
{
"url": "https://git.kernel.org/stable/c/390b3a300d7872cef9588f003b204398be69ce08"
}
],
"title": "nexthop: Forbid FDB status change while nexthop is in a group",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39980",
"datePublished": "2025-10-15T07:56:00.275Z",
"dateReserved": "2025-04-16T07:20:57.150Z",
"dateUpdated": "2025-10-15T07:56:00.275Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-68168 (GCVE-0-2025-68168)
Vulnerability from cvelistv5
Published
2025-12-16 13:42
Modified
2026-01-02 15:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
jfs: fix uninitialized waitqueue in transaction manager
The transaction manager initialization in txInit() was not properly
initializing TxBlock[0].waitor waitqueue, causing a crash when
txEnd(0) is called on read-only filesystems.
When a filesystem is mounted read-only, txBegin() returns tid=0 to
indicate no transaction. However, txEnd(0) still gets called and
tries to access TxBlock[0].waitor via tid_to_tblock(0), but this
waitqueue was never initialized because the initialization loop
started at index 1 instead of 0.
This causes a 'non-static key' lockdep warning and system crash:
INFO: trying to register non-static key in txEnd
Fix by ensuring all transaction blocks including TxBlock[0] have
their waitqueues properly initialized during txInit().
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 2a8807f9f511c64de0c7cc9900a1683e3d72a3e5 Version: 5c094ca994824e038b6a97835ded4e5d1d808504 Version: 2febd5f81e4bfba61d9f374dcca628aff374cc56 Version: aa7cdf487ab3fa47284daaccc3d7d5de01c6a84c Version: 95e2b352c03b0a86c5717ba1d24ea20969abcacc Version: 95e2b352c03b0a86c5717ba1d24ea20969abcacc Version: 95e2b352c03b0a86c5717ba1d24ea20969abcacc Version: 95e2b352c03b0a86c5717ba1d24ea20969abcacc Version: a88efca805bea93cea9187dfd00835aa7093bf1b Version: 97c1f26e4d4af55e8584e4646dd5c5fa7baf62c7 Version: b0ed8ed0428ee96092da6fefa5cfacbe4abed701 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/jfs/jfs_txnmgr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d6af7fce2e162ac68e85d3a11eb6ac8c35b24b64",
"status": "affected",
"version": "2a8807f9f511c64de0c7cc9900a1683e3d72a3e5",
"versionType": "git"
},
{
"lessThan": "8cae9cf23e0bd424ac904e753639a587543ce03a",
"status": "affected",
"version": "5c094ca994824e038b6a97835ded4e5d1d808504",
"versionType": "git"
},
{
"lessThan": "a2aa97cde9857f881920635a2e3d3b11769619c5",
"status": "affected",
"version": "2febd5f81e4bfba61d9f374dcca628aff374cc56",
"versionType": "git"
},
{
"lessThan": "d2dd7ca05a11685c314e62802a55e8d67a90e974",
"status": "affected",
"version": "aa7cdf487ab3fa47284daaccc3d7d5de01c6a84c",
"versionType": "git"
},
{
"lessThan": "2a9575a372182ca075070b3cd77490dcf0c951e7",
"status": "affected",
"version": "95e2b352c03b0a86c5717ba1d24ea20969abcacc",
"versionType": "git"
},
{
"lessThan": "cbf2f527ae4ca7c7dabce42e85e8deb58588a37e",
"status": "affected",
"version": "95e2b352c03b0a86c5717ba1d24ea20969abcacc",
"versionType": "git"
},
{
"lessThan": "038861414ab383b41dd35abbf9ff0ef715592d53",
"status": "affected",
"version": "95e2b352c03b0a86c5717ba1d24ea20969abcacc",
"versionType": "git"
},
{
"lessThan": "300b072df72694ea330c4c673c035253e07827b8",
"status": "affected",
"version": "95e2b352c03b0a86c5717ba1d24ea20969abcacc",
"versionType": "git"
},
{
"status": "affected",
"version": "a88efca805bea93cea9187dfd00835aa7093bf1b",
"versionType": "git"
},
{
"status": "affected",
"version": "97c1f26e4d4af55e8584e4646dd5c5fa7baf62c7",
"versionType": "git"
},
{
"status": "affected",
"version": "b0ed8ed0428ee96092da6fefa5cfacbe4abed701",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/jfs/jfs_txnmgr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "5.4.255",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.10.192",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.15.123",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "6.1.42",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.324",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.293",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: fix uninitialized waitqueue in transaction manager\n\nThe transaction manager initialization in txInit() was not properly\ninitializing TxBlock[0].waitor waitqueue, causing a crash when\ntxEnd(0) is called on read-only filesystems.\n\nWhen a filesystem is mounted read-only, txBegin() returns tid=0 to\nindicate no transaction. However, txEnd(0) still gets called and\ntries to access TxBlock[0].waitor via tid_to_tblock(0), but this\nwaitqueue was never initialized because the initialization loop\nstarted at index 1 instead of 0.\n\nThis causes a \u0027non-static key\u0027 lockdep warning and system crash:\n INFO: trying to register non-static key in txEnd\n\nFix by ensuring all transaction blocks including TxBlock[0] have\ntheir waitqueues properly initialized during txInit()."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:58.903Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d6af7fce2e162ac68e85d3a11eb6ac8c35b24b64"
},
{
"url": "https://git.kernel.org/stable/c/8cae9cf23e0bd424ac904e753639a587543ce03a"
},
{
"url": "https://git.kernel.org/stable/c/a2aa97cde9857f881920635a2e3d3b11769619c5"
},
{
"url": "https://git.kernel.org/stable/c/d2dd7ca05a11685c314e62802a55e8d67a90e974"
},
{
"url": "https://git.kernel.org/stable/c/2a9575a372182ca075070b3cd77490dcf0c951e7"
},
{
"url": "https://git.kernel.org/stable/c/cbf2f527ae4ca7c7dabce42e85e8deb58588a37e"
},
{
"url": "https://git.kernel.org/stable/c/038861414ab383b41dd35abbf9ff0ef715592d53"
},
{
"url": "https://git.kernel.org/stable/c/300b072df72694ea330c4c673c035253e07827b8"
}
],
"title": "jfs: fix uninitialized waitqueue in transaction manager",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68168",
"datePublished": "2025-12-16T13:42:48.350Z",
"dateReserved": "2025-12-16T13:41:40.250Z",
"dateUpdated": "2026-01-02T15:33:58.903Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23061 (GCVE-0-2026-23061)
Vulnerability from cvelistv5
Published
2026-02-04 16:07
Modified
2026-02-09 08:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: kvaser_usb: kvaser_usb_read_bulk_callback(): fix URB memory leak
Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb:
gs_usb_receive_bulk_callback(): fix URB memory leak").
In kvaser_usb_set_{,data_}bittiming() -> kvaser_usb_setup_rx_urbs(), the
URBs for USB-in transfers are allocated, added to the dev->rx_submitted
anchor and submitted. In the complete callback
kvaser_usb_read_bulk_callback(), the URBs are processed and resubmitted. In
kvaser_usb_remove_interfaces() the URBs are freed by calling
usb_kill_anchored_urbs(&dev->rx_submitted).
However, this does not take into account that the USB framework unanchors
the URB before the complete function is called. This means that once an
in-URB has been completed, it is no longer anchored and is ultimately not
released in usb_kill_anchored_urbs().
Fix the memory leak by anchoring the URB in the
kvaser_usb_read_bulk_callback() to the dev->rx_submitted anchor.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 080f40a6fa28dab299da7a652e444b1e2d9231e7 Version: 080f40a6fa28dab299da7a652e444b1e2d9231e7 Version: 080f40a6fa28dab299da7a652e444b1e2d9231e7 Version: 080f40a6fa28dab299da7a652e444b1e2d9231e7 Version: 080f40a6fa28dab299da7a652e444b1e2d9231e7 Version: 080f40a6fa28dab299da7a652e444b1e2d9231e7 Version: 080f40a6fa28dab299da7a652e444b1e2d9231e7 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d9d824582f2ec76459ffab449e9b05c7bc49645c",
"status": "affected",
"version": "080f40a6fa28dab299da7a652e444b1e2d9231e7",
"versionType": "git"
},
{
"lessThan": "40a3334ffda479c63e416e61ff086485e24401f7",
"status": "affected",
"version": "080f40a6fa28dab299da7a652e444b1e2d9231e7",
"versionType": "git"
},
{
"lessThan": "c1b39fa24c140bc616f51fef4175c1743e2bb132",
"status": "affected",
"version": "080f40a6fa28dab299da7a652e444b1e2d9231e7",
"versionType": "git"
},
{
"lessThan": "7c308f7530bffafa994e0aa8dc651a312f4b9ff4",
"status": "affected",
"version": "080f40a6fa28dab299da7a652e444b1e2d9231e7",
"versionType": "git"
},
{
"lessThan": "94a7fc42e21c7d9d1c49778cd1db52de5df52a01",
"status": "affected",
"version": "080f40a6fa28dab299da7a652e444b1e2d9231e7",
"versionType": "git"
},
{
"lessThan": "3b1a593eab941c3f32417896cc7df564191f2482",
"status": "affected",
"version": "080f40a6fa28dab299da7a652e444b1e2d9231e7",
"versionType": "git"
},
{
"lessThan": "248e8e1a125fa875158df521b30f2cc7e27eeeaa",
"status": "affected",
"version": "080f40a6fa28dab299da7a652e444b1e2d9231e7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: kvaser_usb: kvaser_usb_read_bulk_callback(): fix URB memory leak\n\nFix similar memory leak as in commit 7352e1d5932a (\"can: gs_usb:\ngs_usb_receive_bulk_callback(): fix URB memory leak\").\n\nIn kvaser_usb_set_{,data_}bittiming() -\u003e kvaser_usb_setup_rx_urbs(), the\nURBs for USB-in transfers are allocated, added to the dev-\u003erx_submitted\nanchor and submitted. In the complete callback\nkvaser_usb_read_bulk_callback(), the URBs are processed and resubmitted. In\nkvaser_usb_remove_interfaces() the URBs are freed by calling\nusb_kill_anchored_urbs(\u0026dev-\u003erx_submitted).\n\nHowever, this does not take into account that the USB framework unanchors\nthe URB before the complete function is called. This means that once an\nin-URB has been completed, it is no longer anchored and is ultimately not\nreleased in usb_kill_anchored_urbs().\n\nFix the memory leak by anchoring the URB in the\nkvaser_usb_read_bulk_callback() to the dev-\u003erx_submitted anchor."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:37:59.685Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d9d824582f2ec76459ffab449e9b05c7bc49645c"
},
{
"url": "https://git.kernel.org/stable/c/40a3334ffda479c63e416e61ff086485e24401f7"
},
{
"url": "https://git.kernel.org/stable/c/c1b39fa24c140bc616f51fef4175c1743e2bb132"
},
{
"url": "https://git.kernel.org/stable/c/7c308f7530bffafa994e0aa8dc651a312f4b9ff4"
},
{
"url": "https://git.kernel.org/stable/c/94a7fc42e21c7d9d1c49778cd1db52de5df52a01"
},
{
"url": "https://git.kernel.org/stable/c/3b1a593eab941c3f32417896cc7df564191f2482"
},
{
"url": "https://git.kernel.org/stable/c/248e8e1a125fa875158df521b30f2cc7e27eeeaa"
}
],
"title": "can: kvaser_usb: kvaser_usb_read_bulk_callback(): fix URB memory leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23061",
"datePublished": "2026-02-04T16:07:43.626Z",
"dateReserved": "2026-01-13T15:37:45.952Z",
"dateUpdated": "2026-02-09T08:37:59.685Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68740 (GCVE-0-2025-68740)
Vulnerability from cvelistv5
Published
2025-12-24 12:09
Modified
2026-02-09 08:32
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ima: Handle error code returned by ima_filter_rule_match()
In ima_match_rules(), if ima_filter_rule_match() returns -ENOENT due to
the rule being NULL, the function incorrectly skips the 'if (!rc)' check
and sets 'result = true'. The LSM rule is considered a match, causing
extra files to be measured by IMA.
This issue can be reproduced in the following scenario:
After unloading the SELinux policy module via 'semodule -d', if an IMA
measurement is triggered before ima_lsm_rules is updated,
in ima_match_rules(), the first call to ima_filter_rule_match() returns
-ESTALE. This causes the code to enter the 'if (rc == -ESTALE &&
!rule_reinitialized)' block, perform ima_lsm_copy_rule() and retry. In
ima_lsm_copy_rule(), since the SELinux module has been removed, the rule
becomes NULL, and the second call to ima_filter_rule_match() returns
-ENOENT. This bypasses the 'if (!rc)' check and results in a false match.
Call trace:
selinux_audit_rule_match+0x310/0x3b8
security_audit_rule_match+0x60/0xa0
ima_match_rules+0x2e4/0x4a0
ima_match_policy+0x9c/0x1e8
ima_get_action+0x48/0x60
process_measurement+0xf8/0xa98
ima_bprm_check+0x98/0xd8
security_bprm_check+0x5c/0x78
search_binary_handler+0x6c/0x318
exec_binprm+0x58/0x1b8
bprm_execve+0xb8/0x130
do_execveat_common.isra.0+0x1a8/0x258
__arm64_sys_execve+0x48/0x68
invoke_syscall+0x50/0x128
el0_svc_common.constprop.0+0xc8/0xf0
do_el0_svc+0x24/0x38
el0_svc+0x44/0x200
el0t_64_sync_handler+0x100/0x130
el0t_64_sync+0x3c8/0x3d0
Fix this by changing 'if (!rc)' to 'if (rc <= 0)' to ensure that error
codes like -ENOENT do not bypass the check and accidentally result in a
successful match.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 4af4662fa4a9dc62289c580337ae2506339c4729 Version: 4af4662fa4a9dc62289c580337ae2506339c4729 Version: 4af4662fa4a9dc62289c580337ae2506339c4729 Version: 4af4662fa4a9dc62289c580337ae2506339c4729 Version: 4af4662fa4a9dc62289c580337ae2506339c4729 Version: 4af4662fa4a9dc62289c580337ae2506339c4729 Version: 4af4662fa4a9dc62289c580337ae2506339c4729 Version: 4af4662fa4a9dc62289c580337ae2506339c4729 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"security/integrity/ima/ima_policy.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d14e0ec6a6828ee0dffa163fb5d513c9a21f0a51",
"status": "affected",
"version": "4af4662fa4a9dc62289c580337ae2506339c4729",
"versionType": "git"
},
{
"lessThan": "f2f4627b74c120fcdd8e1db93bc91f9bbaf46f85",
"status": "affected",
"version": "4af4662fa4a9dc62289c580337ae2506339c4729",
"versionType": "git"
},
{
"lessThan": "88cd5fbf5869731be8fc6f7cecb4e0d6ab3d8749",
"status": "affected",
"version": "4af4662fa4a9dc62289c580337ae2506339c4729",
"versionType": "git"
},
{
"lessThan": "cca3e7df3c0f99542033657ba850b9a6d27f8784",
"status": "affected",
"version": "4af4662fa4a9dc62289c580337ae2506339c4729",
"versionType": "git"
},
{
"lessThan": "c2238d487a640ae3511e1b6f4640ab27ce10d7f6",
"status": "affected",
"version": "4af4662fa4a9dc62289c580337ae2506339c4729",
"versionType": "git"
},
{
"lessThan": "de4431faf308d0c533cb386f5fa9af009bc86158",
"status": "affected",
"version": "4af4662fa4a9dc62289c580337ae2506339c4729",
"versionType": "git"
},
{
"lessThan": "32952c4f4d1b2deb30dce72ba109da808a9018e1",
"status": "affected",
"version": "4af4662fa4a9dc62289c580337ae2506339c4729",
"versionType": "git"
},
{
"lessThan": "738c9738e690f5cea24a3ad6fd2d9a323cf614f6",
"status": "affected",
"version": "4af4662fa4a9dc62289c580337ae2506339c4729",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"security/integrity/ima/ima_policy.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.30"
},
{
"lessThan": "2.6.30",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.30",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nima: Handle error code returned by ima_filter_rule_match()\n\nIn ima_match_rules(), if ima_filter_rule_match() returns -ENOENT due to\nthe rule being NULL, the function incorrectly skips the \u0027if (!rc)\u0027 check\nand sets \u0027result = true\u0027. The LSM rule is considered a match, causing\nextra files to be measured by IMA.\n\nThis issue can be reproduced in the following scenario:\nAfter unloading the SELinux policy module via \u0027semodule -d\u0027, if an IMA\nmeasurement is triggered before ima_lsm_rules is updated,\nin ima_match_rules(), the first call to ima_filter_rule_match() returns\n-ESTALE. This causes the code to enter the \u0027if (rc == -ESTALE \u0026\u0026\n!rule_reinitialized)\u0027 block, perform ima_lsm_copy_rule() and retry. In\nima_lsm_copy_rule(), since the SELinux module has been removed, the rule\nbecomes NULL, and the second call to ima_filter_rule_match() returns\n-ENOENT. This bypasses the \u0027if (!rc)\u0027 check and results in a false match.\n\nCall trace:\n selinux_audit_rule_match+0x310/0x3b8\n security_audit_rule_match+0x60/0xa0\n ima_match_rules+0x2e4/0x4a0\n ima_match_policy+0x9c/0x1e8\n ima_get_action+0x48/0x60\n process_measurement+0xf8/0xa98\n ima_bprm_check+0x98/0xd8\n security_bprm_check+0x5c/0x78\n search_binary_handler+0x6c/0x318\n exec_binprm+0x58/0x1b8\n bprm_execve+0xb8/0x130\n do_execveat_common.isra.0+0x1a8/0x258\n __arm64_sys_execve+0x48/0x68\n invoke_syscall+0x50/0x128\n el0_svc_common.constprop.0+0xc8/0xf0\n do_el0_svc+0x24/0x38\n el0_svc+0x44/0x200\n el0t_64_sync_handler+0x100/0x130\n el0t_64_sync+0x3c8/0x3d0\n\nFix this by changing \u0027if (!rc)\u0027 to \u0027if (rc \u003c= 0)\u0027 to ensure that error\ncodes like -ENOENT do not bypass the check and accidentally result in a\nsuccessful match."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:32:44.070Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d14e0ec6a6828ee0dffa163fb5d513c9a21f0a51"
},
{
"url": "https://git.kernel.org/stable/c/f2f4627b74c120fcdd8e1db93bc91f9bbaf46f85"
},
{
"url": "https://git.kernel.org/stable/c/88cd5fbf5869731be8fc6f7cecb4e0d6ab3d8749"
},
{
"url": "https://git.kernel.org/stable/c/cca3e7df3c0f99542033657ba850b9a6d27f8784"
},
{
"url": "https://git.kernel.org/stable/c/c2238d487a640ae3511e1b6f4640ab27ce10d7f6"
},
{
"url": "https://git.kernel.org/stable/c/de4431faf308d0c533cb386f5fa9af009bc86158"
},
{
"url": "https://git.kernel.org/stable/c/32952c4f4d1b2deb30dce72ba109da808a9018e1"
},
{
"url": "https://git.kernel.org/stable/c/738c9738e690f5cea24a3ad6fd2d9a323cf614f6"
}
],
"title": "ima: Handle error code returned by ima_filter_rule_match()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68740",
"datePublished": "2025-12-24T12:09:37.971Z",
"dateReserved": "2025-12-24T10:30:51.030Z",
"dateUpdated": "2026-02-09T08:32:44.070Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22977 (GCVE-0-2026-22977)
Vulnerability from cvelistv5
Published
2026-01-21 13:08
Modified
2026-02-09 08:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: sock: fix hardened usercopy panic in sock_recv_errqueue
skbuff_fclone_cache was created without defining a usercopy region,
[1] unlike skbuff_head_cache which properly whitelists the cb[] field.
[2] This causes a usercopy BUG() when CONFIG_HARDENED_USERCOPY is
enabled and the kernel attempts to copy sk_buff.cb data to userspace
via sock_recv_errqueue() -> put_cmsg().
The crash occurs when: 1. TCP allocates an skb using alloc_skb_fclone()
(from skbuff_fclone_cache) [1]
2. The skb is cloned via skb_clone() using the pre-allocated fclone
[3] 3. The cloned skb is queued to sk_error_queue for timestamp
reporting 4. Userspace reads the error queue via recvmsg(MSG_ERRQUEUE)
5. sock_recv_errqueue() calls put_cmsg() to copy serr->ee from skb->cb
[4] 6. __check_heap_object() fails because skbuff_fclone_cache has no
usercopy whitelist [5]
When cloned skbs allocated from skbuff_fclone_cache are used in the
socket error queue, accessing the sock_exterr_skb structure in skb->cb
via put_cmsg() triggers a usercopy hardening violation:
[ 5.379589] usercopy: Kernel memory exposure attempt detected from SLUB object 'skbuff_fclone_cache' (offset 296, size 16)!
[ 5.382796] kernel BUG at mm/usercopy.c:102!
[ 5.383923] Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
[ 5.384903] CPU: 1 UID: 0 PID: 138 Comm: poc_put_cmsg Not tainted 6.12.57 #7
[ 5.384903] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 5.384903] RIP: 0010:usercopy_abort+0x6c/0x80
[ 5.384903] Code: 1a 86 51 48 c7 c2 40 15 1a 86 41 52 48 c7 c7 c0 15 1a 86 48 0f 45 d6 48 c7 c6 80 15 1a 86 48 89 c1 49 0f 45 f3 e8 84 27 88 ff <0f> 0b 490
[ 5.384903] RSP: 0018:ffffc900006f77a8 EFLAGS: 00010246
[ 5.384903] RAX: 000000000000006f RBX: ffff88800f0ad2a8 RCX: 1ffffffff0f72e74
[ 5.384903] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffff87b973a0
[ 5.384903] RBP: 0000000000000010 R08: 0000000000000000 R09: fffffbfff0f72e74
[ 5.384903] R10: 0000000000000003 R11: 79706f6372657375 R12: 0000000000000001
[ 5.384903] R13: ffff88800f0ad2b8 R14: ffffea00003c2b40 R15: ffffea00003c2b00
[ 5.384903] FS: 0000000011bc4380(0000) GS:ffff8880bf100000(0000) knlGS:0000000000000000
[ 5.384903] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 5.384903] CR2: 000056aa3b8e5fe4 CR3: 000000000ea26004 CR4: 0000000000770ef0
[ 5.384903] PKRU: 55555554
[ 5.384903] Call Trace:
[ 5.384903] <TASK>
[ 5.384903] __check_heap_object+0x9a/0xd0
[ 5.384903] __check_object_size+0x46c/0x690
[ 5.384903] put_cmsg+0x129/0x5e0
[ 5.384903] sock_recv_errqueue+0x22f/0x380
[ 5.384903] tls_sw_recvmsg+0x7ed/0x1960
[ 5.384903] ? srso_alias_return_thunk+0x5/0xfbef5
[ 5.384903] ? schedule+0x6d/0x270
[ 5.384903] ? srso_alias_return_thunk+0x5/0xfbef5
[ 5.384903] ? mutex_unlock+0x81/0xd0
[ 5.384903] ? __pfx_mutex_unlock+0x10/0x10
[ 5.384903] ? __pfx_tls_sw_recvmsg+0x10/0x10
[ 5.384903] ? _raw_spin_lock_irqsave+0x8f/0xf0
[ 5.384903] ? _raw_read_unlock_irqrestore+0x20/0x40
[ 5.384903] ? srso_alias_return_thunk+0x5/0xfbef5
The crash offset 296 corresponds to skb2->cb within skbuff_fclones:
- sizeof(struct sk_buff) = 232 - offsetof(struct sk_buff, cb) = 40 -
offset of skb2.cb in fclones = 232 + 40 = 272 - crash offset 296 =
272 + 24 (inside sock_exterr_skb.ee)
This patch uses a local stack variable as a bounce buffer to avoid the hardened usercopy check failure.
[1] https://elixir.bootlin.com/linux/v6.12.62/source/net/ipv4/tcp.c#L885
[2] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5104
[3] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5566
[4] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5491
[5] https://elixir.bootlin.com/linux/v6.12.62/source/mm/slub.c#L5719
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 6d07d1cd300f4c7e16005f881fea388164999cc8 Version: 6d07d1cd300f4c7e16005f881fea388164999cc8 Version: 6d07d1cd300f4c7e16005f881fea388164999cc8 Version: 6d07d1cd300f4c7e16005f881fea388164999cc8 Version: 6d07d1cd300f4c7e16005f881fea388164999cc8 Version: 6d07d1cd300f4c7e16005f881fea388164999cc8 Version: 6d07d1cd300f4c7e16005f881fea388164999cc8 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/sock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "88dd6be7ebb3153b662c2cebcb06e032a92857f5",
"status": "affected",
"version": "6d07d1cd300f4c7e16005f881fea388164999cc8",
"versionType": "git"
},
{
"lessThan": "c655d2167bf014d4c61b4faeca59b60ff9b9f6b1",
"status": "affected",
"version": "6d07d1cd300f4c7e16005f881fea388164999cc8",
"versionType": "git"
},
{
"lessThan": "8c6901aa29626e35045130bac09b75f791acca85",
"status": "affected",
"version": "6d07d1cd300f4c7e16005f881fea388164999cc8",
"versionType": "git"
},
{
"lessThan": "582a5e922a9652fcbb7d0165c95d5b20aa37575d",
"status": "affected",
"version": "6d07d1cd300f4c7e16005f881fea388164999cc8",
"versionType": "git"
},
{
"lessThan": "005671c60fcf1dbdb8bddf12a62568fd5e4ec391",
"status": "affected",
"version": "6d07d1cd300f4c7e16005f881fea388164999cc8",
"versionType": "git"
},
{
"lessThan": "e00b169eaac5f7cdbf710c354c8fa76d02009115",
"status": "affected",
"version": "6d07d1cd300f4c7e16005f881fea388164999cc8",
"versionType": "git"
},
{
"lessThan": "2a71a1a8d0ed718b1c7a9ac61f07e5755c47ae20",
"status": "affected",
"version": "6d07d1cd300f4c7e16005f881fea388164999cc8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/sock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sock: fix hardened usercopy panic in sock_recv_errqueue\n\nskbuff_fclone_cache was created without defining a usercopy region,\n[1] unlike skbuff_head_cache which properly whitelists the cb[] field.\n[2] This causes a usercopy BUG() when CONFIG_HARDENED_USERCOPY is\nenabled and the kernel attempts to copy sk_buff.cb data to userspace\nvia sock_recv_errqueue() -\u003e put_cmsg().\n\nThe crash occurs when: 1. TCP allocates an skb using alloc_skb_fclone()\n (from skbuff_fclone_cache) [1]\n2. The skb is cloned via skb_clone() using the pre-allocated fclone\n[3] 3. The cloned skb is queued to sk_error_queue for timestamp\nreporting 4. Userspace reads the error queue via recvmsg(MSG_ERRQUEUE)\n5. sock_recv_errqueue() calls put_cmsg() to copy serr-\u003eee from skb-\u003ecb\n[4] 6. __check_heap_object() fails because skbuff_fclone_cache has no\n usercopy whitelist [5]\n\nWhen cloned skbs allocated from skbuff_fclone_cache are used in the\nsocket error queue, accessing the sock_exterr_skb structure in skb-\u003ecb\nvia put_cmsg() triggers a usercopy hardening violation:\n\n[ 5.379589] usercopy: Kernel memory exposure attempt detected from SLUB object \u0027skbuff_fclone_cache\u0027 (offset 296, size 16)!\n[ 5.382796] kernel BUG at mm/usercopy.c:102!\n[ 5.383923] Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI\n[ 5.384903] CPU: 1 UID: 0 PID: 138 Comm: poc_put_cmsg Not tainted 6.12.57 #7\n[ 5.384903] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\n[ 5.384903] RIP: 0010:usercopy_abort+0x6c/0x80\n[ 5.384903] Code: 1a 86 51 48 c7 c2 40 15 1a 86 41 52 48 c7 c7 c0 15 1a 86 48 0f 45 d6 48 c7 c6 80 15 1a 86 48 89 c1 49 0f 45 f3 e8 84 27 88 ff \u003c0f\u003e 0b 490\n[ 5.384903] RSP: 0018:ffffc900006f77a8 EFLAGS: 00010246\n[ 5.384903] RAX: 000000000000006f RBX: ffff88800f0ad2a8 RCX: 1ffffffff0f72e74\n[ 5.384903] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffff87b973a0\n[ 5.384903] RBP: 0000000000000010 R08: 0000000000000000 R09: fffffbfff0f72e74\n[ 5.384903] R10: 0000000000000003 R11: 79706f6372657375 R12: 0000000000000001\n[ 5.384903] R13: ffff88800f0ad2b8 R14: ffffea00003c2b40 R15: ffffea00003c2b00\n[ 5.384903] FS: 0000000011bc4380(0000) GS:ffff8880bf100000(0000) knlGS:0000000000000000\n[ 5.384903] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 5.384903] CR2: 000056aa3b8e5fe4 CR3: 000000000ea26004 CR4: 0000000000770ef0\n[ 5.384903] PKRU: 55555554\n[ 5.384903] Call Trace:\n[ 5.384903] \u003cTASK\u003e\n[ 5.384903] __check_heap_object+0x9a/0xd0\n[ 5.384903] __check_object_size+0x46c/0x690\n[ 5.384903] put_cmsg+0x129/0x5e0\n[ 5.384903] sock_recv_errqueue+0x22f/0x380\n[ 5.384903] tls_sw_recvmsg+0x7ed/0x1960\n[ 5.384903] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 5.384903] ? schedule+0x6d/0x270\n[ 5.384903] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 5.384903] ? mutex_unlock+0x81/0xd0\n[ 5.384903] ? __pfx_mutex_unlock+0x10/0x10\n[ 5.384903] ? __pfx_tls_sw_recvmsg+0x10/0x10\n[ 5.384903] ? _raw_spin_lock_irqsave+0x8f/0xf0\n[ 5.384903] ? _raw_read_unlock_irqrestore+0x20/0x40\n[ 5.384903] ? srso_alias_return_thunk+0x5/0xfbef5\n\nThe crash offset 296 corresponds to skb2-\u003ecb within skbuff_fclones:\n - sizeof(struct sk_buff) = 232 - offsetof(struct sk_buff, cb) = 40 -\n offset of skb2.cb in fclones = 232 + 40 = 272 - crash offset 296 =\n 272 + 24 (inside sock_exterr_skb.ee)\n\nThis patch uses a local stack variable as a bounce buffer to avoid the hardened usercopy check failure.\n\n[1] https://elixir.bootlin.com/linux/v6.12.62/source/net/ipv4/tcp.c#L885\n[2] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5104\n[3] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5566\n[4] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5491\n[5] https://elixir.bootlin.com/linux/v6.12.62/source/mm/slub.c#L5719"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:27.020Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/88dd6be7ebb3153b662c2cebcb06e032a92857f5"
},
{
"url": "https://git.kernel.org/stable/c/c655d2167bf014d4c61b4faeca59b60ff9b9f6b1"
},
{
"url": "https://git.kernel.org/stable/c/8c6901aa29626e35045130bac09b75f791acca85"
},
{
"url": "https://git.kernel.org/stable/c/582a5e922a9652fcbb7d0165c95d5b20aa37575d"
},
{
"url": "https://git.kernel.org/stable/c/005671c60fcf1dbdb8bddf12a62568fd5e4ec391"
},
{
"url": "https://git.kernel.org/stable/c/e00b169eaac5f7cdbf710c354c8fa76d02009115"
},
{
"url": "https://git.kernel.org/stable/c/2a71a1a8d0ed718b1c7a9ac61f07e5755c47ae20"
}
],
"title": "net: sock: fix hardened usercopy panic in sock_recv_errqueue",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-22977",
"datePublished": "2026-01-21T13:08:54.858Z",
"dateReserved": "2026-01-13T15:37:45.935Z",
"dateUpdated": "2026-02-09T08:36:27.020Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68379 (GCVE-0-2025-68379)
Vulnerability from cvelistv5
Published
2025-12-24 10:33
Modified
2026-02-09 08:32
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/rxe: Fix null deref on srq->rq.queue after resize failure
A NULL pointer dereference can occur in rxe_srq_chk_attr() when
ibv_modify_srq() is invoked twice in succession under certain error
conditions. The first call may fail in rxe_queue_resize(), which leads
rxe_srq_from_attr() to set srq->rq.queue = NULL. The second call then
triggers a crash (null deref) when accessing
srq->rq.queue->buf->index_mask.
Call Trace:
<TASK>
rxe_modify_srq+0x170/0x480 [rdma_rxe]
? __pfx_rxe_modify_srq+0x10/0x10 [rdma_rxe]
? uverbs_try_lock_object+0x4f/0xa0 [ib_uverbs]
? rdma_lookup_get_uobject+0x1f0/0x380 [ib_uverbs]
ib_uverbs_modify_srq+0x204/0x290 [ib_uverbs]
? __pfx_ib_uverbs_modify_srq+0x10/0x10 [ib_uverbs]
? tryinc_node_nr_active+0xe6/0x150
? uverbs_fill_udata+0xed/0x4f0 [ib_uverbs]
ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x2c0/0x470 [ib_uverbs]
? __pfx_ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x10/0x10 [ib_uverbs]
? uverbs_fill_udata+0xed/0x4f0 [ib_uverbs]
ib_uverbs_run_method+0x55a/0x6e0 [ib_uverbs]
? __pfx_ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x10/0x10 [ib_uverbs]
ib_uverbs_cmd_verbs+0x54d/0x800 [ib_uverbs]
? __pfx_ib_uverbs_cmd_verbs+0x10/0x10 [ib_uverbs]
? __pfx___raw_spin_lock_irqsave+0x10/0x10
? __pfx_do_vfs_ioctl+0x10/0x10
? ioctl_has_perm.constprop.0.isra.0+0x2c7/0x4c0
? __pfx_ioctl_has_perm.constprop.0.isra.0+0x10/0x10
ib_uverbs_ioctl+0x13e/0x220 [ib_uverbs]
? __pfx_ib_uverbs_ioctl+0x10/0x10 [ib_uverbs]
__x64_sys_ioctl+0x138/0x1c0
do_syscall_64+0x82/0x250
? fdget_pos+0x58/0x4c0
? ksys_write+0xf3/0x1c0
? __pfx_ksys_write+0x10/0x10
? do_syscall_64+0xc8/0x250
? __pfx_vm_mmap_pgoff+0x10/0x10
? fget+0x173/0x230
? fput+0x2a/0x80
? ksys_mmap_pgoff+0x224/0x4c0
? do_syscall_64+0xc8/0x250
? do_user_addr_fault+0x37b/0xfe0
? clear_bhb_loop+0x50/0xa0
? clear_bhb_loop+0x50/0xa0
? clear_bhb_loop+0x50/0xa0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/rxe/rxe_srq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "58aca869babd48cb9c3d6ee9e1452c4b9f5266a6",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "b8f6eeb87a76b6fb1f6381b0b2894568e1b784f7",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "5dbeb421e137824aa9bd8358bdfc926a3965fc0d",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "bc4c14a3863cc0e03698caec9a0cdabd779776ee",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "503a5e4690ae14c18570141bc0dcf7501a8419b0",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/rxe/rxe_srq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Fix null deref on srq-\u003erq.queue after resize failure\n\nA NULL pointer dereference can occur in rxe_srq_chk_attr() when\nibv_modify_srq() is invoked twice in succession under certain error\nconditions. The first call may fail in rxe_queue_resize(), which leads\nrxe_srq_from_attr() to set srq-\u003erq.queue = NULL. The second call then\ntriggers a crash (null deref) when accessing\nsrq-\u003erq.queue-\u003ebuf-\u003eindex_mask.\n\nCall Trace:\n\u003cTASK\u003e\nrxe_modify_srq+0x170/0x480 [rdma_rxe]\n? __pfx_rxe_modify_srq+0x10/0x10 [rdma_rxe]\n? uverbs_try_lock_object+0x4f/0xa0 [ib_uverbs]\n? rdma_lookup_get_uobject+0x1f0/0x380 [ib_uverbs]\nib_uverbs_modify_srq+0x204/0x290 [ib_uverbs]\n? __pfx_ib_uverbs_modify_srq+0x10/0x10 [ib_uverbs]\n? tryinc_node_nr_active+0xe6/0x150\n? uverbs_fill_udata+0xed/0x4f0 [ib_uverbs]\nib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x2c0/0x470 [ib_uverbs]\n? __pfx_ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x10/0x10 [ib_uverbs]\n? uverbs_fill_udata+0xed/0x4f0 [ib_uverbs]\nib_uverbs_run_method+0x55a/0x6e0 [ib_uverbs]\n? __pfx_ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x10/0x10 [ib_uverbs]\nib_uverbs_cmd_verbs+0x54d/0x800 [ib_uverbs]\n? __pfx_ib_uverbs_cmd_verbs+0x10/0x10 [ib_uverbs]\n? __pfx___raw_spin_lock_irqsave+0x10/0x10\n? __pfx_do_vfs_ioctl+0x10/0x10\n? ioctl_has_perm.constprop.0.isra.0+0x2c7/0x4c0\n? __pfx_ioctl_has_perm.constprop.0.isra.0+0x10/0x10\nib_uverbs_ioctl+0x13e/0x220 [ib_uverbs]\n? __pfx_ib_uverbs_ioctl+0x10/0x10 [ib_uverbs]\n__x64_sys_ioctl+0x138/0x1c0\ndo_syscall_64+0x82/0x250\n? fdget_pos+0x58/0x4c0\n? ksys_write+0xf3/0x1c0\n? __pfx_ksys_write+0x10/0x10\n? do_syscall_64+0xc8/0x250\n? __pfx_vm_mmap_pgoff+0x10/0x10\n? fget+0x173/0x230\n? fput+0x2a/0x80\n? ksys_mmap_pgoff+0x224/0x4c0\n? do_syscall_64+0xc8/0x250\n? do_user_addr_fault+0x37b/0xfe0\n? clear_bhb_loop+0x50/0xa0\n? clear_bhb_loop+0x50/0xa0\n? clear_bhb_loop+0x50/0xa0\nentry_SYSCALL_64_after_hwframe+0x76/0x7e"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:32:17.837Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/58aca869babd48cb9c3d6ee9e1452c4b9f5266a6"
},
{
"url": "https://git.kernel.org/stable/c/b8f6eeb87a76b6fb1f6381b0b2894568e1b784f7"
},
{
"url": "https://git.kernel.org/stable/c/5dbeb421e137824aa9bd8358bdfc926a3965fc0d"
},
{
"url": "https://git.kernel.org/stable/c/bc4c14a3863cc0e03698caec9a0cdabd779776ee"
},
{
"url": "https://git.kernel.org/stable/c/503a5e4690ae14c18570141bc0dcf7501a8419b0"
}
],
"title": "RDMA/rxe: Fix null deref on srq-\u003erq.queue after resize failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68379",
"datePublished": "2025-12-24T10:33:07.538Z",
"dateReserved": "2025-12-16T14:48:05.311Z",
"dateUpdated": "2026-02-09T08:32:17.837Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71085 (GCVE-0-2025-71085)
Vulnerability from cvelistv5
Published
2026-01-13 15:34
Modified
2026-02-09 08:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()
There exists a kernel oops caused by a BUG_ON(nhead < 0) at
net/core/skbuff.c:2232 in pskb_expand_head().
This bug is triggered as part of the calipso_skbuff_setattr()
routine when skb_cow() is passed headroom > INT_MAX
(i.e. (int)(skb_headroom(skb) + len_delta) < 0).
The root cause of the bug is due to an implicit integer cast in
__skb_cow(). The check (headroom > skb_headroom(skb)) is meant to ensure
that delta = headroom - skb_headroom(skb) is never negative, otherwise
we will trigger a BUG_ON in pskb_expand_head(). However, if
headroom > INT_MAX and delta <= -NET_SKB_PAD, the check passes, delta
becomes negative, and pskb_expand_head() is passed a negative value for
nhead.
Fix the trigger condition in calipso_skbuff_setattr(). Avoid passing
"negative" headroom sizes to skb_cow() within calipso_skbuff_setattr()
by only using skb_cow() to grow headroom.
PoC:
Using `netlabelctl` tool:
netlabelctl map del default
netlabelctl calipso add pass doi:7
netlabelctl map add default address:0::1/128 protocol:calipso,7
Then run the following PoC:
int fd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP);
// setup msghdr
int cmsg_size = 2;
int cmsg_len = 0x60;
struct msghdr msg;
struct sockaddr_in6 dest_addr;
struct cmsghdr * cmsg = (struct cmsghdr *) calloc(1,
sizeof(struct cmsghdr) + cmsg_len);
msg.msg_name = &dest_addr;
msg.msg_namelen = sizeof(dest_addr);
msg.msg_iov = NULL;
msg.msg_iovlen = 0;
msg.msg_control = cmsg;
msg.msg_controllen = cmsg_len;
msg.msg_flags = 0;
// setup sockaddr
dest_addr.sin6_family = AF_INET6;
dest_addr.sin6_port = htons(31337);
dest_addr.sin6_flowinfo = htonl(31337);
dest_addr.sin6_addr = in6addr_loopback;
dest_addr.sin6_scope_id = 31337;
// setup cmsghdr
cmsg->cmsg_len = cmsg_len;
cmsg->cmsg_level = IPPROTO_IPV6;
cmsg->cmsg_type = IPV6_HOPOPTS;
char * hop_hdr = (char *)cmsg + sizeof(struct cmsghdr);
hop_hdr[1] = 0x9; //set hop size - (0x9 + 1) * 8 = 80
sendmsg(fd, &msg, 0);
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3 Version: 2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3 Version: 2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3 Version: 2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3 Version: 2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3 Version: 2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3 Version: 2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/calipso.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "86f365897068d09418488165a68b23cb5baa37f2",
"status": "affected",
"version": "2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3",
"versionType": "git"
},
{
"lessThan": "6b7522424529556c9cbc15e15e7bd4eeae310910",
"status": "affected",
"version": "2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3",
"versionType": "git"
},
{
"lessThan": "2bb759062efa188ea5d07242a43e5aa5464bbae1",
"status": "affected",
"version": "2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3",
"versionType": "git"
},
{
"lessThan": "c53aa6a5086f03f19564096ee084a202a8c738c0",
"status": "affected",
"version": "2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3",
"versionType": "git"
},
{
"lessThan": "bf3709738d8a8cc6fa275773170c5c29511a0b24",
"status": "affected",
"version": "2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3",
"versionType": "git"
},
{
"lessThan": "73744ad5696dce0e0f43872aba8de6a83d6ad570",
"status": "affected",
"version": "2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3",
"versionType": "git"
},
{
"lessThan": "58fc7342b529803d3c221101102fe913df7adb83",
"status": "affected",
"version": "2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/calipso.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()\n\nThere exists a kernel oops caused by a BUG_ON(nhead \u003c 0) at\nnet/core/skbuff.c:2232 in pskb_expand_head().\nThis bug is triggered as part of the calipso_skbuff_setattr()\nroutine when skb_cow() is passed headroom \u003e INT_MAX\n(i.e. (int)(skb_headroom(skb) + len_delta) \u003c 0).\n\nThe root cause of the bug is due to an implicit integer cast in\n__skb_cow(). The check (headroom \u003e skb_headroom(skb)) is meant to ensure\nthat delta = headroom - skb_headroom(skb) is never negative, otherwise\nwe will trigger a BUG_ON in pskb_expand_head(). However, if\nheadroom \u003e INT_MAX and delta \u003c= -NET_SKB_PAD, the check passes, delta\nbecomes negative, and pskb_expand_head() is passed a negative value for\nnhead.\n\nFix the trigger condition in calipso_skbuff_setattr(). Avoid passing\n\"negative\" headroom sizes to skb_cow() within calipso_skbuff_setattr()\nby only using skb_cow() to grow headroom.\n\nPoC:\n\tUsing `netlabelctl` tool:\n\n netlabelctl map del default\n netlabelctl calipso add pass doi:7\n netlabelctl map add default address:0::1/128 protocol:calipso,7\n\n Then run the following PoC:\n\n int fd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP);\n\n // setup msghdr\n int cmsg_size = 2;\n int cmsg_len = 0x60;\n struct msghdr msg;\n struct sockaddr_in6 dest_addr;\n struct cmsghdr * cmsg = (struct cmsghdr *) calloc(1,\n sizeof(struct cmsghdr) + cmsg_len);\n msg.msg_name = \u0026dest_addr;\n msg.msg_namelen = sizeof(dest_addr);\n msg.msg_iov = NULL;\n msg.msg_iovlen = 0;\n msg.msg_control = cmsg;\n msg.msg_controllen = cmsg_len;\n msg.msg_flags = 0;\n\n // setup sockaddr\n dest_addr.sin6_family = AF_INET6;\n dest_addr.sin6_port = htons(31337);\n dest_addr.sin6_flowinfo = htonl(31337);\n dest_addr.sin6_addr = in6addr_loopback;\n dest_addr.sin6_scope_id = 31337;\n\n // setup cmsghdr\n cmsg-\u003ecmsg_len = cmsg_len;\n cmsg-\u003ecmsg_level = IPPROTO_IPV6;\n cmsg-\u003ecmsg_type = IPV6_HOPOPTS;\n char * hop_hdr = (char *)cmsg + sizeof(struct cmsghdr);\n hop_hdr[1] = 0x9; //set hop size - (0x9 + 1) * 8 = 80\n\n sendmsg(fd, \u0026msg, 0);"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:36.802Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/86f365897068d09418488165a68b23cb5baa37f2"
},
{
"url": "https://git.kernel.org/stable/c/6b7522424529556c9cbc15e15e7bd4eeae310910"
},
{
"url": "https://git.kernel.org/stable/c/2bb759062efa188ea5d07242a43e5aa5464bbae1"
},
{
"url": "https://git.kernel.org/stable/c/c53aa6a5086f03f19564096ee084a202a8c738c0"
},
{
"url": "https://git.kernel.org/stable/c/bf3709738d8a8cc6fa275773170c5c29511a0b24"
},
{
"url": "https://git.kernel.org/stable/c/73744ad5696dce0e0f43872aba8de6a83d6ad570"
},
{
"url": "https://git.kernel.org/stable/c/58fc7342b529803d3c221101102fe913df7adb83"
}
],
"title": "ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71085",
"datePublished": "2026-01-13T15:34:48.324Z",
"dateReserved": "2026-01-13T15:30:19.649Z",
"dateUpdated": "2026-02-09T08:34:36.802Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39987 (GCVE-0-2025-39987)
Vulnerability from cvelistv5
Published
2025-10-15 07:56
Modified
2025-10-15 07:56
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: hi311x: populate ndo_change_mtu() to prevent buffer overflow
Sending an PF_PACKET allows to bypass the CAN framework logic and to
directly reach the xmit() function of a CAN driver. The only check
which is performed by the PF_PACKET framework is to make sure that
skb->len fits the interface's MTU.
Unfortunately, because the sun4i_can driver does not populate its
net_device_ops->ndo_change_mtu(), it is possible for an attacker to
configure an invalid MTU by doing, for example:
$ ip link set can0 mtu 9999
After doing so, the attacker could open a PF_PACKET socket using the
ETH_P_CANXL protocol:
socket(PF_PACKET, SOCK_RAW, htons(ETH_P_CANXL))
to inject a malicious CAN XL frames. For example:
struct canxl_frame frame = {
.flags = 0xff,
.len = 2048,
};
The CAN drivers' xmit() function are calling can_dev_dropped_skb() to
check that the skb is valid, unfortunately under above conditions, the
malicious packet is able to go through can_dev_dropped_skb() checks:
1. the skb->protocol is set to ETH_P_CANXL which is valid (the
function does not check the actual device capabilities).
2. the length is a valid CAN XL length.
And so, hi3110_hard_start_xmit() receives a CAN XL frame which it is
not able to correctly handle and will thus misinterpret it as a CAN
frame. The driver will consume frame->len as-is with no further
checks.
This can result in a buffer overflow later on in hi3110_hw_tx() on
this line:
memcpy(buf + HI3110_FIFO_EXT_DATA_OFF,
frame->data, frame->len);
Here, frame->len corresponds to the flags field of the CAN XL frame.
In our previous example, we set canxl_frame->flags to 0xff. Because
the maximum expected length is 8, a buffer overflow of 247 bytes
occurs!
Populate net_device_ops->ndo_change_mtu() to ensure that the
interface's MTU can not be set to anything bigger than CAN_MTU. By
fixing the root cause, this prevents the buffer overflow.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 57e83fb9b7468c75cb65cde1d23043553c346c6d Version: 57e83fb9b7468c75cb65cde1d23043553c346c6d Version: 57e83fb9b7468c75cb65cde1d23043553c346c6d Version: 57e83fb9b7468c75cb65cde1d23043553c346c6d Version: 57e83fb9b7468c75cb65cde1d23043553c346c6d Version: 57e83fb9b7468c75cb65cde1d23043553c346c6d Version: 57e83fb9b7468c75cb65cde1d23043553c346c6d Version: 57e83fb9b7468c75cb65cde1d23043553c346c6d |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/can/spi/hi311x.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f2c247e9581024d8b3dd44cbe086bf2bebbef42c",
"status": "affected",
"version": "57e83fb9b7468c75cb65cde1d23043553c346c6d",
"versionType": "git"
},
{
"lessThan": "8f351db6b2367991f0736b2cff082f5de4872113",
"status": "affected",
"version": "57e83fb9b7468c75cb65cde1d23043553c346c6d",
"versionType": "git"
},
{
"lessThan": "7ab85762274c0fa997f0ef9a2307b2001aae43c4",
"status": "affected",
"version": "57e83fb9b7468c75cb65cde1d23043553c346c6d",
"versionType": "git"
},
{
"lessThan": "57d332ce8c921d0e340650470bb0c1d707f216ee",
"status": "affected",
"version": "57e83fb9b7468c75cb65cde1d23043553c346c6d",
"versionType": "git"
},
{
"lessThan": "be1b25005fd0f9d4e78bec6695711ef87ee33398",
"status": "affected",
"version": "57e83fb9b7468c75cb65cde1d23043553c346c6d",
"versionType": "git"
},
{
"lessThan": "def814b4ba31b563584061d6895d5ff447d5bc14",
"status": "affected",
"version": "57e83fb9b7468c75cb65cde1d23043553c346c6d",
"versionType": "git"
},
{
"lessThan": "e77fdf9e33a83a08f04ab0cb68c19ddb365a622f",
"status": "affected",
"version": "57e83fb9b7468c75cb65cde1d23043553c346c6d",
"versionType": "git"
},
{
"lessThan": "ac1c7656fa717f29fac3ea073af63f0b9919ec9a",
"status": "affected",
"version": "57e83fb9b7468c75cb65cde1d23043553c346c6d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/can/spi/hi311x.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.155",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.50",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.155",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.109",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: hi311x: populate ndo_change_mtu() to prevent buffer overflow\n\nSending an PF_PACKET allows to bypass the CAN framework logic and to\ndirectly reach the xmit() function of a CAN driver. The only check\nwhich is performed by the PF_PACKET framework is to make sure that\nskb-\u003elen fits the interface\u0027s MTU.\n\nUnfortunately, because the sun4i_can driver does not populate its\nnet_device_ops-\u003endo_change_mtu(), it is possible for an attacker to\nconfigure an invalid MTU by doing, for example:\n\n $ ip link set can0 mtu 9999\n\nAfter doing so, the attacker could open a PF_PACKET socket using the\nETH_P_CANXL protocol:\n\n\tsocket(PF_PACKET, SOCK_RAW, htons(ETH_P_CANXL))\n\nto inject a malicious CAN XL frames. For example:\n\n\tstruct canxl_frame frame = {\n\t\t.flags = 0xff,\n\t\t.len = 2048,\n\t};\n\nThe CAN drivers\u0027 xmit() function are calling can_dev_dropped_skb() to\ncheck that the skb is valid, unfortunately under above conditions, the\nmalicious packet is able to go through can_dev_dropped_skb() checks:\n\n 1. the skb-\u003eprotocol is set to ETH_P_CANXL which is valid (the\n function does not check the actual device capabilities).\n\n 2. the length is a valid CAN XL length.\n\nAnd so, hi3110_hard_start_xmit() receives a CAN XL frame which it is\nnot able to correctly handle and will thus misinterpret it as a CAN\nframe. The driver will consume frame-\u003elen as-is with no further\nchecks.\n\nThis can result in a buffer overflow later on in hi3110_hw_tx() on\nthis line:\n\n\tmemcpy(buf + HI3110_FIFO_EXT_DATA_OFF,\n\t frame-\u003edata, frame-\u003elen);\n\nHere, frame-\u003elen corresponds to the flags field of the CAN XL frame.\nIn our previous example, we set canxl_frame-\u003eflags to 0xff. Because\nthe maximum expected length is 8, a buffer overflow of 247 bytes\noccurs!\n\nPopulate net_device_ops-\u003endo_change_mtu() to ensure that the\ninterface\u0027s MTU can not be set to anything bigger than CAN_MTU. By\nfixing the root cause, this prevents the buffer overflow."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T07:56:05.878Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f2c247e9581024d8b3dd44cbe086bf2bebbef42c"
},
{
"url": "https://git.kernel.org/stable/c/8f351db6b2367991f0736b2cff082f5de4872113"
},
{
"url": "https://git.kernel.org/stable/c/7ab85762274c0fa997f0ef9a2307b2001aae43c4"
},
{
"url": "https://git.kernel.org/stable/c/57d332ce8c921d0e340650470bb0c1d707f216ee"
},
{
"url": "https://git.kernel.org/stable/c/be1b25005fd0f9d4e78bec6695711ef87ee33398"
},
{
"url": "https://git.kernel.org/stable/c/def814b4ba31b563584061d6895d5ff447d5bc14"
},
{
"url": "https://git.kernel.org/stable/c/e77fdf9e33a83a08f04ab0cb68c19ddb365a622f"
},
{
"url": "https://git.kernel.org/stable/c/ac1c7656fa717f29fac3ea073af63f0b9919ec9a"
}
],
"title": "can: hi311x: populate ndo_change_mtu() to prevent buffer overflow",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39987",
"datePublished": "2025-10-15T07:56:05.878Z",
"dateReserved": "2025-04-16T07:20:57.150Z",
"dateUpdated": "2025-10-15T07:56:05.878Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40173 (GCVE-0-2025-40173)
Vulnerability from cvelistv5
Published
2025-11-12 10:53
Modified
2025-12-01 06:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/ip6_tunnel: Prevent perpetual tunnel growth
Similarly to ipv4 tunnel, ipv6 version updates dev->needed_headroom, too.
While ipv4 tunnel headroom adjustment growth was limited in
commit 5ae1e9922bbd ("net: ip_tunnel: prevent perpetual headroom growth"),
ipv6 tunnel yet increases the headroom without any ceiling.
Reflect ipv4 tunnel headroom adjustment limit on ipv6 version.
Credits to Francesco Ruggeri, who was originally debugging this issue
and wrote local Arista-specific patch and a reproducer.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 8eb30be0352d09165e94a41fef1c7b994dca0714 Version: 8eb30be0352d09165e94a41fef1c7b994dca0714 Version: 8eb30be0352d09165e94a41fef1c7b994dca0714 Version: 8eb30be0352d09165e94a41fef1c7b994dca0714 Version: 8eb30be0352d09165e94a41fef1c7b994dca0714 Version: 8eb30be0352d09165e94a41fef1c7b994dca0714 Version: 8eb30be0352d09165e94a41fef1c7b994dca0714 Version: 8eb30be0352d09165e94a41fef1c7b994dca0714 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/ip_tunnels.h",
"net/ipv4/ip_tunnel.c",
"net/ipv6/ip6_tunnel.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "566f8d5c8a443f2dd69c5460fdec43ed1c870c65",
"status": "affected",
"version": "8eb30be0352d09165e94a41fef1c7b994dca0714",
"versionType": "git"
},
{
"lessThan": "11f6066af3bfb8149aa16c42c0b0c5ea5b199a94",
"status": "affected",
"version": "8eb30be0352d09165e94a41fef1c7b994dca0714",
"versionType": "git"
},
{
"lessThan": "402b6985e872b4cf394bbbf33b503947a326a6cb",
"status": "affected",
"version": "8eb30be0352d09165e94a41fef1c7b994dca0714",
"versionType": "git"
},
{
"lessThan": "10fe967efe73c610e526ff7460581610633dee9c",
"status": "affected",
"version": "8eb30be0352d09165e94a41fef1c7b994dca0714",
"versionType": "git"
},
{
"lessThan": "48294a67863c9cfa367abb66bbf0ef6548ae124f",
"status": "affected",
"version": "8eb30be0352d09165e94a41fef1c7b994dca0714",
"versionType": "git"
},
{
"lessThan": "eeb4345488672584db4f8c20a1ae13a212ce31c4",
"status": "affected",
"version": "8eb30be0352d09165e94a41fef1c7b994dca0714",
"versionType": "git"
},
{
"lessThan": "b6eb25d870f1a8ae571fd3da2244b71df547824b",
"status": "affected",
"version": "8eb30be0352d09165e94a41fef1c7b994dca0714",
"versionType": "git"
},
{
"lessThan": "21f4d45eba0b2dcae5dbc9e5e0ad08735c993f16",
"status": "affected",
"version": "8eb30be0352d09165e94a41fef1c7b994dca0714",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/ip_tunnels.h",
"net/ipv4/ip_tunnel.c",
"net/ipv6/ip6_tunnel.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.7"
},
{
"lessThan": "4.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.196",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.114",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.196",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.114",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.55",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.5",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/ip6_tunnel: Prevent perpetual tunnel growth\n\nSimilarly to ipv4 tunnel, ipv6 version updates dev-\u003eneeded_headroom, too.\nWhile ipv4 tunnel headroom adjustment growth was limited in\ncommit 5ae1e9922bbd (\"net: ip_tunnel: prevent perpetual headroom growth\"),\nipv6 tunnel yet increases the headroom without any ceiling.\n\nReflect ipv4 tunnel headroom adjustment limit on ipv6 version.\n\nCredits to Francesco Ruggeri, who was originally debugging this issue\nand wrote local Arista-specific patch and a reproducer."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:19:28.364Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/566f8d5c8a443f2dd69c5460fdec43ed1c870c65"
},
{
"url": "https://git.kernel.org/stable/c/11f6066af3bfb8149aa16c42c0b0c5ea5b199a94"
},
{
"url": "https://git.kernel.org/stable/c/402b6985e872b4cf394bbbf33b503947a326a6cb"
},
{
"url": "https://git.kernel.org/stable/c/10fe967efe73c610e526ff7460581610633dee9c"
},
{
"url": "https://git.kernel.org/stable/c/48294a67863c9cfa367abb66bbf0ef6548ae124f"
},
{
"url": "https://git.kernel.org/stable/c/eeb4345488672584db4f8c20a1ae13a212ce31c4"
},
{
"url": "https://git.kernel.org/stable/c/b6eb25d870f1a8ae571fd3da2244b71df547824b"
},
{
"url": "https://git.kernel.org/stable/c/21f4d45eba0b2dcae5dbc9e5e0ad08735c993f16"
}
],
"title": "net/ip6_tunnel: Prevent perpetual tunnel growth",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40173",
"datePublished": "2025-11-12T10:53:49.571Z",
"dateReserved": "2025-04-16T07:20:57.177Z",
"dateUpdated": "2025-12-01T06:19:28.364Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71100 (GCVE-0-2025-71100)
Vulnerability from cvelistv5
Published
2026-01-13 15:34
Modified
2026-02-09 08:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: rtlwifi: 8192cu: fix tid out of range in rtl92cu_tx_fill_desc()
TID getting from ieee80211_get_tid() might be out of range of array size
of sta_entry->tids[], so check TID is less than MAX_TID_COUNT. Othwerwise,
UBSAN warn:
UBSAN: array-index-out-of-bounds in drivers/net/wireless/realtek/rtlwifi/rtl8192cu/trx.c:514:30
index 10 is out of range for type 'rtl_tid_data [9]'
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/realtek/rtlwifi/rtl8192cu/trx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9765d6eb8298b07d499cdf9ef7c237d3540102d6",
"status": "affected",
"version": "8ca4cdef93297c9b9bf08da39bc940bd20acbb94",
"versionType": "git"
},
{
"lessThan": "90a15ff324645aa806d81fa349497cd964861b66",
"status": "affected",
"version": "8ca4cdef93297c9b9bf08da39bc940bd20acbb94",
"versionType": "git"
},
{
"lessThan": "dd39edb445f07400e748da967a07d5dca5c5f96e",
"status": "affected",
"version": "8ca4cdef93297c9b9bf08da39bc940bd20acbb94",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/realtek/rtlwifi/rtl8192cu/trx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.9"
},
{
"lessThan": "6.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtlwifi: 8192cu: fix tid out of range in rtl92cu_tx_fill_desc()\n\nTID getting from ieee80211_get_tid() might be out of range of array size\nof sta_entry-\u003etids[], so check TID is less than MAX_TID_COUNT. Othwerwise,\nUBSAN warn:\n\n UBSAN: array-index-out-of-bounds in drivers/net/wireless/realtek/rtlwifi/rtl8192cu/trx.c:514:30\n index 10 is out of range for type \u0027rtl_tid_data [9]\u0027"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:53.029Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9765d6eb8298b07d499cdf9ef7c237d3540102d6"
},
{
"url": "https://git.kernel.org/stable/c/90a15ff324645aa806d81fa349497cd964861b66"
},
{
"url": "https://git.kernel.org/stable/c/dd39edb445f07400e748da967a07d5dca5c5f96e"
}
],
"title": "wifi: rtlwifi: 8192cu: fix tid out of range in rtl92cu_tx_fill_desc()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71100",
"datePublished": "2026-01-13T15:34:59.039Z",
"dateReserved": "2026-01-13T15:30:19.651Z",
"dateUpdated": "2026-02-09T08:34:53.029Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38248 (GCVE-0-2025-38248)
Vulnerability from cvelistv5
Published
2025-07-09 10:42
Modified
2026-01-30 15:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bridge: mcast: Fix use-after-free during router port configuration
The bridge maintains a global list of ports behind which a multicast
router resides. The list is consulted during forwarding to ensure
multicast packets are forwarded to these ports even if the ports are not
member in the matching MDB entry.
When per-VLAN multicast snooping is enabled, the per-port multicast
context is disabled on each port and the port is removed from the global
router port list:
# ip link add name br1 up type bridge vlan_filtering 1 mcast_snooping 1
# ip link add name dummy1 up master br1 type dummy
# ip link set dev dummy1 type bridge_slave mcast_router 2
$ bridge -d mdb show | grep router
router ports on br1: dummy1
# ip link set dev br1 type bridge mcast_vlan_snooping 1
$ bridge -d mdb show | grep router
However, the port can be re-added to the global list even when per-VLAN
multicast snooping is enabled:
# ip link set dev dummy1 type bridge_slave mcast_router 0
# ip link set dev dummy1 type bridge_slave mcast_router 2
$ bridge -d mdb show | grep router
router ports on br1: dummy1
Since commit 4b30ae9adb04 ("net: bridge: mcast: re-implement
br_multicast_{enable, disable}_port functions"), when per-VLAN multicast
snooping is enabled, multicast disablement on a port will disable the
per-{port, VLAN} multicast contexts and not the per-port one. As a
result, a port will remain in the global router port list even after it
is deleted. This will lead to a use-after-free [1] when the list is
traversed (when adding a new port to the list, for example):
# ip link del dev dummy1
# ip link add name dummy2 up master br1 type dummy
# ip link set dev dummy2 type bridge_slave mcast_router 2
Similarly, stale entries can also be found in the per-VLAN router port
list. When per-VLAN multicast snooping is disabled, the per-{port, VLAN}
contexts are disabled on each port and the port is removed from the
per-VLAN router port list:
# ip link add name br1 up type bridge vlan_filtering 1 mcast_snooping 1 mcast_vlan_snooping 1
# ip link add name dummy1 up master br1 type dummy
# bridge vlan add vid 2 dev dummy1
# bridge vlan global set vid 2 dev br1 mcast_snooping 1
# bridge vlan set vid 2 dev dummy1 mcast_router 2
$ bridge vlan global show dev br1 vid 2 | grep router
router ports: dummy1
# ip link set dev br1 type bridge mcast_vlan_snooping 0
$ bridge vlan global show dev br1 vid 2 | grep router
However, the port can be re-added to the per-VLAN list even when
per-VLAN multicast snooping is disabled:
# bridge vlan set vid 2 dev dummy1 mcast_router 0
# bridge vlan set vid 2 dev dummy1 mcast_router 2
$ bridge vlan global show dev br1 vid 2 | grep router
router ports: dummy1
When the VLAN is deleted from the port, the per-{port, VLAN} multicast
context will not be disabled since multicast snooping is not enabled
on the VLAN. As a result, the port will remain in the per-VLAN router
port list even after it is no longer member in the VLAN. This will lead
to a use-after-free [2] when the list is traversed (when adding a new
port to the list, for example):
# ip link add name dummy2 up master br1 type dummy
# bridge vlan add vid 2 dev dummy2
# bridge vlan del vid 2 dev dummy1
# bridge vlan set vid 2 dev dummy2 mcast_router 2
Fix these issues by removing the port from the relevant (global or
per-VLAN) router port list in br_multicast_port_ctx_deinit(). The
function is invoked during port deletion with the per-port multicast
context and during VLAN deletion with the per-{port, VLAN} multicast
context.
Note that deleting the multicast router timer is not enough as it only
takes care of the temporary multicast router states (1 or 3) and not the
permanent one (2).
[1]
BUG: KASAN: slab-out-of-bounds in br_multicast_add_router.part.0+0x3f1/0x560
Write of size 8 at addr ffff888004a67328 by task ip/384
[...]
Call Trace:
<TASK>
dump_stack
---truncated---
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bridge/br_multicast.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4d3c2a1d4c7c33103f1ddfdbc5cfe1ea4f6d0dcd",
"status": "affected",
"version": "2796d846d74a18cc6563e96eff8bf28c5e06f912",
"versionType": "git"
},
{
"lessThan": "bdced577da71b118b6ed4242ebd47f81bf54d406",
"status": "affected",
"version": "2796d846d74a18cc6563e96eff8bf28c5e06f912",
"versionType": "git"
},
{
"lessThan": "f05a4f9e959e0fc098046044c650acf897ea52d2",
"status": "affected",
"version": "2796d846d74a18cc6563e96eff8bf28c5e06f912",
"versionType": "git"
},
{
"lessThan": "7544f3f5b0b58c396f374d060898b5939da31709",
"status": "affected",
"version": "2796d846d74a18cc6563e96eff8bf28c5e06f912",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bridge/br_multicast.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.5",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbridge: mcast: Fix use-after-free during router port configuration\n\nThe bridge maintains a global list of ports behind which a multicast\nrouter resides. The list is consulted during forwarding to ensure\nmulticast packets are forwarded to these ports even if the ports are not\nmember in the matching MDB entry.\n\nWhen per-VLAN multicast snooping is enabled, the per-port multicast\ncontext is disabled on each port and the port is removed from the global\nrouter port list:\n\n # ip link add name br1 up type bridge vlan_filtering 1 mcast_snooping 1\n # ip link add name dummy1 up master br1 type dummy\n # ip link set dev dummy1 type bridge_slave mcast_router 2\n $ bridge -d mdb show | grep router\n router ports on br1: dummy1\n # ip link set dev br1 type bridge mcast_vlan_snooping 1\n $ bridge -d mdb show | grep router\n\nHowever, the port can be re-added to the global list even when per-VLAN\nmulticast snooping is enabled:\n\n # ip link set dev dummy1 type bridge_slave mcast_router 0\n # ip link set dev dummy1 type bridge_slave mcast_router 2\n $ bridge -d mdb show | grep router\n router ports on br1: dummy1\n\nSince commit 4b30ae9adb04 (\"net: bridge: mcast: re-implement\nbr_multicast_{enable, disable}_port functions\"), when per-VLAN multicast\nsnooping is enabled, multicast disablement on a port will disable the\nper-{port, VLAN} multicast contexts and not the per-port one. As a\nresult, a port will remain in the global router port list even after it\nis deleted. This will lead to a use-after-free [1] when the list is\ntraversed (when adding a new port to the list, for example):\n\n # ip link del dev dummy1\n # ip link add name dummy2 up master br1 type dummy\n # ip link set dev dummy2 type bridge_slave mcast_router 2\n\nSimilarly, stale entries can also be found in the per-VLAN router port\nlist. When per-VLAN multicast snooping is disabled, the per-{port, VLAN}\ncontexts are disabled on each port and the port is removed from the\nper-VLAN router port list:\n\n # ip link add name br1 up type bridge vlan_filtering 1 mcast_snooping 1 mcast_vlan_snooping 1\n # ip link add name dummy1 up master br1 type dummy\n # bridge vlan add vid 2 dev dummy1\n # bridge vlan global set vid 2 dev br1 mcast_snooping 1\n # bridge vlan set vid 2 dev dummy1 mcast_router 2\n $ bridge vlan global show dev br1 vid 2 | grep router\n router ports: dummy1\n # ip link set dev br1 type bridge mcast_vlan_snooping 0\n $ bridge vlan global show dev br1 vid 2 | grep router\n\nHowever, the port can be re-added to the per-VLAN list even when\nper-VLAN multicast snooping is disabled:\n\n # bridge vlan set vid 2 dev dummy1 mcast_router 0\n # bridge vlan set vid 2 dev dummy1 mcast_router 2\n $ bridge vlan global show dev br1 vid 2 | grep router\n router ports: dummy1\n\nWhen the VLAN is deleted from the port, the per-{port, VLAN} multicast\ncontext will not be disabled since multicast snooping is not enabled\non the VLAN. As a result, the port will remain in the per-VLAN router\nport list even after it is no longer member in the VLAN. This will lead\nto a use-after-free [2] when the list is traversed (when adding a new\nport to the list, for example):\n\n # ip link add name dummy2 up master br1 type dummy\n # bridge vlan add vid 2 dev dummy2\n # bridge vlan del vid 2 dev dummy1\n # bridge vlan set vid 2 dev dummy2 mcast_router 2\n\nFix these issues by removing the port from the relevant (global or\nper-VLAN) router port list in br_multicast_port_ctx_deinit(). The\nfunction is invoked during port deletion with the per-port multicast\ncontext and during VLAN deletion with the per-{port, VLAN} multicast\ncontext.\n\nNote that deleting the multicast router timer is not enough as it only\ntakes care of the temporary multicast router states (1 or 3) and not the\npermanent one (2).\n\n[1]\nBUG: KASAN: slab-out-of-bounds in br_multicast_add_router.part.0+0x3f1/0x560\nWrite of size 8 at addr ffff888004a67328 by task ip/384\n[...]\nCall Trace:\n \u003cTASK\u003e\n dump_stack\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-30T15:35:32.070Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4d3c2a1d4c7c33103f1ddfdbc5cfe1ea4f6d0dcd"
},
{
"url": "https://git.kernel.org/stable/c/bdced577da71b118b6ed4242ebd47f81bf54d406"
},
{
"url": "https://git.kernel.org/stable/c/f05a4f9e959e0fc098046044c650acf897ea52d2"
},
{
"url": "https://git.kernel.org/stable/c/7544f3f5b0b58c396f374d060898b5939da31709"
}
],
"title": "bridge: mcast: Fix use-after-free during router port configuration",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38248",
"datePublished": "2025-07-09T10:42:29.133Z",
"dateReserved": "2025-04-16T04:51:23.997Z",
"dateUpdated": "2026-01-30T15:35:32.070Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39937 (GCVE-0-2025-39937)
Vulnerability from cvelistv5
Published
2025-10-04 07:31
Modified
2025-10-04 07:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: rfkill: gpio: Fix crash due to dereferencering uninitialized pointer
Since commit 7d5e9737efda ("net: rfkill: gpio: get the name and type from
device property") rfkill_find_type() gets called with the possibly
uninitialized "const char *type_name;" local variable.
On x86 systems when rfkill-gpio binds to a "BCM4752" or "LNV4752"
acpi_device, the rfkill->type is set based on the ACPI acpi_device_id:
rfkill->type = (unsigned)id->driver_data;
and there is no "type" property so device_property_read_string() will fail
and leave type_name uninitialized, leading to a potential crash.
rfkill_find_type() does accept a NULL pointer, fix the potential crash
by initializing type_name to NULL.
Note likely sofar this has not been caught because:
1. Not many x86 machines actually have a "BCM4752"/"LNV4752" acpi_device
2. The stack happened to contain NULL where type_name is stored
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 7d5e9737efda16535e5b54bd627ef4881d11d31f Version: 7d5e9737efda16535e5b54bd627ef4881d11d31f Version: 7d5e9737efda16535e5b54bd627ef4881d11d31f Version: 7d5e9737efda16535e5b54bd627ef4881d11d31f Version: 7d5e9737efda16535e5b54bd627ef4881d11d31f Version: 7d5e9737efda16535e5b54bd627ef4881d11d31f Version: 7d5e9737efda16535e5b54bd627ef4881d11d31f Version: 7d5e9737efda16535e5b54bd627ef4881d11d31f |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/rfkill/rfkill-gpio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "184f608a68f96794e8fe58cd5535014d53622cde",
"status": "affected",
"version": "7d5e9737efda16535e5b54bd627ef4881d11d31f",
"versionType": "git"
},
{
"lessThan": "8793e7a8e1b60131a825457174ed6398111daeb7",
"status": "affected",
"version": "7d5e9737efda16535e5b54bd627ef4881d11d31f",
"versionType": "git"
},
{
"lessThan": "ada2282259243387e6b6e89239aeb4897e62f051",
"status": "affected",
"version": "7d5e9737efda16535e5b54bd627ef4881d11d31f",
"versionType": "git"
},
{
"lessThan": "47ade5f9d70b23a119ec20b1c6504864b2543a79",
"status": "affected",
"version": "7d5e9737efda16535e5b54bd627ef4881d11d31f",
"versionType": "git"
},
{
"lessThan": "689aee35ce671aab752f159e5c8e66d7685e6887",
"status": "affected",
"version": "7d5e9737efda16535e5b54bd627ef4881d11d31f",
"versionType": "git"
},
{
"lessThan": "21ba85d9d508422ca9e6698463ff9357c928c22d",
"status": "affected",
"version": "7d5e9737efda16535e5b54bd627ef4881d11d31f",
"versionType": "git"
},
{
"lessThan": "21a39b958b4bcf44f7674bfbbe1bbb8cad0d842d",
"status": "affected",
"version": "7d5e9737efda16535e5b54bd627ef4881d11d31f",
"versionType": "git"
},
{
"lessThan": "b6f56a44e4c1014b08859dcf04ed246500e310e5",
"status": "affected",
"version": "7d5e9737efda16535e5b54bd627ef4881d11d31f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/rfkill/rfkill-gpio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.6"
},
{
"lessThan": "4.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.154",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.108",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.154",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.108",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.49",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.9",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rfkill: gpio: Fix crash due to dereferencering uninitialized pointer\n\nSince commit 7d5e9737efda (\"net: rfkill: gpio: get the name and type from\ndevice property\") rfkill_find_type() gets called with the possibly\nuninitialized \"const char *type_name;\" local variable.\n\nOn x86 systems when rfkill-gpio binds to a \"BCM4752\" or \"LNV4752\"\nacpi_device, the rfkill-\u003etype is set based on the ACPI acpi_device_id:\n\n rfkill-\u003etype = (unsigned)id-\u003edriver_data;\n\nand there is no \"type\" property so device_property_read_string() will fail\nand leave type_name uninitialized, leading to a potential crash.\n\nrfkill_find_type() does accept a NULL pointer, fix the potential crash\nby initializing type_name to NULL.\n\nNote likely sofar this has not been caught because:\n\n1. Not many x86 machines actually have a \"BCM4752\"/\"LNV4752\" acpi_device\n2. The stack happened to contain NULL where type_name is stored"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T07:37:01.924Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/184f608a68f96794e8fe58cd5535014d53622cde"
},
{
"url": "https://git.kernel.org/stable/c/8793e7a8e1b60131a825457174ed6398111daeb7"
},
{
"url": "https://git.kernel.org/stable/c/ada2282259243387e6b6e89239aeb4897e62f051"
},
{
"url": "https://git.kernel.org/stable/c/47ade5f9d70b23a119ec20b1c6504864b2543a79"
},
{
"url": "https://git.kernel.org/stable/c/689aee35ce671aab752f159e5c8e66d7685e6887"
},
{
"url": "https://git.kernel.org/stable/c/21ba85d9d508422ca9e6698463ff9357c928c22d"
},
{
"url": "https://git.kernel.org/stable/c/21a39b958b4bcf44f7674bfbbe1bbb8cad0d842d"
},
{
"url": "https://git.kernel.org/stable/c/b6f56a44e4c1014b08859dcf04ed246500e310e5"
}
],
"title": "net: rfkill: gpio: Fix crash due to dereferencering uninitialized pointer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39937",
"datePublished": "2025-10-04T07:31:00.879Z",
"dateReserved": "2025-04-16T07:20:57.148Z",
"dateUpdated": "2025-10-04T07:37:01.924Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40116 (GCVE-0-2025-40116)
Vulnerability from cvelistv5
Published
2025-11-12 10:23
Modified
2025-12-01 06:18
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: host: max3421-hcd: Fix error pointer dereference in probe cleanup
The kthread_run() function returns error pointers so the
max3421_hcd->spi_thread pointer can be either error pointers or NULL.
Check for both before dereferencing it.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 05dfa5c9bc37933181b619e42ec0eeb41ef31362 Version: 05dfa5c9bc37933181b619e42ec0eeb41ef31362 Version: 05dfa5c9bc37933181b619e42ec0eeb41ef31362 Version: 05dfa5c9bc37933181b619e42ec0eeb41ef31362 Version: 05dfa5c9bc37933181b619e42ec0eeb41ef31362 Version: 05dfa5c9bc37933181b619e42ec0eeb41ef31362 Version: 05dfa5c9bc37933181b619e42ec0eeb41ef31362 Version: 05dfa5c9bc37933181b619e42ec0eeb41ef31362 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/host/max3421-hcd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "89838fe5c6c010ff8d3924f22afd9c18c5c95310",
"status": "affected",
"version": "05dfa5c9bc37933181b619e42ec0eeb41ef31362",
"versionType": "git"
},
{
"lessThan": "3facf69a735e730ae36387f18780fe420708aa91",
"status": "affected",
"version": "05dfa5c9bc37933181b619e42ec0eeb41ef31362",
"versionType": "git"
},
{
"lessThan": "e0e0ce06f3571be9b26790e4df56ba37b1de8543",
"status": "affected",
"version": "05dfa5c9bc37933181b619e42ec0eeb41ef31362",
"versionType": "git"
},
{
"lessThan": "3723c3dda1cc82c9bbca08fcbd46705a361bfd56",
"status": "affected",
"version": "05dfa5c9bc37933181b619e42ec0eeb41ef31362",
"versionType": "git"
},
{
"lessThan": "b0439e3762ac9ea580f714e1504a1827d1ad32f5",
"status": "affected",
"version": "05dfa5c9bc37933181b619e42ec0eeb41ef31362",
"versionType": "git"
},
{
"lessThan": "e68ea6de1d0551f90d7a2c75f82cb3ebe5e397dc",
"status": "affected",
"version": "05dfa5c9bc37933181b619e42ec0eeb41ef31362",
"versionType": "git"
},
{
"lessThan": "b682ce44bf20ada752a2f6ce70d5a575c56f6a35",
"status": "affected",
"version": "05dfa5c9bc37933181b619e42ec0eeb41ef31362",
"versionType": "git"
},
{
"lessThan": "186e8f2bdba551f3ae23396caccd452d985c23e3",
"status": "affected",
"version": "05dfa5c9bc37933181b619e42ec0eeb41ef31362",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/host/max3421-hcd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.16"
},
{
"lessThan": "3.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: host: max3421-hcd: Fix error pointer dereference in probe cleanup\n\nThe kthread_run() function returns error pointers so the\nmax3421_hcd-\u003espi_thread pointer can be either error pointers or NULL.\nCheck for both before dereferencing it."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:18:19.659Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/89838fe5c6c010ff8d3924f22afd9c18c5c95310"
},
{
"url": "https://git.kernel.org/stable/c/3facf69a735e730ae36387f18780fe420708aa91"
},
{
"url": "https://git.kernel.org/stable/c/e0e0ce06f3571be9b26790e4df56ba37b1de8543"
},
{
"url": "https://git.kernel.org/stable/c/3723c3dda1cc82c9bbca08fcbd46705a361bfd56"
},
{
"url": "https://git.kernel.org/stable/c/b0439e3762ac9ea580f714e1504a1827d1ad32f5"
},
{
"url": "https://git.kernel.org/stable/c/e68ea6de1d0551f90d7a2c75f82cb3ebe5e397dc"
},
{
"url": "https://git.kernel.org/stable/c/b682ce44bf20ada752a2f6ce70d5a575c56f6a35"
},
{
"url": "https://git.kernel.org/stable/c/186e8f2bdba551f3ae23396caccd452d985c23e3"
}
],
"title": "usb: host: max3421-hcd: Fix error pointer dereference in probe cleanup",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40116",
"datePublished": "2025-11-12T10:23:17.569Z",
"dateReserved": "2025-04-16T07:20:57.168Z",
"dateUpdated": "2025-12-01T06:18:19.659Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71096 (GCVE-0-2025-71096)
Vulnerability from cvelistv5
Published
2026-01-13 15:34
Modified
2026-02-09 08:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly
The netlink response for RDMA_NL_LS_OP_IP_RESOLVE should always have a
LS_NLA_TYPE_DGID attribute, it is invalid if it does not.
Use the nl parsing logic properly and call nla_parse_deprecated() to fill
the nlattrs array and then directly index that array to get the data for
the DGID. Just fail if it is NULL.
Remove the for loop searching for the nla, and squash the validation and
parsing into one function.
Fixes an uninitialized read from the stack triggered by userspace if it
does not provide the DGID to a kernel initiated RDMA_NL_LS_OP_IP_RESOLVE
query.
BUG: KMSAN: uninit-value in hex_byte_pack include/linux/hex.h:13 [inline]
BUG: KMSAN: uninit-value in ip6_string+0xef4/0x13a0 lib/vsprintf.c:1490
hex_byte_pack include/linux/hex.h:13 [inline]
ip6_string+0xef4/0x13a0 lib/vsprintf.c:1490
ip6_addr_string+0x18a/0x3e0 lib/vsprintf.c:1509
ip_addr_string+0x245/0xee0 lib/vsprintf.c:1633
pointer+0xc09/0x1bd0 lib/vsprintf.c:2542
vsnprintf+0xf8a/0x1bd0 lib/vsprintf.c:2930
vprintk_store+0x3ae/0x1530 kernel/printk/printk.c:2279
vprintk_emit+0x307/0xcd0 kernel/printk/printk.c:2426
vprintk_default+0x3f/0x50 kernel/printk/printk.c:2465
vprintk+0x36/0x50 kernel/printk/printk_safe.c:82
_printk+0x17e/0x1b0 kernel/printk/printk.c:2475
ib_nl_process_good_ip_rsep drivers/infiniband/core/addr.c:128 [inline]
ib_nl_handle_ip_res_resp+0x963/0x9d0 drivers/infiniband/core/addr.c:141
rdma_nl_rcv_msg drivers/infiniband/core/netlink.c:-1 [inline]
rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline]
rdma_nl_rcv+0xefa/0x11c0 drivers/infiniband/core/netlink.c:259
netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
netlink_unicast+0xf04/0x12b0 net/netlink/af_netlink.c:1346
netlink_sendmsg+0x10b3/0x1250 net/netlink/af_netlink.c:1896
sock_sendmsg_nosec net/socket.c:714 [inline]
__sock_sendmsg+0x333/0x3d0 net/socket.c:729
____sys_sendmsg+0x7e0/0xd80 net/socket.c:2617
___sys_sendmsg+0x271/0x3b0 net/socket.c:2671
__sys_sendmsg+0x1aa/0x300 net/socket.c:2703
__compat_sys_sendmsg net/compat.c:346 [inline]
__do_compat_sys_sendmsg net/compat.c:353 [inline]
__se_compat_sys_sendmsg net/compat.c:350 [inline]
__ia32_compat_sys_sendmsg+0xa4/0x100 net/compat.c:350
ia32_sys_call+0x3f6c/0x4310 arch/x86/include/generated/asm/syscalls_32.h:371
do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
__do_fast_syscall_32+0xb0/0x150 arch/x86/entry/syscall_32.c:306
do_fast_syscall_32+0x38/0x80 arch/x86/entry/syscall_32.c:331
do_SYSENTER_32+0x1f/0x30 arch/x86/entry/syscall_32.c:3
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: ae43f8286730d1f2d241c34601df59f6d2286ac4 Version: ae43f8286730d1f2d241c34601df59f6d2286ac4 Version: ae43f8286730d1f2d241c34601df59f6d2286ac4 Version: ae43f8286730d1f2d241c34601df59f6d2286ac4 Version: ae43f8286730d1f2d241c34601df59f6d2286ac4 Version: ae43f8286730d1f2d241c34601df59f6d2286ac4 Version: ae43f8286730d1f2d241c34601df59f6d2286ac4 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/addr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "376f46c8983458ead26cac83aa897a0b78491831",
"status": "affected",
"version": "ae43f8286730d1f2d241c34601df59f6d2286ac4",
"versionType": "git"
},
{
"lessThan": "bfe10318fc23e0b3f1d0a18dad387d29473a624d",
"status": "affected",
"version": "ae43f8286730d1f2d241c34601df59f6d2286ac4",
"versionType": "git"
},
{
"lessThan": "45532638de5da24c201aa2a9b3dd4b054064de7b",
"status": "affected",
"version": "ae43f8286730d1f2d241c34601df59f6d2286ac4",
"versionType": "git"
},
{
"lessThan": "9d85524789c2f17c0e87de8d596bcccc3683a1fc",
"status": "affected",
"version": "ae43f8286730d1f2d241c34601df59f6d2286ac4",
"versionType": "git"
},
{
"lessThan": "acadd4097d25d6bd472bcb3f9f3eba2b5105d1ec",
"status": "affected",
"version": "ae43f8286730d1f2d241c34601df59f6d2286ac4",
"versionType": "git"
},
{
"lessThan": "0b948afc1ded88b3562c893114387f34389eeb94",
"status": "affected",
"version": "ae43f8286730d1f2d241c34601df59f6d2286ac4",
"versionType": "git"
},
{
"lessThan": "a7b8e876e0ef0232b8076972c57ce9a7286b47ca",
"status": "affected",
"version": "ae43f8286730d1f2d241c34601df59f6d2286ac4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/addr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.7"
},
{
"lessThan": "4.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly\n\nThe netlink response for RDMA_NL_LS_OP_IP_RESOLVE should always have a\nLS_NLA_TYPE_DGID attribute, it is invalid if it does not.\n\nUse the nl parsing logic properly and call nla_parse_deprecated() to fill\nthe nlattrs array and then directly index that array to get the data for\nthe DGID. Just fail if it is NULL.\n\nRemove the for loop searching for the nla, and squash the validation and\nparsing into one function.\n\nFixes an uninitialized read from the stack triggered by userspace if it\ndoes not provide the DGID to a kernel initiated RDMA_NL_LS_OP_IP_RESOLVE\nquery.\n\n BUG: KMSAN: uninit-value in hex_byte_pack include/linux/hex.h:13 [inline]\n BUG: KMSAN: uninit-value in ip6_string+0xef4/0x13a0 lib/vsprintf.c:1490\n hex_byte_pack include/linux/hex.h:13 [inline]\n ip6_string+0xef4/0x13a0 lib/vsprintf.c:1490\n ip6_addr_string+0x18a/0x3e0 lib/vsprintf.c:1509\n ip_addr_string+0x245/0xee0 lib/vsprintf.c:1633\n pointer+0xc09/0x1bd0 lib/vsprintf.c:2542\n vsnprintf+0xf8a/0x1bd0 lib/vsprintf.c:2930\n vprintk_store+0x3ae/0x1530 kernel/printk/printk.c:2279\n vprintk_emit+0x307/0xcd0 kernel/printk/printk.c:2426\n vprintk_default+0x3f/0x50 kernel/printk/printk.c:2465\n vprintk+0x36/0x50 kernel/printk/printk_safe.c:82\n _printk+0x17e/0x1b0 kernel/printk/printk.c:2475\n ib_nl_process_good_ip_rsep drivers/infiniband/core/addr.c:128 [inline]\n ib_nl_handle_ip_res_resp+0x963/0x9d0 drivers/infiniband/core/addr.c:141\n rdma_nl_rcv_msg drivers/infiniband/core/netlink.c:-1 [inline]\n rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline]\n rdma_nl_rcv+0xefa/0x11c0 drivers/infiniband/core/netlink.c:259\n netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]\n netlink_unicast+0xf04/0x12b0 net/netlink/af_netlink.c:1346\n netlink_sendmsg+0x10b3/0x1250 net/netlink/af_netlink.c:1896\n sock_sendmsg_nosec net/socket.c:714 [inline]\n __sock_sendmsg+0x333/0x3d0 net/socket.c:729\n ____sys_sendmsg+0x7e0/0xd80 net/socket.c:2617\n ___sys_sendmsg+0x271/0x3b0 net/socket.c:2671\n __sys_sendmsg+0x1aa/0x300 net/socket.c:2703\n __compat_sys_sendmsg net/compat.c:346 [inline]\n __do_compat_sys_sendmsg net/compat.c:353 [inline]\n __se_compat_sys_sendmsg net/compat.c:350 [inline]\n __ia32_compat_sys_sendmsg+0xa4/0x100 net/compat.c:350\n ia32_sys_call+0x3f6c/0x4310 arch/x86/include/generated/asm/syscalls_32.h:371\n do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]\n __do_fast_syscall_32+0xb0/0x150 arch/x86/entry/syscall_32.c:306\n do_fast_syscall_32+0x38/0x80 arch/x86/entry/syscall_32.c:331\n do_SYSENTER_32+0x1f/0x30 arch/x86/entry/syscall_32.c:3"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:48.888Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/376f46c8983458ead26cac83aa897a0b78491831"
},
{
"url": "https://git.kernel.org/stable/c/bfe10318fc23e0b3f1d0a18dad387d29473a624d"
},
{
"url": "https://git.kernel.org/stable/c/45532638de5da24c201aa2a9b3dd4b054064de7b"
},
{
"url": "https://git.kernel.org/stable/c/9d85524789c2f17c0e87de8d596bcccc3683a1fc"
},
{
"url": "https://git.kernel.org/stable/c/acadd4097d25d6bd472bcb3f9f3eba2b5105d1ec"
},
{
"url": "https://git.kernel.org/stable/c/0b948afc1ded88b3562c893114387f34389eeb94"
},
{
"url": "https://git.kernel.org/stable/c/a7b8e876e0ef0232b8076972c57ce9a7286b47ca"
}
],
"title": "RDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71096",
"datePublished": "2026-01-13T15:34:56.118Z",
"dateReserved": "2026-01-13T15:30:19.650Z",
"dateUpdated": "2026-02-09T08:34:48.888Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40283 (GCVE-0-2025-40283)
Vulnerability from cvelistv5
Published
2025-12-06 21:51
Modified
2025-12-06 21:51
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF
There is a KASAN: slab-use-after-free read in btusb_disconnect().
Calling "usb_driver_release_interface(&btusb_driver, data->intf)" will
free the btusb data associated with the interface. The same data is
then used later in the function, hence the UAF.
Fix by moving the accesses to btusb data to before the data is free'd.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: fd913ef7ce619467c6b0644af48ba1fec499c623 Version: fd913ef7ce619467c6b0644af48ba1fec499c623 Version: fd913ef7ce619467c6b0644af48ba1fec499c623 Version: fd913ef7ce619467c6b0644af48ba1fec499c623 Version: fd913ef7ce619467c6b0644af48ba1fec499c623 Version: fd913ef7ce619467c6b0644af48ba1fec499c623 Version: fd913ef7ce619467c6b0644af48ba1fec499c623 Version: fd913ef7ce619467c6b0644af48ba1fec499c623 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/btusb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "297dbf87989e09af98f81f2bcb938041785557e8",
"status": "affected",
"version": "fd913ef7ce619467c6b0644af48ba1fec499c623",
"versionType": "git"
},
{
"lessThan": "f858f004bc343a7ae9f2533bbb2a3ab27428532f",
"status": "affected",
"version": "fd913ef7ce619467c6b0644af48ba1fec499c623",
"versionType": "git"
},
{
"lessThan": "7a6d1e740220ff9dfcb6a8c994d6ba49e76db198",
"status": "affected",
"version": "fd913ef7ce619467c6b0644af48ba1fec499c623",
"versionType": "git"
},
{
"lessThan": "5dc00065a0496c36694afe11e52a5bc64524a9b8",
"status": "affected",
"version": "fd913ef7ce619467c6b0644af48ba1fec499c623",
"versionType": "git"
},
{
"lessThan": "1c28c1e1522c773a94e26950ffb145e88cd9834b",
"status": "affected",
"version": "fd913ef7ce619467c6b0644af48ba1fec499c623",
"versionType": "git"
},
{
"lessThan": "95b9b98c93b1c0916a3d4cf4540b7f5d69145a0d",
"status": "affected",
"version": "fd913ef7ce619467c6b0644af48ba1fec499c623",
"versionType": "git"
},
{
"lessThan": "a2610ecd9fd5708be8997ca8f033e4200c0bb6af",
"status": "affected",
"version": "fd913ef7ce619467c6b0644af48ba1fec499c623",
"versionType": "git"
},
{
"lessThan": "23d22f2f71768034d6ef86168213843fc49bf550",
"status": "affected",
"version": "fd913ef7ce619467c6b0644af48ba1fec499c623",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/btusb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.11"
},
{
"lessThan": "4.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF\n\nThere is a KASAN: slab-use-after-free read in btusb_disconnect().\nCalling \"usb_driver_release_interface(\u0026btusb_driver, data-\u003eintf)\" will\nfree the btusb data associated with the interface. The same data is\nthen used later in the function, hence the UAF.\n\nFix by moving the accesses to btusb data to before the data is free\u0027d."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T21:51:07.409Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/297dbf87989e09af98f81f2bcb938041785557e8"
},
{
"url": "https://git.kernel.org/stable/c/f858f004bc343a7ae9f2533bbb2a3ab27428532f"
},
{
"url": "https://git.kernel.org/stable/c/7a6d1e740220ff9dfcb6a8c994d6ba49e76db198"
},
{
"url": "https://git.kernel.org/stable/c/5dc00065a0496c36694afe11e52a5bc64524a9b8"
},
{
"url": "https://git.kernel.org/stable/c/1c28c1e1522c773a94e26950ffb145e88cd9834b"
},
{
"url": "https://git.kernel.org/stable/c/95b9b98c93b1c0916a3d4cf4540b7f5d69145a0d"
},
{
"url": "https://git.kernel.org/stable/c/a2610ecd9fd5708be8997ca8f033e4200c0bb6af"
},
{
"url": "https://git.kernel.org/stable/c/23d22f2f71768034d6ef86168213843fc49bf550"
}
],
"title": "Bluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40283",
"datePublished": "2025-12-06T21:51:07.409Z",
"dateReserved": "2025-04-16T07:20:57.184Z",
"dateUpdated": "2025-12-06T21:51:07.409Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23087 (GCVE-0-2026-23087)
Vulnerability from cvelistv5
Published
2026-02-04 16:08
Modified
2026-02-09 08:38
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: xen: scsiback: Fix potential memory leak in scsiback_remove()
Memory allocated for struct vscsiblk_info in scsiback_probe() is not
freed in scsiback_remove() leading to potential memory leaks on remove,
as well as in the scsiback_probe() error paths. Fix that by freeing it
in scsiback_remove().
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: d9d660f6e562a47b4065eeb7e538910b0471b988 Version: d9d660f6e562a47b4065eeb7e538910b0471b988 Version: d9d660f6e562a47b4065eeb7e538910b0471b988 Version: d9d660f6e562a47b4065eeb7e538910b0471b988 Version: d9d660f6e562a47b4065eeb7e538910b0471b988 Version: d9d660f6e562a47b4065eeb7e538910b0471b988 Version: d9d660f6e562a47b4065eeb7e538910b0471b988 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/xen/xen-scsiback.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a8bb3ec8d85951a56af0a72d93ccbc2aee42eef9",
"status": "affected",
"version": "d9d660f6e562a47b4065eeb7e538910b0471b988",
"versionType": "git"
},
{
"lessThan": "427b0fb30ddec3bad05dcd73b00718f98c7026d2",
"status": "affected",
"version": "d9d660f6e562a47b4065eeb7e538910b0471b988",
"versionType": "git"
},
{
"lessThan": "4a975c72429b050c234405668b742cdecc11548e",
"status": "affected",
"version": "d9d660f6e562a47b4065eeb7e538910b0471b988",
"versionType": "git"
},
{
"lessThan": "f86264ec0e2b102fcd49bf3e4f32fee669d482fc",
"status": "affected",
"version": "d9d660f6e562a47b4065eeb7e538910b0471b988",
"versionType": "git"
},
{
"lessThan": "32e52b56056daf0f0881fd9254706acf25b4be97",
"status": "affected",
"version": "d9d660f6e562a47b4065eeb7e538910b0471b988",
"versionType": "git"
},
{
"lessThan": "24c441f0e24da175d7912095663f526ac480dc4f",
"status": "affected",
"version": "d9d660f6e562a47b4065eeb7e538910b0471b988",
"versionType": "git"
},
{
"lessThan": "901a5f309daba412e2a30364d7ec1492fa11c32c",
"status": "affected",
"version": "d9d660f6e562a47b4065eeb7e538910b0471b988",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/xen/xen-scsiback.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.18"
},
{
"lessThan": "3.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: xen: scsiback: Fix potential memory leak in scsiback_remove()\n\nMemory allocated for struct vscsiblk_info in scsiback_probe() is not\nfreed in scsiback_remove() leading to potential memory leaks on remove,\nas well as in the scsiback_probe() error paths. Fix that by freeing it\nin scsiback_remove()."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:38:27.269Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a8bb3ec8d85951a56af0a72d93ccbc2aee42eef9"
},
{
"url": "https://git.kernel.org/stable/c/427b0fb30ddec3bad05dcd73b00718f98c7026d2"
},
{
"url": "https://git.kernel.org/stable/c/4a975c72429b050c234405668b742cdecc11548e"
},
{
"url": "https://git.kernel.org/stable/c/f86264ec0e2b102fcd49bf3e4f32fee669d482fc"
},
{
"url": "https://git.kernel.org/stable/c/32e52b56056daf0f0881fd9254706acf25b4be97"
},
{
"url": "https://git.kernel.org/stable/c/24c441f0e24da175d7912095663f526ac480dc4f"
},
{
"url": "https://git.kernel.org/stable/c/901a5f309daba412e2a30364d7ec1492fa11c32c"
}
],
"title": "scsi: xen: scsiback: Fix potential memory leak in scsiback_remove()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23087",
"datePublished": "2026-02-04T16:08:10.941Z",
"dateReserved": "2026-01-13T15:37:45.961Z",
"dateUpdated": "2026-02-09T08:38:27.269Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23128 (GCVE-0-2026-23128)
Vulnerability from cvelistv5
Published
2026-02-14 15:09
Modified
2026-02-16 08:58
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
arm64: Set __nocfi on swsusp_arch_resume()
A DABT is reported[1] on an android based system when resume from hiberate.
This happens because swsusp_arch_suspend_exit() is marked with SYM_CODE_*()
and does not have a CFI hash, but swsusp_arch_resume() will attempt to
verify the CFI hash when calling a copy of swsusp_arch_suspend_exit().
Given that there's an existing requirement that the entrypoint to
swsusp_arch_suspend_exit() is the first byte of the .hibernate_exit.text
section, we cannot fix this by marking swsusp_arch_suspend_exit() with
SYM_FUNC_*(). The simplest fix for now is to disable the CFI check in
swsusp_arch_resume().
Mark swsusp_arch_resume() as __nocfi to disable the CFI check.
[1]
[ 22.991934][ T1] Unable to handle kernel paging request at virtual address 0000000109170ffc
[ 22.991934][ T1] Mem abort info:
[ 22.991934][ T1] ESR = 0x0000000096000007
[ 22.991934][ T1] EC = 0x25: DABT (current EL), IL = 32 bits
[ 22.991934][ T1] SET = 0, FnV = 0
[ 22.991934][ T1] EA = 0, S1PTW = 0
[ 22.991934][ T1] FSC = 0x07: level 3 translation fault
[ 22.991934][ T1] Data abort info:
[ 22.991934][ T1] ISV = 0, ISS = 0x00000007, ISS2 = 0x00000000
[ 22.991934][ T1] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 22.991934][ T1] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 22.991934][ T1] [0000000109170ffc] user address but active_mm is swapper
[ 22.991934][ T1] Internal error: Oops: 0000000096000007 [#1] PREEMPT SMP
[ 22.991934][ T1] Dumping ftrace buffer:
[ 22.991934][ T1] (ftrace buffer empty)
[ 22.991934][ T1] Modules linked in:
[ 22.991934][ T1] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.6.98-android15-8-g0b1d2aee7fc3-dirty-4k #1 688c7060a825a3ac418fe53881730b355915a419
[ 22.991934][ T1] Hardware name: Unisoc UMS9360-base Board (DT)
[ 22.991934][ T1] pstate: 804000c5 (Nzcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 22.991934][ T1] pc : swsusp_arch_resume+0x2ac/0x344
[ 22.991934][ T1] lr : swsusp_arch_resume+0x294/0x344
[ 22.991934][ T1] sp : ffffffc08006b960
[ 22.991934][ T1] x29: ffffffc08006b9c0 x28: 0000000000000000 x27: 0000000000000000
[ 22.991934][ T1] x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000820
[ 22.991934][ T1] x23: ffffffd0817e3000 x22: ffffffd0817e3000 x21: 0000000000000000
[ 22.991934][ T1] x20: ffffff8089171000 x19: ffffffd08252c8c8 x18: ffffffc080061058
[ 22.991934][ T1] x17: 00000000529c6ef0 x16: 00000000529c6ef0 x15: 0000000000000004
[ 22.991934][ T1] x14: ffffff8178c88000 x13: 0000000000000006 x12: 0000000000000000
[ 22.991934][ T1] x11: 0000000000000015 x10: 0000000000000001 x9 : ffffffd082533000
[ 22.991934][ T1] x8 : 0000000109171000 x7 : 205b5d3433393139 x6 : 392e32322020205b
[ 22.991934][ T1] x5 : 000000010916f000 x4 : 000000008164b000 x3 : ffffff808a4e0530
[ 22.991934][ T1] x2 : ffffffd08058e784 x1 : 0000000082326000 x0 : 000000010a283000
[ 22.991934][ T1] Call trace:
[ 22.991934][ T1] swsusp_arch_resume+0x2ac/0x344
[ 22.991934][ T1] hibernation_restore+0x158/0x18c
[ 22.991934][ T1] load_image_and_restore+0xb0/0xec
[ 22.991934][ T1] software_resume+0xf4/0x19c
[ 22.991934][ T1] software_resume_initcall+0x34/0x78
[ 22.991934][ T1] do_one_initcall+0xe8/0x370
[ 22.991934][ T1] do_initcall_level+0xc8/0x19c
[ 22.991934][ T1] do_initcalls+0x70/0xc0
[ 22.991934][ T1] do_basic_setup+0x1c/0x28
[ 22.991934][ T1] kernel_init_freeable+0xe0/0x148
[ 22.991934][ T1] kernel_init+0x20/0x1a8
[ 22.991934][ T1] ret_from_fork+0x10/0x20
[ 22.991934][ T1] Code: a9400a61 f94013e0 f9438923 f9400a64 (b85fc110)
[catalin.marinas@arm.com: commit log updated by Mark Rutland]
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm64/kernel/hibernate.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "122b7cb80f7d468fcc2d18cf7eb320f09f310a96",
"status": "affected",
"version": "89245600941e4e0f87d77f60ee269b5e61ef4e49",
"versionType": "git"
},
{
"lessThan": "8557bdd9af8dd04911fba56ff92b17842b0b5c7f",
"status": "affected",
"version": "89245600941e4e0f87d77f60ee269b5e61ef4e49",
"versionType": "git"
},
{
"lessThan": "9773a886f26766a8db92d4b342b620a82c2de7dd",
"status": "affected",
"version": "89245600941e4e0f87d77f60ee269b5e61ef4e49",
"versionType": "git"
},
{
"lessThan": "6e32070d29d1a35d8f4b3c03babf6c0e5efd1d08",
"status": "affected",
"version": "89245600941e4e0f87d77f60ee269b5e61ef4e49",
"versionType": "git"
},
{
"lessThan": "e2f8216ca2d8e61a23cb6ec355616339667e0ba6",
"status": "affected",
"version": "89245600941e4e0f87d77f60ee269b5e61ef4e49",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm64/kernel/hibernate.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: Set __nocfi on swsusp_arch_resume()\n\nA DABT is reported[1] on an android based system when resume from hiberate.\nThis happens because swsusp_arch_suspend_exit() is marked with SYM_CODE_*()\nand does not have a CFI hash, but swsusp_arch_resume() will attempt to\nverify the CFI hash when calling a copy of swsusp_arch_suspend_exit().\n\nGiven that there\u0027s an existing requirement that the entrypoint to\nswsusp_arch_suspend_exit() is the first byte of the .hibernate_exit.text\nsection, we cannot fix this by marking swsusp_arch_suspend_exit() with\nSYM_FUNC_*(). The simplest fix for now is to disable the CFI check in\nswsusp_arch_resume().\n\nMark swsusp_arch_resume() as __nocfi to disable the CFI check.\n\n[1]\n[ 22.991934][ T1] Unable to handle kernel paging request at virtual address 0000000109170ffc\n[ 22.991934][ T1] Mem abort info:\n[ 22.991934][ T1] ESR = 0x0000000096000007\n[ 22.991934][ T1] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 22.991934][ T1] SET = 0, FnV = 0\n[ 22.991934][ T1] EA = 0, S1PTW = 0\n[ 22.991934][ T1] FSC = 0x07: level 3 translation fault\n[ 22.991934][ T1] Data abort info:\n[ 22.991934][ T1] ISV = 0, ISS = 0x00000007, ISS2 = 0x00000000\n[ 22.991934][ T1] CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[ 22.991934][ T1] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[ 22.991934][ T1] [0000000109170ffc] user address but active_mm is swapper\n[ 22.991934][ T1] Internal error: Oops: 0000000096000007 [#1] PREEMPT SMP\n[ 22.991934][ T1] Dumping ftrace buffer:\n[ 22.991934][ T1] (ftrace buffer empty)\n[ 22.991934][ T1] Modules linked in:\n[ 22.991934][ T1] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.6.98-android15-8-g0b1d2aee7fc3-dirty-4k #1 688c7060a825a3ac418fe53881730b355915a419\n[ 22.991934][ T1] Hardware name: Unisoc UMS9360-base Board (DT)\n[ 22.991934][ T1] pstate: 804000c5 (Nzcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 22.991934][ T1] pc : swsusp_arch_resume+0x2ac/0x344\n[ 22.991934][ T1] lr : swsusp_arch_resume+0x294/0x344\n[ 22.991934][ T1] sp : ffffffc08006b960\n[ 22.991934][ T1] x29: ffffffc08006b9c0 x28: 0000000000000000 x27: 0000000000000000\n[ 22.991934][ T1] x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000820\n[ 22.991934][ T1] x23: ffffffd0817e3000 x22: ffffffd0817e3000 x21: 0000000000000000\n[ 22.991934][ T1] x20: ffffff8089171000 x19: ffffffd08252c8c8 x18: ffffffc080061058\n[ 22.991934][ T1] x17: 00000000529c6ef0 x16: 00000000529c6ef0 x15: 0000000000000004\n[ 22.991934][ T1] x14: ffffff8178c88000 x13: 0000000000000006 x12: 0000000000000000\n[ 22.991934][ T1] x11: 0000000000000015 x10: 0000000000000001 x9 : ffffffd082533000\n[ 22.991934][ T1] x8 : 0000000109171000 x7 : 205b5d3433393139 x6 : 392e32322020205b\n[ 22.991934][ T1] x5 : 000000010916f000 x4 : 000000008164b000 x3 : ffffff808a4e0530\n[ 22.991934][ T1] x2 : ffffffd08058e784 x1 : 0000000082326000 x0 : 000000010a283000\n[ 22.991934][ T1] Call trace:\n[ 22.991934][ T1] swsusp_arch_resume+0x2ac/0x344\n[ 22.991934][ T1] hibernation_restore+0x158/0x18c\n[ 22.991934][ T1] load_image_and_restore+0xb0/0xec\n[ 22.991934][ T1] software_resume+0xf4/0x19c\n[ 22.991934][ T1] software_resume_initcall+0x34/0x78\n[ 22.991934][ T1] do_one_initcall+0xe8/0x370\n[ 22.991934][ T1] do_initcall_level+0xc8/0x19c\n[ 22.991934][ T1] do_initcalls+0x70/0xc0\n[ 22.991934][ T1] do_basic_setup+0x1c/0x28\n[ 22.991934][ T1] kernel_init_freeable+0xe0/0x148\n[ 22.991934][ T1] kernel_init+0x20/0x1a8\n[ 22.991934][ T1] ret_from_fork+0x10/0x20\n[ 22.991934][ T1] Code: a9400a61 f94013e0 f9438923 f9400a64 (b85fc110)\n\n[catalin.marinas@arm.com: commit log updated by Mark Rutland]"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-16T08:58:49.361Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/122b7cb80f7d468fcc2d18cf7eb320f09f310a96"
},
{
"url": "https://git.kernel.org/stable/c/8557bdd9af8dd04911fba56ff92b17842b0b5c7f"
},
{
"url": "https://git.kernel.org/stable/c/9773a886f26766a8db92d4b342b620a82c2de7dd"
},
{
"url": "https://git.kernel.org/stable/c/6e32070d29d1a35d8f4b3c03babf6c0e5efd1d08"
},
{
"url": "https://git.kernel.org/stable/c/e2f8216ca2d8e61a23cb6ec355616339667e0ba6"
}
],
"title": "arm64: Set __nocfi on swsusp_arch_resume()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23128",
"datePublished": "2026-02-14T15:09:56.916Z",
"dateReserved": "2026-01-13T15:37:45.970Z",
"dateUpdated": "2026-02-16T08:58:49.361Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23085 (GCVE-0-2026-23085)
Vulnerability from cvelistv5
Published
2026-02-04 16:08
Modified
2026-02-09 08:38
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
irqchip/gic-v3-its: Avoid truncating memory addresses
On 32-bit machines with CONFIG_ARM_LPAE, it is possible for lowmem
allocations to be backed by addresses physical memory above the 32-bit
address limit, as found while experimenting with larger VMSPLIT
configurations.
This caused the qemu virt model to crash in the GICv3 driver, which
allocates the 'itt' object using GFP_KERNEL. Since all memory below
the 4GB physical address limit is in ZONE_DMA in this configuration,
kmalloc() defaults to higher addresses for ZONE_NORMAL, and the
ITS driver stores the physical address in a 32-bit 'unsigned long'
variable.
Change the itt_addr variable to the correct phys_addr_t type instead,
along with all other variables in this driver that hold a physical
address.
The gicv5 driver correctly uses u64 variables, while all other irqchip
drivers don't call virt_to_phys or similar interfaces. It's expected that
other device drivers have similar issues, but fixing this one is
sufficient for booting a virtio based guest.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e Version: cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e Version: cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e Version: cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e Version: cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e Version: cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e Version: cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/irqchip/irq-gic-v3-its.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e332b3b69e5b3acf07204a4b185071bab15c2b88",
"status": "affected",
"version": "cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e",
"versionType": "git"
},
{
"lessThan": "e2f9c751f73a2d5bb62d94ab030aec118a811f27",
"status": "affected",
"version": "cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e",
"versionType": "git"
},
{
"lessThan": "85215d633983233809f7d4dad163b953331b8238",
"status": "affected",
"version": "cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e",
"versionType": "git"
},
{
"lessThan": "1b323391560354d8c515de8658b057a1daa82adb",
"status": "affected",
"version": "cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e",
"versionType": "git"
},
{
"lessThan": "084ba3b99f2dfd991ce7e84fb17117319ec3cd9f",
"status": "affected",
"version": "cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e",
"versionType": "git"
},
{
"lessThan": "03faa61eb4b9ca9aa09bd91d4c3773d8e7b1ac98",
"status": "affected",
"version": "cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e",
"versionType": "git"
},
{
"lessThan": "8d76a7d89c12d08382b66e2f21f20d0627d14859",
"status": "affected",
"version": "cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/irqchip/irq-gic-v3-its.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.19"
},
{
"lessThan": "3.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/gic-v3-its: Avoid truncating memory addresses\n\nOn 32-bit machines with CONFIG_ARM_LPAE, it is possible for lowmem\nallocations to be backed by addresses physical memory above the 32-bit\naddress limit, as found while experimenting with larger VMSPLIT\nconfigurations.\n\nThis caused the qemu virt model to crash in the GICv3 driver, which\nallocates the \u0027itt\u0027 object using GFP_KERNEL. Since all memory below\nthe 4GB physical address limit is in ZONE_DMA in this configuration,\nkmalloc() defaults to higher addresses for ZONE_NORMAL, and the\nITS driver stores the physical address in a 32-bit \u0027unsigned long\u0027\nvariable.\n\nChange the itt_addr variable to the correct phys_addr_t type instead,\nalong with all other variables in this driver that hold a physical\naddress.\n\nThe gicv5 driver correctly uses u64 variables, while all other irqchip\ndrivers don\u0027t call virt_to_phys or similar interfaces. It\u0027s expected that\nother device drivers have similar issues, but fixing this one is\nsufficient for booting a virtio based guest."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:38:25.150Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e332b3b69e5b3acf07204a4b185071bab15c2b88"
},
{
"url": "https://git.kernel.org/stable/c/e2f9c751f73a2d5bb62d94ab030aec118a811f27"
},
{
"url": "https://git.kernel.org/stable/c/85215d633983233809f7d4dad163b953331b8238"
},
{
"url": "https://git.kernel.org/stable/c/1b323391560354d8c515de8658b057a1daa82adb"
},
{
"url": "https://git.kernel.org/stable/c/084ba3b99f2dfd991ce7e84fb17117319ec3cd9f"
},
{
"url": "https://git.kernel.org/stable/c/03faa61eb4b9ca9aa09bd91d4c3773d8e7b1ac98"
},
{
"url": "https://git.kernel.org/stable/c/8d76a7d89c12d08382b66e2f21f20d0627d14859"
}
],
"title": "irqchip/gic-v3-its: Avoid truncating memory addresses",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23085",
"datePublished": "2026-02-04T16:08:09.368Z",
"dateReserved": "2026-01-13T15:37:45.961Z",
"dateUpdated": "2026-02-09T08:38:25.150Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53662 (GCVE-0-2023-53662)
Vulnerability from cvelistv5
Published
2025-10-07 15:21
Modified
2026-02-06 16:30
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix memory leaks in ext4_fname_{setup_filename,prepare_lookup}
If the filename casefolding fails, we'll be leaking memory from the
fscrypt_name struct, namely from the 'crypto_buf.name' member.
Make sure we free it in the error path on both ext4_fname_setup_filename()
and ext4_fname_prepare_lookup() functions.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/crypto.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "98fc9c2cc45cfcb56961a73de3ec69b474063fc0",
"status": "affected",
"version": "1ae98e295fa2577fb5e492200c58d10230e00e99",
"versionType": "git"
},
{
"lessThan": "1fb3f1bbfdb511034b0360dbeb0f6a8424ed2a5c",
"status": "affected",
"version": "1ae98e295fa2577fb5e492200c58d10230e00e99",
"versionType": "git"
},
{
"lessThan": "36daf050be3f6f067631dc52054de2d3b7cc849f",
"status": "affected",
"version": "1ae98e295fa2577fb5e492200c58d10230e00e99",
"versionType": "git"
},
{
"lessThan": "7ca4b085f430f3774c3838b3da569ceccd6a0177",
"status": "affected",
"version": "1ae98e295fa2577fb5e492200c58d10230e00e99",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/crypto.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.54",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.4",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix memory leaks in ext4_fname_{setup_filename,prepare_lookup}\n\nIf the filename casefolding fails, we\u0027ll be leaking memory from the\nfscrypt_name struct, namely from the \u0027crypto_buf.name\u0027 member.\n\nMake sure we free it in the error path on both ext4_fname_setup_filename()\nand ext4_fname_prepare_lookup() functions."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T16:30:45.715Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/98fc9c2cc45cfcb56961a73de3ec69b474063fc0"
},
{
"url": "https://git.kernel.org/stable/c/1fb3f1bbfdb511034b0360dbeb0f6a8424ed2a5c"
},
{
"url": "https://git.kernel.org/stable/c/36daf050be3f6f067631dc52054de2d3b7cc849f"
},
{
"url": "https://git.kernel.org/stable/c/7ca4b085f430f3774c3838b3da569ceccd6a0177"
}
],
"title": "ext4: fix memory leaks in ext4_fname_{setup_filename,prepare_lookup}",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53662",
"datePublished": "2025-10-07T15:21:21.703Z",
"dateReserved": "2025-10-07T15:16:59.662Z",
"dateUpdated": "2026-02-06T16:30:45.715Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68364 (GCVE-0-2025-68364)
Vulnerability from cvelistv5
Published
2025-12-24 10:32
Modified
2026-02-09 08:32
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ocfs2: relax BUG() to ocfs2_error() in __ocfs2_move_extent()
In '__ocfs2_move_extent()', relax 'BUG()' to 'ocfs2_error()' just
to avoid crashing the whole kernel due to a filesystem corruption.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 8f603e567aa7a243e68ca48b4f105b990851360f Version: 8f603e567aa7a243e68ca48b4f105b990851360f Version: 8f603e567aa7a243e68ca48b4f105b990851360f Version: 8f603e567aa7a243e68ca48b4f105b990851360f Version: 8f603e567aa7a243e68ca48b4f105b990851360f Version: 8f603e567aa7a243e68ca48b4f105b990851360f Version: 8f603e567aa7a243e68ca48b4f105b990851360f Version: 8f603e567aa7a243e68ca48b4f105b990851360f |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ocfs2/move_extents.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cb34a55f552960c74e26b3699c84745b96e3131a",
"status": "affected",
"version": "8f603e567aa7a243e68ca48b4f105b990851360f",
"versionType": "git"
},
{
"lessThan": "08b93c1c12c66989316883d733475c64d14de5d2",
"status": "affected",
"version": "8f603e567aa7a243e68ca48b4f105b990851360f",
"versionType": "git"
},
{
"lessThan": "1ad2f81a099b8df5f72bce0a3e9f531263a846b8",
"status": "affected",
"version": "8f603e567aa7a243e68ca48b4f105b990851360f",
"versionType": "git"
},
{
"lessThan": "bcb94288d95cfc52f4d7cead260f4db54c8c741a",
"status": "affected",
"version": "8f603e567aa7a243e68ca48b4f105b990851360f",
"versionType": "git"
},
{
"lessThan": "e5c2503696ec2e0dc7b2aee902dc859ccde39ddf",
"status": "affected",
"version": "8f603e567aa7a243e68ca48b4f105b990851360f",
"versionType": "git"
},
{
"lessThan": "7abbe41d22a06aae00fd46d29f59dd40a01e988f",
"status": "affected",
"version": "8f603e567aa7a243e68ca48b4f105b990851360f",
"versionType": "git"
},
{
"lessThan": "e5c52c320577cd405b251943ef77842dc6f303bf",
"status": "affected",
"version": "8f603e567aa7a243e68ca48b4f105b990851360f",
"versionType": "git"
},
{
"lessThan": "8a7d58845fae061c62b50bc5eeb9bae4a1dedc3d",
"status": "affected",
"version": "8f603e567aa7a243e68ca48b4f105b990851360f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ocfs2/move_extents.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.0"
},
{
"lessThan": "3.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: relax BUG() to ocfs2_error() in __ocfs2_move_extent()\n\nIn \u0027__ocfs2_move_extent()\u0027, relax \u0027BUG()\u0027 to \u0027ocfs2_error()\u0027 just\nto avoid crashing the whole kernel due to a filesystem corruption."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:32:00.295Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cb34a55f552960c74e26b3699c84745b96e3131a"
},
{
"url": "https://git.kernel.org/stable/c/08b93c1c12c66989316883d733475c64d14de5d2"
},
{
"url": "https://git.kernel.org/stable/c/1ad2f81a099b8df5f72bce0a3e9f531263a846b8"
},
{
"url": "https://git.kernel.org/stable/c/bcb94288d95cfc52f4d7cead260f4db54c8c741a"
},
{
"url": "https://git.kernel.org/stable/c/e5c2503696ec2e0dc7b2aee902dc859ccde39ddf"
},
{
"url": "https://git.kernel.org/stable/c/7abbe41d22a06aae00fd46d29f59dd40a01e988f"
},
{
"url": "https://git.kernel.org/stable/c/e5c52c320577cd405b251943ef77842dc6f303bf"
},
{
"url": "https://git.kernel.org/stable/c/8a7d58845fae061c62b50bc5eeb9bae4a1dedc3d"
}
],
"title": "ocfs2: relax BUG() to ocfs2_error() in __ocfs2_move_extent()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68364",
"datePublished": "2025-12-24T10:32:51.922Z",
"dateReserved": "2025-12-16T14:48:05.308Z",
"dateUpdated": "2026-02-09T08:32:00.295Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40345 (GCVE-0-2025-40345)
Vulnerability from cvelistv5
Published
2025-12-12 17:53
Modified
2026-01-02 15:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: storage: sddr55: Reject out-of-bound new_pba
Discovered by Atuin - Automated Vulnerability Discovery Engine.
new_pba comes from the status packet returned after each write.
A bogus device could report values beyond the block count derived
from info->capacity, letting the driver walk off the end of
pba_to_lba[] and corrupt heap memory.
Reject PBAs that exceed the computed block count and fail the
transfer so we avoid touching out-of-range mapping entries.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/storage/sddr55.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d00a6c04a502cd52425dbf35588732c652b16490",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "26e9b5da3231da7dc357b363883b5b7b51a64092",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "aa64e0e17e3a5991a25e6a46007770c629039869",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "04a8a6393f3f2f471e05eacca33282dd30b01432",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a20f1dd19d21dcb70140ea5a71b1f8cbe0c7e68f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5ebe8d479aaf4f41ac35e6955332304193c646f6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b59d4fda7e7d0aff1043a7f742487cb829f5aac1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/storage/sddr55.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: storage: sddr55: Reject out-of-bound new_pba\n\nDiscovered by Atuin - Automated Vulnerability Discovery Engine.\n\nnew_pba comes from the status packet returned after each write.\nA bogus device could report values beyond the block count derived\nfrom info-\u003ecapacity, letting the driver walk off the end of\npba_to_lba[] and corrupt heap memory.\n\nReject PBAs that exceed the computed block count and fail the\ntransfer so we avoid touching out-of-range mapping entries."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:43.244Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d00a6c04a502cd52425dbf35588732c652b16490"
},
{
"url": "https://git.kernel.org/stable/c/26e9b5da3231da7dc357b363883b5b7b51a64092"
},
{
"url": "https://git.kernel.org/stable/c/aa64e0e17e3a5991a25e6a46007770c629039869"
},
{
"url": "https://git.kernel.org/stable/c/04a8a6393f3f2f471e05eacca33282dd30b01432"
},
{
"url": "https://git.kernel.org/stable/c/a20f1dd19d21dcb70140ea5a71b1f8cbe0c7e68f"
},
{
"url": "https://git.kernel.org/stable/c/5ebe8d479aaf4f41ac35e6955332304193c646f6"
},
{
"url": "https://git.kernel.org/stable/c/b59d4fda7e7d0aff1043a7f742487cb829f5aac1"
}
],
"title": "usb: storage: sddr55: Reject out-of-bound new_pba",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40345",
"datePublished": "2025-12-12T17:53:06.853Z",
"dateReserved": "2025-04-16T07:20:57.187Z",
"dateUpdated": "2026-01-02T15:33:43.244Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71083 (GCVE-0-2025-71083)
Vulnerability from cvelistv5
Published
2026-01-13 15:34
Modified
2026-02-09 08:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/ttm: Avoid NULL pointer deref for evicted BOs
It is possible for a BO to exist that is not currently associated with a
resource, e.g. because it has been evicted.
When devcoredump tries to read the contents of all BOs for dumping, we need
to expect this as well -- in this case, ENODATA is recorded instead of the
buffer contents.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 09ac4fcb3f255e9225967c75f5893325c116cdbe Version: 09ac4fcb3f255e9225967c75f5893325c116cdbe Version: 09ac4fcb3f255e9225967c75f5893325c116cdbe Version: 09ac4fcb3f255e9225967c75f5893325c116cdbe Version: 09ac4fcb3f255e9225967c75f5893325c116cdbe Version: 09ac4fcb3f255e9225967c75f5893325c116cdbe |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/ttm/ttm_bo_vm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "47a85604a761005d255ae38115ee630cc6931756",
"status": "affected",
"version": "09ac4fcb3f255e9225967c75f5893325c116cdbe",
"versionType": "git"
},
{
"lessThan": "4b9944493c6d92d7b29cfd83aaf3deb842b8da79",
"status": "affected",
"version": "09ac4fcb3f255e9225967c75f5893325c116cdbe",
"versionType": "git"
},
{
"lessThan": "3d004f7341d4898889801ebb2ef61ffca610dd6f",
"status": "affected",
"version": "09ac4fcb3f255e9225967c75f5893325c116cdbe",
"versionType": "git"
},
{
"lessThan": "5a81095d3e1b521ac7cfe3b14d5f149bace3d6e0",
"status": "affected",
"version": "09ac4fcb3f255e9225967c75f5893325c116cdbe",
"versionType": "git"
},
{
"lessThan": "b94182b3d7228aec18d069cba56d5982e9bfe1b1",
"status": "affected",
"version": "09ac4fcb3f255e9225967c75f5893325c116cdbe",
"versionType": "git"
},
{
"lessThan": "491adc6a0f9903c32b05f284df1148de39e8e644",
"status": "affected",
"version": "09ac4fcb3f255e9225967c75f5893325c116cdbe",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/ttm/ttm_bo_vm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.14"
},
{
"lessThan": "4.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/ttm: Avoid NULL pointer deref for evicted BOs\n\nIt is possible for a BO to exist that is not currently associated with a\nresource, e.g. because it has been evicted.\n\nWhen devcoredump tries to read the contents of all BOs for dumping, we need\nto expect this as well -- in this case, ENODATA is recorded instead of the\nbuffer contents."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:34.629Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/47a85604a761005d255ae38115ee630cc6931756"
},
{
"url": "https://git.kernel.org/stable/c/4b9944493c6d92d7b29cfd83aaf3deb842b8da79"
},
{
"url": "https://git.kernel.org/stable/c/3d004f7341d4898889801ebb2ef61ffca610dd6f"
},
{
"url": "https://git.kernel.org/stable/c/5a81095d3e1b521ac7cfe3b14d5f149bace3d6e0"
},
{
"url": "https://git.kernel.org/stable/c/b94182b3d7228aec18d069cba56d5982e9bfe1b1"
},
{
"url": "https://git.kernel.org/stable/c/491adc6a0f9903c32b05f284df1148de39e8e644"
}
],
"title": "drm/ttm: Avoid NULL pointer deref for evicted BOs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71083",
"datePublished": "2026-01-13T15:34:46.974Z",
"dateReserved": "2026-01-13T15:30:19.648Z",
"dateUpdated": "2026-02-09T08:34:34.629Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68725 (GCVE-0-2025-68725)
Vulnerability from cvelistv5
Published
2025-12-24 10:33
Modified
2026-02-09 08:32
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Do not let BPF test infra emit invalid GSO types to stack
Yinhao et al. reported that their fuzzer tool was able to trigger a
skb_warn_bad_offload() from netif_skb_features() -> gso_features_check().
When a BPF program - triggered via BPF test infra - pushes the packet
to the loopback device via bpf_clone_redirect() then mentioned offload
warning can be seen. GSO-related features are then rightfully disabled.
We get into this situation due to convert___skb_to_skb() setting
gso_segs and gso_size but not gso_type. Technically, it makes sense
that this warning triggers since the GSO properties are malformed due
to the gso_type. Potentially, the gso_type could be marked non-trustworthy
through setting it at least to SKB_GSO_DODGY without any other specific
assumptions, but that also feels wrong given we should not go further
into the GSO engine in the first place.
The checks were added in 121d57af308d ("gso: validate gso_type in GSO
handlers") because there were malicious (syzbot) senders that combine
a protocol with a non-matching gso_type. If we would want to drop such
packets, gso_features_check() currently only returns feature flags via
netif_skb_features(), so one location for potentially dropping such skbs
could be validate_xmit_unreadable_skb(), but then otoh it would be
an additional check in the fast-path for a very corner case. Given
bpf_clone_redirect() is the only place where BPF test infra could emit
such packets, lets reject them right there.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 850a88cc4096fe1df407452ba2e4d28cf5b3eee9 Version: 850a88cc4096fe1df407452ba2e4d28cf5b3eee9 Version: 850a88cc4096fe1df407452ba2e4d28cf5b3eee9 Version: 850a88cc4096fe1df407452ba2e4d28cf5b3eee9 Version: 850a88cc4096fe1df407452ba2e4d28cf5b3eee9 Version: 850a88cc4096fe1df407452ba2e4d28cf5b3eee9 Version: 850a88cc4096fe1df407452ba2e4d28cf5b3eee9 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bpf/test_run.c",
"net/core/filter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bb7902ed7d7f6d6a7c6c4dc25410d6127ce1085f",
"status": "affected",
"version": "850a88cc4096fe1df407452ba2e4d28cf5b3eee9",
"versionType": "git"
},
{
"lessThan": "e0ffb64a2d72c6705b4a4c9efef600409f7e98a0",
"status": "affected",
"version": "850a88cc4096fe1df407452ba2e4d28cf5b3eee9",
"versionType": "git"
},
{
"lessThan": "768376ece7036ecb8604961793a1b72afe6345dd",
"status": "affected",
"version": "850a88cc4096fe1df407452ba2e4d28cf5b3eee9",
"versionType": "git"
},
{
"lessThan": "8670b53b8ee91f028f7240531064020b7413c461",
"status": "affected",
"version": "850a88cc4096fe1df407452ba2e4d28cf5b3eee9",
"versionType": "git"
},
{
"lessThan": "0f3a60869ca22024dfb9c6fce412b0c70cb4ea36",
"status": "affected",
"version": "850a88cc4096fe1df407452ba2e4d28cf5b3eee9",
"versionType": "git"
},
{
"lessThan": "fbea4c63b5385588cb44ab21f91e55e33c719a54",
"status": "affected",
"version": "850a88cc4096fe1df407452ba2e4d28cf5b3eee9",
"versionType": "git"
},
{
"lessThan": "04a899573fb87273a656f178b5f920c505f68875",
"status": "affected",
"version": "850a88cc4096fe1df407452ba2e4d28cf5b3eee9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bpf/test_run.c",
"net/core/filter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Do not let BPF test infra emit invalid GSO types to stack\n\nYinhao et al. reported that their fuzzer tool was able to trigger a\nskb_warn_bad_offload() from netif_skb_features() -\u003e gso_features_check().\nWhen a BPF program - triggered via BPF test infra - pushes the packet\nto the loopback device via bpf_clone_redirect() then mentioned offload\nwarning can be seen. GSO-related features are then rightfully disabled.\n\nWe get into this situation due to convert___skb_to_skb() setting\ngso_segs and gso_size but not gso_type. Technically, it makes sense\nthat this warning triggers since the GSO properties are malformed due\nto the gso_type. Potentially, the gso_type could be marked non-trustworthy\nthrough setting it at least to SKB_GSO_DODGY without any other specific\nassumptions, but that also feels wrong given we should not go further\ninto the GSO engine in the first place.\n\nThe checks were added in 121d57af308d (\"gso: validate gso_type in GSO\nhandlers\") because there were malicious (syzbot) senders that combine\na protocol with a non-matching gso_type. If we would want to drop such\npackets, gso_features_check() currently only returns feature flags via\nnetif_skb_features(), so one location for potentially dropping such skbs\ncould be validate_xmit_unreadable_skb(), but then otoh it would be\nan additional check in the fast-path for a very corner case. Given\nbpf_clone_redirect() is the only place where BPF test infra could emit\nsuch packets, lets reject them right there."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:32:21.283Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bb7902ed7d7f6d6a7c6c4dc25410d6127ce1085f"
},
{
"url": "https://git.kernel.org/stable/c/e0ffb64a2d72c6705b4a4c9efef600409f7e98a0"
},
{
"url": "https://git.kernel.org/stable/c/768376ece7036ecb8604961793a1b72afe6345dd"
},
{
"url": "https://git.kernel.org/stable/c/8670b53b8ee91f028f7240531064020b7413c461"
},
{
"url": "https://git.kernel.org/stable/c/0f3a60869ca22024dfb9c6fce412b0c70cb4ea36"
},
{
"url": "https://git.kernel.org/stable/c/fbea4c63b5385588cb44ab21f91e55e33c719a54"
},
{
"url": "https://git.kernel.org/stable/c/04a899573fb87273a656f178b5f920c505f68875"
}
],
"title": "bpf: Do not let BPF test infra emit invalid GSO types to stack",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68725",
"datePublished": "2025-12-24T10:33:09.610Z",
"dateReserved": "2025-12-24T10:30:51.027Z",
"dateUpdated": "2026-02-09T08:32:21.283Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23101 (GCVE-0-2026-23101)
Vulnerability from cvelistv5
Published
2026-02-04 16:08
Modified
2026-02-09 08:38
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
leds: led-class: Only Add LED to leds_list when it is fully ready
Before this change the LED was added to leds_list before led_init_core()
gets called adding it the list before led_classdev.set_brightness_work gets
initialized.
This leaves a window where led_trigger_register() of a LED's default
trigger will call led_trigger_set() which calls led_set_brightness()
which in turn will end up queueing the *uninitialized*
led_classdev.set_brightness_work.
This race gets hit by the lenovo-thinkpad-t14s EC driver which registers
2 LEDs with a default trigger provided by snd_ctl_led.ko in quick
succession. The first led_classdev_register() causes an async modprobe of
snd_ctl_led to run and that async modprobe manages to exactly hit
the window where the second LED is on the leds_list without led_init_core()
being called for it, resulting in:
------------[ cut here ]------------
WARNING: CPU: 11 PID: 5608 at kernel/workqueue.c:4234 __flush_work+0x344/0x390
Hardware name: LENOVO 21N2S01F0B/21N2S01F0B, BIOS N42ET93W (2.23 ) 09/01/2025
...
Call trace:
__flush_work+0x344/0x390 (P)
flush_work+0x2c/0x50
led_trigger_set+0x1c8/0x340
led_trigger_register+0x17c/0x1c0
led_trigger_register_simple+0x84/0xe8
snd_ctl_led_init+0x40/0xf88 [snd_ctl_led]
do_one_initcall+0x5c/0x318
do_init_module+0x9c/0x2b8
load_module+0x7e0/0x998
Close the race window by moving the adding of the LED to leds_list to
after the led_init_core() call.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: d23a22a74fded23a12434c9463fe66cec2b0afcd Version: d23a22a74fded23a12434c9463fe66cec2b0afcd Version: d23a22a74fded23a12434c9463fe66cec2b0afcd Version: d23a22a74fded23a12434c9463fe66cec2b0afcd Version: d23a22a74fded23a12434c9463fe66cec2b0afcd Version: d23a22a74fded23a12434c9463fe66cec2b0afcd Version: d23a22a74fded23a12434c9463fe66cec2b0afcd |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/leds/led-class.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f7a6df659af777058833802c29b3b7974db5e78a",
"status": "affected",
"version": "d23a22a74fded23a12434c9463fe66cec2b0afcd",
"versionType": "git"
},
{
"lessThan": "d117fdcb21b05c0e0460261d017b92303cd9ba77",
"status": "affected",
"version": "d23a22a74fded23a12434c9463fe66cec2b0afcd",
"versionType": "git"
},
{
"lessThan": "e90c861411fc84629a240384b0a72830539d3386",
"status": "affected",
"version": "d23a22a74fded23a12434c9463fe66cec2b0afcd",
"versionType": "git"
},
{
"lessThan": "2757f7748ce2d0fa44112024907bafb37e104d6e",
"status": "affected",
"version": "d23a22a74fded23a12434c9463fe66cec2b0afcd",
"versionType": "git"
},
{
"lessThan": "da565bf98c9ad0eabcb09fc97859e0b52f98b7c3",
"status": "affected",
"version": "d23a22a74fded23a12434c9463fe66cec2b0afcd",
"versionType": "git"
},
{
"lessThan": "78822628165f3d817382f67f91129161159ca234",
"status": "affected",
"version": "d23a22a74fded23a12434c9463fe66cec2b0afcd",
"versionType": "git"
},
{
"lessThan": "d1883cefd31752f0504b94c3bcfa1f6d511d6e87",
"status": "affected",
"version": "d23a22a74fded23a12434c9463fe66cec2b0afcd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/leds/led-class.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.7"
},
{
"lessThan": "3.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nleds: led-class: Only Add LED to leds_list when it is fully ready\n\nBefore this change the LED was added to leds_list before led_init_core()\ngets called adding it the list before led_classdev.set_brightness_work gets\ninitialized.\n\nThis leaves a window where led_trigger_register() of a LED\u0027s default\ntrigger will call led_trigger_set() which calls led_set_brightness()\nwhich in turn will end up queueing the *uninitialized*\nled_classdev.set_brightness_work.\n\nThis race gets hit by the lenovo-thinkpad-t14s EC driver which registers\n2 LEDs with a default trigger provided by snd_ctl_led.ko in quick\nsuccession. The first led_classdev_register() causes an async modprobe of\nsnd_ctl_led to run and that async modprobe manages to exactly hit\nthe window where the second LED is on the leds_list without led_init_core()\nbeing called for it, resulting in:\n\n ------------[ cut here ]------------\n WARNING: CPU: 11 PID: 5608 at kernel/workqueue.c:4234 __flush_work+0x344/0x390\n Hardware name: LENOVO 21N2S01F0B/21N2S01F0B, BIOS N42ET93W (2.23 ) 09/01/2025\n ...\n Call trace:\n __flush_work+0x344/0x390 (P)\n flush_work+0x2c/0x50\n led_trigger_set+0x1c8/0x340\n led_trigger_register+0x17c/0x1c0\n led_trigger_register_simple+0x84/0xe8\n snd_ctl_led_init+0x40/0xf88 [snd_ctl_led]\n do_one_initcall+0x5c/0x318\n do_init_module+0x9c/0x2b8\n load_module+0x7e0/0x998\n\nClose the race window by moving the adding of the LED to leds_list to\nafter the led_init_core() call."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:38:42.041Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f7a6df659af777058833802c29b3b7974db5e78a"
},
{
"url": "https://git.kernel.org/stable/c/d117fdcb21b05c0e0460261d017b92303cd9ba77"
},
{
"url": "https://git.kernel.org/stable/c/e90c861411fc84629a240384b0a72830539d3386"
},
{
"url": "https://git.kernel.org/stable/c/2757f7748ce2d0fa44112024907bafb37e104d6e"
},
{
"url": "https://git.kernel.org/stable/c/da565bf98c9ad0eabcb09fc97859e0b52f98b7c3"
},
{
"url": "https://git.kernel.org/stable/c/78822628165f3d817382f67f91129161159ca234"
},
{
"url": "https://git.kernel.org/stable/c/d1883cefd31752f0504b94c3bcfa1f6d511d6e87"
}
],
"title": "leds: led-class: Only Add LED to leds_list when it is fully ready",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23101",
"datePublished": "2026-02-04T16:08:23.329Z",
"dateReserved": "2026-01-13T15:37:45.965Z",
"dateUpdated": "2026-02-09T08:38:42.041Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68807 (GCVE-0-2025-68807)
Vulnerability from cvelistv5
Published
2026-01-13 15:29
Modified
2026-02-09 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
block: fix race between wbt_enable_default and IO submission
When wbt_enable_default() is moved out of queue freezing in elevator_change(),
it can cause the wbt inflight counter to become negative (-1), leading to hung
tasks in the writeback path. Tasks get stuck in wbt_wait() because the counter
is in an inconsistent state.
The issue occurs because wbt_enable_default() could race with IO submission,
allowing the counter to be decremented before proper initialization. This manifests
as:
rq_wait[0]:
inflight: -1
has_waiters: True
rwb_enabled() checks the state, which can be updated exactly between wbt_wait()
(rq_qos_throttle()) and wbt_track()(rq_qos_track()), then the inflight counter
will become negative.
And results in hung task warnings like:
task:kworker/u24:39 state:D stack:0 pid:14767
Call Trace:
rq_qos_wait+0xb4/0x150
wbt_wait+0xa9/0x100
__rq_qos_throttle+0x24/0x40
blk_mq_submit_bio+0x672/0x7b0
...
Fix this by:
1. Splitting wbt_enable_default() into:
- __wbt_enable_default(): Returns true if wbt_init() should be called
- wbt_enable_default(): Wrapper for existing callers (no init)
- wbt_init_enable_default(): New function that checks and inits WBT
2. Using wbt_init_enable_default() in blk_register_queue() to ensure
proper initialization during queue registration
3. Move wbt_init() out of wbt_enable_default() which is only for enabling
disabled wbt from bfq and iocost, and wbt_init() isn't needed. Then the
original lock warning can be avoided.
4. Removing the ELEVATOR_FLAG_ENABLE_WBT_ON_EXIT flag and its handling
code since it's no longer needed
This ensures WBT is properly initialized before any IO can be submitted,
preventing the counter from going negative.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/bfq-iosched.c",
"block/blk-sysfs.c",
"block/blk-wbt.c",
"block/blk-wbt.h",
"block/elevator.c",
"block/elevator.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f55201fb3becff6a903fd29f4d1147cc7e91eb0c",
"status": "affected",
"version": "78c271344b6f64ce24c845e54903e09928cf2061",
"versionType": "git"
},
{
"lessThan": "9869d3a6fed381f3b98404e26e1afc75d680cbf9",
"status": "affected",
"version": "78c271344b6f64ce24c845e54903e09928cf2061",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/bfq-iosched.c",
"block/blk-sysfs.c",
"block/blk-wbt.c",
"block/blk-wbt.h",
"block/elevator.c",
"block/elevator.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.16"
},
{
"lessThan": "6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: fix race between wbt_enable_default and IO submission\n\nWhen wbt_enable_default() is moved out of queue freezing in elevator_change(),\nit can cause the wbt inflight counter to become negative (-1), leading to hung\ntasks in the writeback path. Tasks get stuck in wbt_wait() because the counter\nis in an inconsistent state.\n\nThe issue occurs because wbt_enable_default() could race with IO submission,\nallowing the counter to be decremented before proper initialization. This manifests\nas:\n\n rq_wait[0]:\n inflight: -1\n has_waiters: True\n\nrwb_enabled() checks the state, which can be updated exactly between wbt_wait()\n(rq_qos_throttle()) and wbt_track()(rq_qos_track()), then the inflight counter\nwill become negative.\n\nAnd results in hung task warnings like:\n task:kworker/u24:39 state:D stack:0 pid:14767\n Call Trace:\n rq_qos_wait+0xb4/0x150\n wbt_wait+0xa9/0x100\n __rq_qos_throttle+0x24/0x40\n blk_mq_submit_bio+0x672/0x7b0\n ...\n\nFix this by:\n\n1. Splitting wbt_enable_default() into:\n - __wbt_enable_default(): Returns true if wbt_init() should be called\n - wbt_enable_default(): Wrapper for existing callers (no init)\n - wbt_init_enable_default(): New function that checks and inits WBT\n\n2. Using wbt_init_enable_default() in blk_register_queue() to ensure\n proper initialization during queue registration\n\n3. Move wbt_init() out of wbt_enable_default() which is only for enabling\n disabled wbt from bfq and iocost, and wbt_init() isn\u0027t needed. Then the\n original lock warning can be avoided.\n\n4. Removing the ELEVATOR_FLAG_ENABLE_WBT_ON_EXIT flag and its handling\n code since it\u0027s no longer needed\n\nThis ensures WBT is properly initialized before any IO can be submitted,\npreventing the counter from going negative."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:56.250Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f55201fb3becff6a903fd29f4d1147cc7e91eb0c"
},
{
"url": "https://git.kernel.org/stable/c/9869d3a6fed381f3b98404e26e1afc75d680cbf9"
}
],
"title": "block: fix race between wbt_enable_default and IO submission",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68807",
"datePublished": "2026-01-13T15:29:14.483Z",
"dateReserved": "2025-12-24T10:30:51.045Z",
"dateUpdated": "2026-02-09T08:33:56.250Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39968 (GCVE-0-2025-39968)
Vulnerability from cvelistv5
Published
2025-10-15 07:55
Modified
2025-10-15 07:55
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
i40e: add max boundary check for VF filters
There is no check for max filters that VF can request. Add it.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: e284fc280473bed23f2e1ed324e102a48f7d17e1 Version: e284fc280473bed23f2e1ed324e102a48f7d17e1 Version: e284fc280473bed23f2e1ed324e102a48f7d17e1 Version: e284fc280473bed23f2e1ed324e102a48f7d17e1 Version: e284fc280473bed23f2e1ed324e102a48f7d17e1 Version: e284fc280473bed23f2e1ed324e102a48f7d17e1 Version: e284fc280473bed23f2e1ed324e102a48f7d17e1 Version: e284fc280473bed23f2e1ed324e102a48f7d17e1 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9176e18681cb0d34c5acc87bda224f5652af2ab8",
"status": "affected",
"version": "e284fc280473bed23f2e1ed324e102a48f7d17e1",
"versionType": "git"
},
{
"lessThan": "e490d8c5a54e0dd1ab22417d72c3a7319cf0f030",
"status": "affected",
"version": "e284fc280473bed23f2e1ed324e102a48f7d17e1",
"versionType": "git"
},
{
"lessThan": "77a35be582dff4c80442ebcdce24d45eed8a6ce4",
"status": "affected",
"version": "e284fc280473bed23f2e1ed324e102a48f7d17e1",
"versionType": "git"
},
{
"lessThan": "02aae5fcdd34c3a55a243d80a1b328a35852a35c",
"status": "affected",
"version": "e284fc280473bed23f2e1ed324e102a48f7d17e1",
"versionType": "git"
},
{
"lessThan": "edecce7abd7152b48e279b4fa0a883d1839bb577",
"status": "affected",
"version": "e284fc280473bed23f2e1ed324e102a48f7d17e1",
"versionType": "git"
},
{
"lessThan": "d33e5d6631ac4fddda235a7815babc9d3f124299",
"status": "affected",
"version": "e284fc280473bed23f2e1ed324e102a48f7d17e1",
"versionType": "git"
},
{
"lessThan": "8b13df5aa877b9e4541e301a58a84c42d84d2d9a",
"status": "affected",
"version": "e284fc280473bed23f2e1ed324e102a48f7d17e1",
"versionType": "git"
},
{
"lessThan": "cb79fa7118c150c3c76a327894bb2eb878c02619",
"status": "affected",
"version": "e284fc280473bed23f2e1ed324e102a48f7d17e1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.155",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.50",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.155",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.109",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: add max boundary check for VF filters\n\nThere is no check for max filters that VF can request. Add it."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T07:55:52.272Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9176e18681cb0d34c5acc87bda224f5652af2ab8"
},
{
"url": "https://git.kernel.org/stable/c/e490d8c5a54e0dd1ab22417d72c3a7319cf0f030"
},
{
"url": "https://git.kernel.org/stable/c/77a35be582dff4c80442ebcdce24d45eed8a6ce4"
},
{
"url": "https://git.kernel.org/stable/c/02aae5fcdd34c3a55a243d80a1b328a35852a35c"
},
{
"url": "https://git.kernel.org/stable/c/edecce7abd7152b48e279b4fa0a883d1839bb577"
},
{
"url": "https://git.kernel.org/stable/c/d33e5d6631ac4fddda235a7815babc9d3f124299"
},
{
"url": "https://git.kernel.org/stable/c/8b13df5aa877b9e4541e301a58a84c42d84d2d9a"
},
{
"url": "https://git.kernel.org/stable/c/cb79fa7118c150c3c76a327894bb2eb878c02619"
}
],
"title": "i40e: add max boundary check for VF filters",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39968",
"datePublished": "2025-10-15T07:55:52.272Z",
"dateReserved": "2025-04-16T07:20:57.149Z",
"dateUpdated": "2025-10-15T07:55:52.272Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-22022 (GCVE-0-2025-22022)
Vulnerability from cvelistv5
Published
2025-04-16 10:23
Modified
2026-01-19 12:17
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: xhci: Apply the link chain quirk on NEC isoc endpoints
Two clearly different specimens of NEC uPD720200 (one with start/stop
bug, one without) were seen to cause IOMMU faults after some Missed
Service Errors. Faulting address is immediately after a transfer ring
segment and patched dynamic debug messages revealed that the MSE was
received when waiting for a TD near the end of that segment:
[ 1.041954] xhci_hcd: Miss service interval error for slot 1 ep 2 expected TD DMA ffa08fe0
[ 1.042120] xhci_hcd: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0005 address=0xffa09000 flags=0x0000]
[ 1.042146] xhci_hcd: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0005 address=0xffa09040 flags=0x0000]
It gets even funnier if the next page is a ring segment accessible to
the HC. Below, it reports MSE in segment at ff1e8000, plows through a
zero-filled page at ff1e9000 and starts reporting events for TRBs in
page at ff1ea000 every microframe, instead of jumping to seg ff1e6000.
[ 7.041671] xhci_hcd: Miss service interval error for slot 1 ep 2 expected TD DMA ff1e8fe0
[ 7.041999] xhci_hcd: Miss service interval error for slot 1 ep 2 expected TD DMA ff1e8fe0
[ 7.042011] xhci_hcd: WARN: buffer overrun event for slot 1 ep 2 on endpoint
[ 7.042028] xhci_hcd: All TDs skipped for slot 1 ep 2. Clear skip flag.
[ 7.042134] xhci_hcd: WARN: buffer overrun event for slot 1 ep 2 on endpoint
[ 7.042138] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 31
[ 7.042144] xhci_hcd: Looking for event-dma 00000000ff1ea040 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820
[ 7.042259] xhci_hcd: WARN: buffer overrun event for slot 1 ep 2 on endpoint
[ 7.042262] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 31
[ 7.042266] xhci_hcd: Looking for event-dma 00000000ff1ea050 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820
At some point completion events change from Isoch Buffer Overrun to
Short Packet and the HC finally finds cycle bit mismatch in ff1ec000.
[ 7.098130] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 13
[ 7.098132] xhci_hcd: Looking for event-dma 00000000ff1ecc50 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820
[ 7.098254] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 13
[ 7.098256] xhci_hcd: Looking for event-dma 00000000ff1ecc60 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820
[ 7.098379] xhci_hcd: Overrun event on slot 1 ep 2
It's possible that data from the isochronous device were written to
random buffers of pending TDs on other endpoints (either IN or OUT),
other devices or even other HCs in the same IOMMU domain.
Lastly, an error from a different USB device on another HC. Was it
caused by the above? I don't know, but it may have been. The disk
was working without any other issues and generated PCIe traffic to
starve the NEC of upstream BW and trigger those MSEs. The two HCs
shared one x1 slot by means of a commercial "PCIe splitter" board.
[ 7.162604] usb 10-2: reset SuperSpeed USB device number 3 using xhci_hcd
[ 7.178990] sd 9:0:0:0: [sdb] tag#0 UNKNOWN(0x2003) Result: hostbyte=0x07 driverbyte=DRIVER_OK cmd_age=0s
[ 7.179001] sd 9:0:0:0: [sdb] tag#0 CDB: opcode=0x28 28 00 04 02 ae 00 00 02 00 00
[ 7.179004] I/O error, dev sdb, sector 67284480 op 0x0:(READ) flags 0x80700 phys_seg 5 prio class 0
Fortunately, it appears that this ridiculous bug is avoided by setting
the chain bit of Link TRBs on isochronous rings. Other ancient HCs are
known which also expect the bit to be set and they ignore Link TRBs if
it's not. Reportedly, 0.95 spec guaranteed that the bit is set.
The bandwidth-starved NEC HC running a 32KB/uframe UVC endpoint reports
tens of MSEs per second and runs into the bug within seconds. Chaining
Link TRBs allows the same workload to run for many minutes, many times.
No ne
---truncated---
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 7e393a834b41001174a8fb3ae3bc23a749467760 Version: 7e393a834b41001174a8fb3ae3bc23a749467760 Version: 7e393a834b41001174a8fb3ae3bc23a749467760 Version: 7e393a834b41001174a8fb3ae3bc23a749467760 Version: 7e393a834b41001174a8fb3ae3bc23a749467760 Version: 7e393a834b41001174a8fb3ae3bc23a749467760 Version: 7e393a834b41001174a8fb3ae3bc23a749467760 Version: 7e393a834b41001174a8fb3ae3bc23a749467760 Version: 5c7a6982e976b381595c9d4ee8e8c94564a40aec Version: f12ea4a8ca7009fa2d54794c3fcb8e638453bcff |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/host/xhci.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "abf2df229b6a9172cc1827749c1a446d28e00a2e",
"status": "affected",
"version": "7e393a834b41001174a8fb3ae3bc23a749467760",
"versionType": "git"
},
{
"lessThan": "8b586de6f03c850ff48d42e539b4708d1f3f8f1a",
"status": "affected",
"version": "7e393a834b41001174a8fb3ae3bc23a749467760",
"versionType": "git"
},
{
"lessThan": "1143f790a6316201dc8f067eba4c94ea97ecb6ca",
"status": "affected",
"version": "7e393a834b41001174a8fb3ae3bc23a749467760",
"versionType": "git"
},
{
"lessThan": "dbf427663ce272070d3004b5fca63a4a537d781c",
"status": "affected",
"version": "7e393a834b41001174a8fb3ae3bc23a749467760",
"versionType": "git"
},
{
"lessThan": "a4931d9fb99eb5462f3eaa231999d279c40afb21",
"status": "affected",
"version": "7e393a834b41001174a8fb3ae3bc23a749467760",
"versionType": "git"
},
{
"lessThan": "43a18225150ce874d23b37761c302a5dffee1595",
"status": "affected",
"version": "7e393a834b41001174a8fb3ae3bc23a749467760",
"versionType": "git"
},
{
"lessThan": "061a1683bae6ef56ab8fa392725ba7495515cd1d",
"status": "affected",
"version": "7e393a834b41001174a8fb3ae3bc23a749467760",
"versionType": "git"
},
{
"lessThan": "bb0ba4cb1065e87f9cc75db1fa454e56d0894d01",
"status": "affected",
"version": "7e393a834b41001174a8fb3ae3bc23a749467760",
"versionType": "git"
},
{
"status": "affected",
"version": "5c7a6982e976b381595c9d4ee8e8c94564a40aec",
"versionType": "git"
},
{
"status": "affected",
"version": "f12ea4a8ca7009fa2d54794c3fcb8e638453bcff",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/host/xhci.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.2"
},
{
"lessThan": "3.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.22",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.10",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.1",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.0.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.1.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: xhci: Apply the link chain quirk on NEC isoc endpoints\n\nTwo clearly different specimens of NEC uPD720200 (one with start/stop\nbug, one without) were seen to cause IOMMU faults after some Missed\nService Errors. Faulting address is immediately after a transfer ring\nsegment and patched dynamic debug messages revealed that the MSE was\nreceived when waiting for a TD near the end of that segment:\n\n[ 1.041954] xhci_hcd: Miss service interval error for slot 1 ep 2 expected TD DMA ffa08fe0\n[ 1.042120] xhci_hcd: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0005 address=0xffa09000 flags=0x0000]\n[ 1.042146] xhci_hcd: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0005 address=0xffa09040 flags=0x0000]\n\nIt gets even funnier if the next page is a ring segment accessible to\nthe HC. Below, it reports MSE in segment at ff1e8000, plows through a\nzero-filled page at ff1e9000 and starts reporting events for TRBs in\npage at ff1ea000 every microframe, instead of jumping to seg ff1e6000.\n\n[ 7.041671] xhci_hcd: Miss service interval error for slot 1 ep 2 expected TD DMA ff1e8fe0\n[ 7.041999] xhci_hcd: Miss service interval error for slot 1 ep 2 expected TD DMA ff1e8fe0\n[ 7.042011] xhci_hcd: WARN: buffer overrun event for slot 1 ep 2 on endpoint\n[ 7.042028] xhci_hcd: All TDs skipped for slot 1 ep 2. Clear skip flag.\n[ 7.042134] xhci_hcd: WARN: buffer overrun event for slot 1 ep 2 on endpoint\n[ 7.042138] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 31\n[ 7.042144] xhci_hcd: Looking for event-dma 00000000ff1ea040 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820\n[ 7.042259] xhci_hcd: WARN: buffer overrun event for slot 1 ep 2 on endpoint\n[ 7.042262] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 31\n[ 7.042266] xhci_hcd: Looking for event-dma 00000000ff1ea050 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820\n\nAt some point completion events change from Isoch Buffer Overrun to\nShort Packet and the HC finally finds cycle bit mismatch in ff1ec000.\n\n[ 7.098130] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 13\n[ 7.098132] xhci_hcd: Looking for event-dma 00000000ff1ecc50 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820\n[ 7.098254] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 13\n[ 7.098256] xhci_hcd: Looking for event-dma 00000000ff1ecc60 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820\n[ 7.098379] xhci_hcd: Overrun event on slot 1 ep 2\n\nIt\u0027s possible that data from the isochronous device were written to\nrandom buffers of pending TDs on other endpoints (either IN or OUT),\nother devices or even other HCs in the same IOMMU domain.\n\nLastly, an error from a different USB device on another HC. Was it\ncaused by the above? I don\u0027t know, but it may have been. The disk\nwas working without any other issues and generated PCIe traffic to\nstarve the NEC of upstream BW and trigger those MSEs. The two HCs\nshared one x1 slot by means of a commercial \"PCIe splitter\" board.\n\n[ 7.162604] usb 10-2: reset SuperSpeed USB device number 3 using xhci_hcd\n[ 7.178990] sd 9:0:0:0: [sdb] tag#0 UNKNOWN(0x2003) Result: hostbyte=0x07 driverbyte=DRIVER_OK cmd_age=0s\n[ 7.179001] sd 9:0:0:0: [sdb] tag#0 CDB: opcode=0x28 28 00 04 02 ae 00 00 02 00 00\n[ 7.179004] I/O error, dev sdb, sector 67284480 op 0x0:(READ) flags 0x80700 phys_seg 5 prio class 0\n\nFortunately, it appears that this ridiculous bug is avoided by setting\nthe chain bit of Link TRBs on isochronous rings. Other ancient HCs are\nknown which also expect the bit to be set and they ignore Link TRBs if\nit\u0027s not. Reportedly, 0.95 spec guaranteed that the bit is set.\n\nThe bandwidth-starved NEC HC running a 32KB/uframe UVC endpoint reports\ntens of MSEs per second and runs into the bug within seconds. Chaining\nLink TRBs allows the same workload to run for many minutes, many times.\n\nNo ne\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:17:53.138Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/abf2df229b6a9172cc1827749c1a446d28e00a2e"
},
{
"url": "https://git.kernel.org/stable/c/8b586de6f03c850ff48d42e539b4708d1f3f8f1a"
},
{
"url": "https://git.kernel.org/stable/c/1143f790a6316201dc8f067eba4c94ea97ecb6ca"
},
{
"url": "https://git.kernel.org/stable/c/dbf427663ce272070d3004b5fca63a4a537d781c"
},
{
"url": "https://git.kernel.org/stable/c/a4931d9fb99eb5462f3eaa231999d279c40afb21"
},
{
"url": "https://git.kernel.org/stable/c/43a18225150ce874d23b37761c302a5dffee1595"
},
{
"url": "https://git.kernel.org/stable/c/061a1683bae6ef56ab8fa392725ba7495515cd1d"
},
{
"url": "https://git.kernel.org/stable/c/bb0ba4cb1065e87f9cc75db1fa454e56d0894d01"
}
],
"title": "usb: xhci: Apply the link chain quirk on NEC isoc endpoints",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-22022",
"datePublished": "2025-04-16T10:23:27.423Z",
"dateReserved": "2024-12-29T08:45:45.807Z",
"dateUpdated": "2026-01-19T12:17:53.138Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23003 (GCVE-0-2026-23003)
Vulnerability from cvelistv5
Published
2026-01-25 14:36
Modified
2026-02-09 08:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv()
Blamed commit did not take care of VLAN encapsulations
as spotted by syzbot [1].
Use skb_vlan_inet_prepare() instead of pskb_inet_may_pull().
[1]
BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]
BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]
BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321
__INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]
INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]
IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321
ip6ip6_dscp_ecn_decapsulate+0x16f/0x1b0 net/ipv6/ip6_tunnel.c:729
__ip6_tnl_rcv+0xed9/0x1b50 net/ipv6/ip6_tunnel.c:860
ip6_tnl_rcv+0xc3/0x100 net/ipv6/ip6_tunnel.c:903
gre_rcv+0x1529/0x1b90 net/ipv6/ip6_gre.c:-1
ip6_protocol_deliver_rcu+0x1c89/0x2c60 net/ipv6/ip6_input.c:438
ip6_input_finish+0x1f4/0x4a0 net/ipv6/ip6_input.c:489
NF_HOOK include/linux/netfilter.h:318 [inline]
ip6_input+0x9c/0x330 net/ipv6/ip6_input.c:500
ip6_mc_input+0x7ca/0xc10 net/ipv6/ip6_input.c:590
dst_input include/net/dst.h:474 [inline]
ip6_rcv_finish+0x958/0x990 net/ipv6/ip6_input.c:79
NF_HOOK include/linux/netfilter.h:318 [inline]
ipv6_rcv+0xf1/0x3c0 net/ipv6/ip6_input.c:311
__netif_receive_skb_one_core net/core/dev.c:6139 [inline]
__netif_receive_skb+0x1df/0xac0 net/core/dev.c:6252
netif_receive_skb_internal net/core/dev.c:6338 [inline]
netif_receive_skb+0x57/0x630 net/core/dev.c:6397
tun_rx_batched+0x1df/0x980 drivers/net/tun.c:1485
tun_get_user+0x5c0e/0x6c60 drivers/net/tun.c:1953
tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0xbe2/0x15d0 fs/read_write.c:686
ksys_write fs/read_write.c:738 [inline]
__do_sys_write fs/read_write.c:749 [inline]
__se_sys_write fs/read_write.c:746 [inline]
__x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746
x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was created at:
slab_post_alloc_hook mm/slub.c:4960 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
kmem_cache_alloc_node_noprof+0x9e7/0x17a0 mm/slub.c:5315
kmalloc_reserve+0x13c/0x4b0 net/core/skbuff.c:586
__alloc_skb+0x805/0x1040 net/core/skbuff.c:690
alloc_skb include/linux/skbuff.h:1383 [inline]
alloc_skb_with_frags+0xc5/0xa60 net/core/skbuff.c:6712
sock_alloc_send_pskb+0xacc/0xc60 net/core/sock.c:2995
tun_alloc_skb drivers/net/tun.c:1461 [inline]
tun_get_user+0x1142/0x6c60 drivers/net/tun.c:1794
tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0xbe2/0x15d0 fs/read_write.c:686
ksys_write fs/read_write.c:738 [inline]
__do_sys_write fs/read_write.c:749 [inline]
__se_sys_write fs/read_write.c:746 [inline]
__x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746
x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
CPU: 0 UID: 0 PID: 6465 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(none)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: a9bc32879a08f23cdb80a48c738017e39aea1080 Version: af6b5c50d47ab43e5272ad61935d0ed2e264d3f0 Version: d54e4da98bbfa8c257bdca94c49652d81d18a4d8 Version: 350a6640fac4b53564ec20aa3f4a0922cb0ba5e6 Version: 8d975c15c0cd744000ca386247432d57b21f9df0 Version: 8d975c15c0cd744000ca386247432d57b21f9df0 Version: 8d975c15c0cd744000ca386247432d57b21f9df0 Version: c835df3bcc14858ae9b27315dd7de76370b94f3a |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_tunnel.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f9c5c5b791d3850570796f9e067629474e613796",
"status": "affected",
"version": "a9bc32879a08f23cdb80a48c738017e39aea1080",
"versionType": "git"
},
{
"lessThan": "64c71d60a21a9ed0a802483dcd422b5b24eb1abe",
"status": "affected",
"version": "af6b5c50d47ab43e5272ad61935d0ed2e264d3f0",
"versionType": "git"
},
{
"lessThan": "9e1c8c2a33d0a7b1f637b5d0602fe56ed10166af",
"status": "affected",
"version": "d54e4da98bbfa8c257bdca94c49652d81d18a4d8",
"versionType": "git"
},
{
"lessThan": "2f03dafea0a8096a2eb60f551218b360e5bab9a3",
"status": "affected",
"version": "350a6640fac4b53564ec20aa3f4a0922cb0ba5e6",
"versionType": "git"
},
{
"lessThan": "df5ffde9669314500809bc498ae73d6d3d9519ac",
"status": "affected",
"version": "8d975c15c0cd744000ca386247432d57b21f9df0",
"versionType": "git"
},
{
"lessThan": "b9f915340f25cae1562f18e1eb52deafca328414",
"status": "affected",
"version": "8d975c15c0cd744000ca386247432d57b21f9df0",
"versionType": "git"
},
{
"lessThan": "81c734dae203757fb3c9eee6f9896386940776bd",
"status": "affected",
"version": "8d975c15c0cd744000ca386247432d57b21f9df0",
"versionType": "git"
},
{
"status": "affected",
"version": "c835df3bcc14858ae9b27315dd7de76370b94f3a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_tunnel.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "5.10.210",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "5.15.149",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "6.1.77",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "6.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.7.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv()\n\nBlamed commit did not take care of VLAN encapsulations\nas spotted by syzbot [1].\n\nUse skb_vlan_inet_prepare() instead of pskb_inet_may_pull().\n\n[1]\n BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]\n BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]\n BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321\n __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]\n INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]\n IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321\n ip6ip6_dscp_ecn_decapsulate+0x16f/0x1b0 net/ipv6/ip6_tunnel.c:729\n __ip6_tnl_rcv+0xed9/0x1b50 net/ipv6/ip6_tunnel.c:860\n ip6_tnl_rcv+0xc3/0x100 net/ipv6/ip6_tunnel.c:903\n gre_rcv+0x1529/0x1b90 net/ipv6/ip6_gre.c:-1\n ip6_protocol_deliver_rcu+0x1c89/0x2c60 net/ipv6/ip6_input.c:438\n ip6_input_finish+0x1f4/0x4a0 net/ipv6/ip6_input.c:489\n NF_HOOK include/linux/netfilter.h:318 [inline]\n ip6_input+0x9c/0x330 net/ipv6/ip6_input.c:500\n ip6_mc_input+0x7ca/0xc10 net/ipv6/ip6_input.c:590\n dst_input include/net/dst.h:474 [inline]\n ip6_rcv_finish+0x958/0x990 net/ipv6/ip6_input.c:79\n NF_HOOK include/linux/netfilter.h:318 [inline]\n ipv6_rcv+0xf1/0x3c0 net/ipv6/ip6_input.c:311\n __netif_receive_skb_one_core net/core/dev.c:6139 [inline]\n __netif_receive_skb+0x1df/0xac0 net/core/dev.c:6252\n netif_receive_skb_internal net/core/dev.c:6338 [inline]\n netif_receive_skb+0x57/0x630 net/core/dev.c:6397\n tun_rx_batched+0x1df/0x980 drivers/net/tun.c:1485\n tun_get_user+0x5c0e/0x6c60 drivers/net/tun.c:1953\n tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999\n new_sync_write fs/read_write.c:593 [inline]\n vfs_write+0xbe2/0x15d0 fs/read_write.c:686\n ksys_write fs/read_write.c:738 [inline]\n __do_sys_write fs/read_write.c:749 [inline]\n __se_sys_write fs/read_write.c:746 [inline]\n __x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746\n x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:4960 [inline]\n slab_alloc_node mm/slub.c:5263 [inline]\n kmem_cache_alloc_node_noprof+0x9e7/0x17a0 mm/slub.c:5315\n kmalloc_reserve+0x13c/0x4b0 net/core/skbuff.c:586\n __alloc_skb+0x805/0x1040 net/core/skbuff.c:690\n alloc_skb include/linux/skbuff.h:1383 [inline]\n alloc_skb_with_frags+0xc5/0xa60 net/core/skbuff.c:6712\n sock_alloc_send_pskb+0xacc/0xc60 net/core/sock.c:2995\n tun_alloc_skb drivers/net/tun.c:1461 [inline]\n tun_get_user+0x1142/0x6c60 drivers/net/tun.c:1794\n tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999\n new_sync_write fs/read_write.c:593 [inline]\n vfs_write+0xbe2/0x15d0 fs/read_write.c:686\n ksys_write fs/read_write.c:738 [inline]\n __do_sys_write fs/read_write.c:749 [inline]\n __se_sys_write fs/read_write.c:746 [inline]\n __x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746\n x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nCPU: 0 UID: 0 PID: 6465 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(none)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:55.829Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f9c5c5b791d3850570796f9e067629474e613796"
},
{
"url": "https://git.kernel.org/stable/c/64c71d60a21a9ed0a802483dcd422b5b24eb1abe"
},
{
"url": "https://git.kernel.org/stable/c/9e1c8c2a33d0a7b1f637b5d0602fe56ed10166af"
},
{
"url": "https://git.kernel.org/stable/c/2f03dafea0a8096a2eb60f551218b360e5bab9a3"
},
{
"url": "https://git.kernel.org/stable/c/df5ffde9669314500809bc498ae73d6d3d9519ac"
},
{
"url": "https://git.kernel.org/stable/c/b9f915340f25cae1562f18e1eb52deafca328414"
},
{
"url": "https://git.kernel.org/stable/c/81c734dae203757fb3c9eee6f9896386940776bd"
}
],
"title": "ip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23003",
"datePublished": "2026-01-25T14:36:17.491Z",
"dateReserved": "2026-01-13T15:37:45.939Z",
"dateUpdated": "2026-02-09T08:36:55.829Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-21861 (GCVE-0-2025-21861)
Vulnerability from cvelistv5
Published
2025-03-12 09:42
Modified
2025-10-02 13:25
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/migrate_device: don't add folio to be freed to LRU in migrate_device_finalize()
If migration succeeded, we called
folio_migrate_flags()->mem_cgroup_migrate() to migrate the memcg from the
old to the new folio. This will set memcg_data of the old folio to 0.
Similarly, if migration failed, memcg_data of the dst folio is left unset.
If we call folio_putback_lru() on such folios (memcg_data == 0), we will
add the folio to be freed to the LRU, making memcg code unhappy. Running
the hmm selftests:
# ./hmm-tests
...
# RUN hmm.hmm_device_private.migrate ...
[ 102.078007][T14893] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x7ff27d200 pfn:0x13cc00
[ 102.079974][T14893] anon flags: 0x17ff00000020018(uptodate|dirty|swapbacked|node=0|zone=2|lastcpupid=0x7ff)
[ 102.082037][T14893] raw: 017ff00000020018 dead000000000100 dead000000000122 ffff8881353896c9
[ 102.083687][T14893] raw: 00000007ff27d200 0000000000000000 00000001ffffffff 0000000000000000
[ 102.085331][T14893] page dumped because: VM_WARN_ON_ONCE_FOLIO(!memcg && !mem_cgroup_disabled())
[ 102.087230][T14893] ------------[ cut here ]------------
[ 102.088279][T14893] WARNING: CPU: 0 PID: 14893 at ./include/linux/memcontrol.h:726 folio_lruvec_lock_irqsave+0x10e/0x170
[ 102.090478][T14893] Modules linked in:
[ 102.091244][T14893] CPU: 0 UID: 0 PID: 14893 Comm: hmm-tests Not tainted 6.13.0-09623-g6c216bc522fd #151
[ 102.093089][T14893] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014
[ 102.094848][T14893] RIP: 0010:folio_lruvec_lock_irqsave+0x10e/0x170
[ 102.096104][T14893] Code: ...
[ 102.099908][T14893] RSP: 0018:ffffc900236c37b0 EFLAGS: 00010293
[ 102.101152][T14893] RAX: 0000000000000000 RBX: ffffea0004f30000 RCX: ffffffff8183f426
[ 102.102684][T14893] RDX: ffff8881063cb880 RSI: ffffffff81b8117f RDI: ffff8881063cb880
[ 102.104227][T14893] RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000
[ 102.105757][T14893] R10: 0000000000000001 R11: 0000000000000002 R12: ffffc900236c37d8
[ 102.107296][T14893] R13: ffff888277a2bcb0 R14: 000000000000001f R15: 0000000000000000
[ 102.108830][T14893] FS: 00007ff27dbdd740(0000) GS:ffff888277a00000(0000) knlGS:0000000000000000
[ 102.110643][T14893] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 102.111924][T14893] CR2: 00007ff27d400000 CR3: 000000010866e000 CR4: 0000000000750ef0
[ 102.113478][T14893] PKRU: 55555554
[ 102.114172][T14893] Call Trace:
[ 102.114805][T14893] <TASK>
[ 102.115397][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170
[ 102.116547][T14893] ? __warn.cold+0x110/0x210
[ 102.117461][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170
[ 102.118667][T14893] ? report_bug+0x1b9/0x320
[ 102.119571][T14893] ? handle_bug+0x54/0x90
[ 102.120494][T14893] ? exc_invalid_op+0x17/0x50
[ 102.121433][T14893] ? asm_exc_invalid_op+0x1a/0x20
[ 102.122435][T14893] ? __wake_up_klogd.part.0+0x76/0xd0
[ 102.123506][T14893] ? dump_page+0x4f/0x60
[ 102.124352][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170
[ 102.125500][T14893] folio_batch_move_lru+0xd4/0x200
[ 102.126577][T14893] ? __pfx_lru_add+0x10/0x10
[ 102.127505][T14893] __folio_batch_add_and_move+0x391/0x720
[ 102.128633][T14893] ? __pfx_lru_add+0x10/0x10
[ 102.129550][T14893] folio_putback_lru+0x16/0x80
[ 102.130564][T14893] migrate_device_finalize+0x9b/0x530
[ 102.131640][T14893] dmirror_migrate_to_device.constprop.0+0x7c5/0xad0
[ 102.133047][T14893] dmirror_fops_unlocked_ioctl+0x89b/0xc80
Likely, nothing else goes wrong: putting the last folio reference will
remove the folio from the LRU again. So besides memcg complaining, adding
the folio to be freed to the LRU is just an unnecessary step.
The new flow resembles what we have in migrate_folio_move(): add the dst
to the lru, rem
---truncated---
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 8763cb45ab967a92a5ee49e9c544c0f0ea90e2d6 Version: 8763cb45ab967a92a5ee49e9c544c0f0ea90e2d6 Version: 8763cb45ab967a92a5ee49e9c544c0f0ea90e2d6 Version: 8763cb45ab967a92a5ee49e9c544c0f0ea90e2d6 Version: 8763cb45ab967a92a5ee49e9c544c0f0ea90e2d6 Version: 8763cb45ab967a92a5ee49e9c544c0f0ea90e2d6 Version: 8763cb45ab967a92a5ee49e9c544c0f0ea90e2d6 Version: 8763cb45ab967a92a5ee49e9c544c0f0ea90e2d6 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21861",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:25:46.861929Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:26:37.818Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/migrate_device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "61fa824e304ed162fe965f64999068e6fcff2059",
"status": "affected",
"version": "8763cb45ab967a92a5ee49e9c544c0f0ea90e2d6",
"versionType": "git"
},
{
"lessThan": "64397b0cb7c09e3ef3f9f5c7c17299c4eebd3875",
"status": "affected",
"version": "8763cb45ab967a92a5ee49e9c544c0f0ea90e2d6",
"versionType": "git"
},
{
"lessThan": "4f52f7c50f5b6f5eeb06823e21fe546d90f9c595",
"status": "affected",
"version": "8763cb45ab967a92a5ee49e9c544c0f0ea90e2d6",
"versionType": "git"
},
{
"lessThan": "20fb6fc51863fbff7868de8b5f6d249d2094df1f",
"status": "affected",
"version": "8763cb45ab967a92a5ee49e9c544c0f0ea90e2d6",
"versionType": "git"
},
{
"lessThan": "78f579cb7d825134e071a1714d8d0c4fd0ffe459",
"status": "affected",
"version": "8763cb45ab967a92a5ee49e9c544c0f0ea90e2d6",
"versionType": "git"
},
{
"lessThan": "3f9240d59e9a95d19f06120bfd1d0e681c6c0ac7",
"status": "affected",
"version": "8763cb45ab967a92a5ee49e9c544c0f0ea90e2d6",
"versionType": "git"
},
{
"lessThan": "069dd21ea8262204f94737878389c2815a054a9e",
"status": "affected",
"version": "8763cb45ab967a92a5ee49e9c544c0f0ea90e2d6",
"versionType": "git"
},
{
"lessThan": "41cddf83d8b00f29fd105e7a0777366edc69a5cf",
"status": "affected",
"version": "8763cb45ab967a92a5ee49e9c544c0f0ea90e2d6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/migrate_device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.14"
},
{
"lessThan": "4.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.155",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.155",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.109",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.17",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.5",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "4.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/migrate_device: don\u0027t add folio to be freed to LRU in migrate_device_finalize()\n\nIf migration succeeded, we called\nfolio_migrate_flags()-\u003emem_cgroup_migrate() to migrate the memcg from the\nold to the new folio. This will set memcg_data of the old folio to 0.\n\nSimilarly, if migration failed, memcg_data of the dst folio is left unset.\n\nIf we call folio_putback_lru() on such folios (memcg_data == 0), we will\nadd the folio to be freed to the LRU, making memcg code unhappy. Running\nthe hmm selftests:\n\n # ./hmm-tests\n ...\n # RUN hmm.hmm_device_private.migrate ...\n [ 102.078007][T14893] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x7ff27d200 pfn:0x13cc00\n [ 102.079974][T14893] anon flags: 0x17ff00000020018(uptodate|dirty|swapbacked|node=0|zone=2|lastcpupid=0x7ff)\n [ 102.082037][T14893] raw: 017ff00000020018 dead000000000100 dead000000000122 ffff8881353896c9\n [ 102.083687][T14893] raw: 00000007ff27d200 0000000000000000 00000001ffffffff 0000000000000000\n [ 102.085331][T14893] page dumped because: VM_WARN_ON_ONCE_FOLIO(!memcg \u0026\u0026 !mem_cgroup_disabled())\n [ 102.087230][T14893] ------------[ cut here ]------------\n [ 102.088279][T14893] WARNING: CPU: 0 PID: 14893 at ./include/linux/memcontrol.h:726 folio_lruvec_lock_irqsave+0x10e/0x170\n [ 102.090478][T14893] Modules linked in:\n [ 102.091244][T14893] CPU: 0 UID: 0 PID: 14893 Comm: hmm-tests Not tainted 6.13.0-09623-g6c216bc522fd #151\n [ 102.093089][T14893] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014\n [ 102.094848][T14893] RIP: 0010:folio_lruvec_lock_irqsave+0x10e/0x170\n [ 102.096104][T14893] Code: ...\n [ 102.099908][T14893] RSP: 0018:ffffc900236c37b0 EFLAGS: 00010293\n [ 102.101152][T14893] RAX: 0000000000000000 RBX: ffffea0004f30000 RCX: ffffffff8183f426\n [ 102.102684][T14893] RDX: ffff8881063cb880 RSI: ffffffff81b8117f RDI: ffff8881063cb880\n [ 102.104227][T14893] RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000\n [ 102.105757][T14893] R10: 0000000000000001 R11: 0000000000000002 R12: ffffc900236c37d8\n [ 102.107296][T14893] R13: ffff888277a2bcb0 R14: 000000000000001f R15: 0000000000000000\n [ 102.108830][T14893] FS: 00007ff27dbdd740(0000) GS:ffff888277a00000(0000) knlGS:0000000000000000\n [ 102.110643][T14893] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n [ 102.111924][T14893] CR2: 00007ff27d400000 CR3: 000000010866e000 CR4: 0000000000750ef0\n [ 102.113478][T14893] PKRU: 55555554\n [ 102.114172][T14893] Call Trace:\n [ 102.114805][T14893] \u003cTASK\u003e\n [ 102.115397][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170\n [ 102.116547][T14893] ? __warn.cold+0x110/0x210\n [ 102.117461][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170\n [ 102.118667][T14893] ? report_bug+0x1b9/0x320\n [ 102.119571][T14893] ? handle_bug+0x54/0x90\n [ 102.120494][T14893] ? exc_invalid_op+0x17/0x50\n [ 102.121433][T14893] ? asm_exc_invalid_op+0x1a/0x20\n [ 102.122435][T14893] ? __wake_up_klogd.part.0+0x76/0xd0\n [ 102.123506][T14893] ? dump_page+0x4f/0x60\n [ 102.124352][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170\n [ 102.125500][T14893] folio_batch_move_lru+0xd4/0x200\n [ 102.126577][T14893] ? __pfx_lru_add+0x10/0x10\n [ 102.127505][T14893] __folio_batch_add_and_move+0x391/0x720\n [ 102.128633][T14893] ? __pfx_lru_add+0x10/0x10\n [ 102.129550][T14893] folio_putback_lru+0x16/0x80\n [ 102.130564][T14893] migrate_device_finalize+0x9b/0x530\n [ 102.131640][T14893] dmirror_migrate_to_device.constprop.0+0x7c5/0xad0\n [ 102.133047][T14893] dmirror_fops_unlocked_ioctl+0x89b/0xc80\n\nLikely, nothing else goes wrong: putting the last folio reference will\nremove the folio from the LRU again. So besides memcg complaining, adding\nthe folio to be freed to the LRU is just an unnecessary step.\n\nThe new flow resembles what we have in migrate_folio_move(): add the dst\nto the lru, rem\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T13:25:41.248Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/61fa824e304ed162fe965f64999068e6fcff2059"
},
{
"url": "https://git.kernel.org/stable/c/64397b0cb7c09e3ef3f9f5c7c17299c4eebd3875"
},
{
"url": "https://git.kernel.org/stable/c/4f52f7c50f5b6f5eeb06823e21fe546d90f9c595"
},
{
"url": "https://git.kernel.org/stable/c/20fb6fc51863fbff7868de8b5f6d249d2094df1f"
},
{
"url": "https://git.kernel.org/stable/c/78f579cb7d825134e071a1714d8d0c4fd0ffe459"
},
{
"url": "https://git.kernel.org/stable/c/3f9240d59e9a95d19f06120bfd1d0e681c6c0ac7"
},
{
"url": "https://git.kernel.org/stable/c/069dd21ea8262204f94737878389c2815a054a9e"
},
{
"url": "https://git.kernel.org/stable/c/41cddf83d8b00f29fd105e7a0777366edc69a5cf"
}
],
"title": "mm/migrate_device: don\u0027t add folio to be freed to LRU in migrate_device_finalize()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21861",
"datePublished": "2025-03-12T09:42:19.199Z",
"dateReserved": "2024-12-29T08:45:45.780Z",
"dateUpdated": "2025-10-02T13:25:41.248Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-71099 (GCVE-0-2025-71099)
Vulnerability from cvelistv5
Published
2026-01-13 15:34
Modified
2026-02-09 08:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/xe/oa: Fix potential UAF in xe_oa_add_config_ioctl()
In xe_oa_add_config_ioctl(), we accessed oa_config->id after dropping
metrics_lock. Since this lock protects the lifetime of oa_config, an
attacker could guess the id and call xe_oa_remove_config_ioctl() with
perfect timing, freeing oa_config before we dereference it, leading to
a potential use-after-free.
Fix this by caching the id in a local variable while holding the lock.
v2: (Matt A)
- Dropped mutex_unlock(&oa->metrics_lock) ordering change from
xe_oa_remove_config_ioctl()
(cherry picked from commit 28aeaed130e8e587fd1b73b6d66ca41ccc5a1a31)
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/xe/xe_oa.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c6d30b65b7a44dac52ad49513268adbf19eab4a2",
"status": "affected",
"version": "cdf02fe1a94a768cbcd20f5c4e1a1d805f4a06c0",
"versionType": "git"
},
{
"lessThan": "7cdb9a9da935c687563cc682155461fef5f9b48d",
"status": "affected",
"version": "cdf02fe1a94a768cbcd20f5c4e1a1d805f4a06c0",
"versionType": "git"
},
{
"lessThan": "dcb171931954c51a1a7250d558f02b8f36570783",
"status": "affected",
"version": "cdf02fe1a94a768cbcd20f5c4e1a1d805f4a06c0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/xe/xe_oa.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.11"
},
{
"lessThan": "6.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/oa: Fix potential UAF in xe_oa_add_config_ioctl()\n\nIn xe_oa_add_config_ioctl(), we accessed oa_config-\u003eid after dropping\nmetrics_lock. Since this lock protects the lifetime of oa_config, an\nattacker could guess the id and call xe_oa_remove_config_ioctl() with\nperfect timing, freeing oa_config before we dereference it, leading to\na potential use-after-free.\n\nFix this by caching the id in a local variable while holding the lock.\n\nv2: (Matt A)\n- Dropped mutex_unlock(\u0026oa-\u003emetrics_lock) ordering change from\n xe_oa_remove_config_ioctl()\n\n(cherry picked from commit 28aeaed130e8e587fd1b73b6d66ca41ccc5a1a31)"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:51.979Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c6d30b65b7a44dac52ad49513268adbf19eab4a2"
},
{
"url": "https://git.kernel.org/stable/c/7cdb9a9da935c687563cc682155461fef5f9b48d"
},
{
"url": "https://git.kernel.org/stable/c/dcb171931954c51a1a7250d558f02b8f36570783"
}
],
"title": "drm/xe/oa: Fix potential UAF in xe_oa_add_config_ioctl()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71099",
"datePublished": "2026-01-13T15:34:58.359Z",
"dateReserved": "2026-01-13T15:30:19.650Z",
"dateUpdated": "2026-02-09T08:34:51.979Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39967 (GCVE-0-2025-39967)
Vulnerability from cvelistv5
Published
2025-10-15 07:55
Modified
2025-10-15 07:55
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
fbcon: fix integer overflow in fbcon_do_set_font
Fix integer overflow vulnerabilities in fbcon_do_set_font() where font
size calculations could overflow when handling user-controlled font
parameters.
The vulnerabilities occur when:
1. CALC_FONTSZ(h, pitch, charcount) performs h * pith * charcount
multiplication with user-controlled values that can overflow.
2. FONT_EXTRA_WORDS * sizeof(int) + size addition can also overflow
3. This results in smaller allocations than expected, leading to buffer
overflows during font data copying.
Add explicit overflow checking using check_mul_overflow() and
check_add_overflow() kernel helpers to safety validate all size
calculations before allocation.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 96e41fc29e8af5c5085fb8a79cab8d0d00bab86c Version: 39b3cffb8cf3111738ea993e2757ab382253d86a Version: 39b3cffb8cf3111738ea993e2757ab382253d86a Version: 39b3cffb8cf3111738ea993e2757ab382253d86a Version: 39b3cffb8cf3111738ea993e2757ab382253d86a Version: 39b3cffb8cf3111738ea993e2757ab382253d86a Version: 39b3cffb8cf3111738ea993e2757ab382253d86a Version: 39b3cffb8cf3111738ea993e2757ab382253d86a Version: ae021a904ac82d9fc81c25329d3c465c5a7d5686 Version: 451bffa366f2cc0e5314807cb847f31c0226efed Version: 2c455e9c5865861f5ce09c5f596909495ed7657c Version: 72f099805dbc907fbe8fa19bccdc31d3e2ee6e9e Version: 34cf1aff169dc6dedad8d79da7bf1b4de2773dbc |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/core/fbcon.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "994bdc2d23c79087fbf7dcd9544454e8ebcef877",
"status": "affected",
"version": "96e41fc29e8af5c5085fb8a79cab8d0d00bab86c",
"versionType": "git"
},
{
"lessThan": "9c8ec14075c5317edd6b242f1be8167aa1e4e333",
"status": "affected",
"version": "39b3cffb8cf3111738ea993e2757ab382253d86a",
"versionType": "git"
},
{
"lessThan": "b8a6e85328aeb9881531dbe89bcd2637a06c3c95",
"status": "affected",
"version": "39b3cffb8cf3111738ea993e2757ab382253d86a",
"versionType": "git"
},
{
"lessThan": "a6eb9f423b3db000aaedf83367b8539f6b72dcfc",
"status": "affected",
"version": "39b3cffb8cf3111738ea993e2757ab382253d86a",
"versionType": "git"
},
{
"lessThan": "adac90bb1aaf45ca66f9db8ac100be16750ace78",
"status": "affected",
"version": "39b3cffb8cf3111738ea993e2757ab382253d86a",
"versionType": "git"
},
{
"lessThan": "4a4bac869560f943edbe3c2b032062f6673b13d3",
"status": "affected",
"version": "39b3cffb8cf3111738ea993e2757ab382253d86a",
"versionType": "git"
},
{
"lessThan": "c0c01f9aa08c8e10e10e8c9ebb5be01a4eff6eb7",
"status": "affected",
"version": "39b3cffb8cf3111738ea993e2757ab382253d86a",
"versionType": "git"
},
{
"lessThan": "1a194e6c8e1ee745e914b0b7f50fa86c89ed13fe",
"status": "affected",
"version": "39b3cffb8cf3111738ea993e2757ab382253d86a",
"versionType": "git"
},
{
"status": "affected",
"version": "ae021a904ac82d9fc81c25329d3c465c5a7d5686",
"versionType": "git"
},
{
"status": "affected",
"version": "451bffa366f2cc0e5314807cb847f31c0226efed",
"versionType": "git"
},
{
"status": "affected",
"version": "2c455e9c5865861f5ce09c5f596909495ed7657c",
"versionType": "git"
},
{
"status": "affected",
"version": "72f099805dbc907fbe8fa19bccdc31d3e2ee6e9e",
"versionType": "git"
},
{
"status": "affected",
"version": "34cf1aff169dc6dedad8d79da7bf1b4de2773dbc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/core/fbcon.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.155",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.50",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "5.4.62",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.155",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.109",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.235",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.235",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.196",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.143",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.8.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbcon: fix integer overflow in fbcon_do_set_font\n\nFix integer overflow vulnerabilities in fbcon_do_set_font() where font\nsize calculations could overflow when handling user-controlled font\nparameters.\n\nThe vulnerabilities occur when:\n1. CALC_FONTSZ(h, pitch, charcount) performs h * pith * charcount\n multiplication with user-controlled values that can overflow.\n2. FONT_EXTRA_WORDS * sizeof(int) + size addition can also overflow\n3. This results in smaller allocations than expected, leading to buffer\n overflows during font data copying.\n\nAdd explicit overflow checking using check_mul_overflow() and\ncheck_add_overflow() kernel helpers to safety validate all size\ncalculations before allocation."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T07:55:51.554Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/994bdc2d23c79087fbf7dcd9544454e8ebcef877"
},
{
"url": "https://git.kernel.org/stable/c/9c8ec14075c5317edd6b242f1be8167aa1e4e333"
},
{
"url": "https://git.kernel.org/stable/c/b8a6e85328aeb9881531dbe89bcd2637a06c3c95"
},
{
"url": "https://git.kernel.org/stable/c/a6eb9f423b3db000aaedf83367b8539f6b72dcfc"
},
{
"url": "https://git.kernel.org/stable/c/adac90bb1aaf45ca66f9db8ac100be16750ace78"
},
{
"url": "https://git.kernel.org/stable/c/4a4bac869560f943edbe3c2b032062f6673b13d3"
},
{
"url": "https://git.kernel.org/stable/c/c0c01f9aa08c8e10e10e8c9ebb5be01a4eff6eb7"
},
{
"url": "https://git.kernel.org/stable/c/1a194e6c8e1ee745e914b0b7f50fa86c89ed13fe"
}
],
"title": "fbcon: fix integer overflow in fbcon_do_set_font",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39967",
"datePublished": "2025-10-15T07:55:51.554Z",
"dateReserved": "2025-04-16T07:20:57.149Z",
"dateUpdated": "2025-10-15T07:55:51.554Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40125 (GCVE-0-2025-40125)
Vulnerability from cvelistv5
Published
2025-11-12 10:23
Modified
2025-12-01 06:18
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
blk-mq: check kobject state_in_sysfs before deleting in blk_mq_unregister_hctx
In __blk_mq_update_nr_hw_queues() the return value of
blk_mq_sysfs_register_hctxs() is not checked. If sysfs creation for hctx
fails, later changing the number of hw_queues or removing disk will
trigger the following warning:
kernfs: can not remove 'nr_tags', no directory
WARNING: CPU: 2 PID: 637 at fs/kernfs/dir.c:1707 kernfs_remove_by_name_ns+0x13f/0x160
Call Trace:
remove_files.isra.1+0x38/0xb0
sysfs_remove_group+0x4d/0x100
sysfs_remove_groups+0x31/0x60
__kobject_del+0x23/0xf0
kobject_del+0x17/0x40
blk_mq_unregister_hctx+0x5d/0x80
blk_mq_sysfs_unregister_hctxs+0x94/0xd0
blk_mq_update_nr_hw_queues+0x124/0x760
nullb_update_nr_hw_queues+0x71/0xf0 [null_blk]
nullb_device_submit_queues_store+0x92/0x120 [null_blk]
kobjct_del() was called unconditionally even if sysfs creation failed.
Fix it by checkig the kobject creation statusbefore deleting it.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 477e19dedc9d3e1f4443a1d4ae00572a988120ea Version: 477e19dedc9d3e1f4443a1d4ae00572a988120ea Version: 477e19dedc9d3e1f4443a1d4ae00572a988120ea Version: 477e19dedc9d3e1f4443a1d4ae00572a988120ea Version: 477e19dedc9d3e1f4443a1d4ae00572a988120ea Version: 477e19dedc9d3e1f4443a1d4ae00572a988120ea Version: 477e19dedc9d3e1f4443a1d4ae00572a988120ea Version: 477e19dedc9d3e1f4443a1d4ae00572a988120ea |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/blk-mq-sysfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a8c53553f1833cc2d14175d2d72cf37193a01898",
"status": "affected",
"version": "477e19dedc9d3e1f4443a1d4ae00572a988120ea",
"versionType": "git"
},
{
"lessThan": "cc14ea21c4e658814d737ed4dedde6cd626a15ad",
"status": "affected",
"version": "477e19dedc9d3e1f4443a1d4ae00572a988120ea",
"versionType": "git"
},
{
"lessThan": "4b97e99b87a773d52699521d40864f3ec888e9a6",
"status": "affected",
"version": "477e19dedc9d3e1f4443a1d4ae00572a988120ea",
"versionType": "git"
},
{
"lessThan": "6e7dadc5763c48eb3b9b91265a21f312599ebb2c",
"status": "affected",
"version": "477e19dedc9d3e1f4443a1d4ae00572a988120ea",
"versionType": "git"
},
{
"lessThan": "06c4826b1d900611096e4621e93133db57e13911",
"status": "affected",
"version": "477e19dedc9d3e1f4443a1d4ae00572a988120ea",
"versionType": "git"
},
{
"lessThan": "babc634e9fe2803962dba98a07587e835dbc0731",
"status": "affected",
"version": "477e19dedc9d3e1f4443a1d4ae00572a988120ea",
"versionType": "git"
},
{
"lessThan": "d5ddd76ee52bdc16e9f8b1e7791291e785dab032",
"status": "affected",
"version": "477e19dedc9d3e1f4443a1d4ae00572a988120ea",
"versionType": "git"
},
{
"lessThan": "4c7ef92f6d4d08a27d676e4c348f4e2922cab3ed",
"status": "affected",
"version": "477e19dedc9d3e1f4443a1d4ae00572a988120ea",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/blk-mq-sysfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.20"
},
{
"lessThan": "4.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-mq: check kobject state_in_sysfs before deleting in blk_mq_unregister_hctx\n\nIn __blk_mq_update_nr_hw_queues() the return value of\nblk_mq_sysfs_register_hctxs() is not checked. If sysfs creation for hctx\nfails, later changing the number of hw_queues or removing disk will\ntrigger the following warning:\n\n kernfs: can not remove \u0027nr_tags\u0027, no directory\n WARNING: CPU: 2 PID: 637 at fs/kernfs/dir.c:1707 kernfs_remove_by_name_ns+0x13f/0x160\n Call Trace:\n remove_files.isra.1+0x38/0xb0\n sysfs_remove_group+0x4d/0x100\n sysfs_remove_groups+0x31/0x60\n __kobject_del+0x23/0xf0\n kobject_del+0x17/0x40\n blk_mq_unregister_hctx+0x5d/0x80\n blk_mq_sysfs_unregister_hctxs+0x94/0xd0\n blk_mq_update_nr_hw_queues+0x124/0x760\n nullb_update_nr_hw_queues+0x71/0xf0 [null_blk]\n nullb_device_submit_queues_store+0x92/0x120 [null_blk]\n\nkobjct_del() was called unconditionally even if sysfs creation failed.\nFix it by checkig the kobject creation statusbefore deleting it."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:18:30.912Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a8c53553f1833cc2d14175d2d72cf37193a01898"
},
{
"url": "https://git.kernel.org/stable/c/cc14ea21c4e658814d737ed4dedde6cd626a15ad"
},
{
"url": "https://git.kernel.org/stable/c/4b97e99b87a773d52699521d40864f3ec888e9a6"
},
{
"url": "https://git.kernel.org/stable/c/6e7dadc5763c48eb3b9b91265a21f312599ebb2c"
},
{
"url": "https://git.kernel.org/stable/c/06c4826b1d900611096e4621e93133db57e13911"
},
{
"url": "https://git.kernel.org/stable/c/babc634e9fe2803962dba98a07587e835dbc0731"
},
{
"url": "https://git.kernel.org/stable/c/d5ddd76ee52bdc16e9f8b1e7791291e785dab032"
},
{
"url": "https://git.kernel.org/stable/c/4c7ef92f6d4d08a27d676e4c348f4e2922cab3ed"
}
],
"title": "blk-mq: check kobject state_in_sysfs before deleting in blk_mq_unregister_hctx",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40125",
"datePublished": "2025-11-12T10:23:20.180Z",
"dateReserved": "2025-04-16T07:20:57.169Z",
"dateUpdated": "2025-12-01T06:18:30.912Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40030 (GCVE-0-2025-40030)
Vulnerability from cvelistv5
Published
2025-10-28 11:48
Modified
2026-01-02 15:32
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
pinctrl: check the return value of pinmux_ops::get_function_name()
While the API contract in docs doesn't specify it explicitly, the
generic implementation of the get_function_name() callback from struct
pinmux_ops - pinmux_generic_get_function_name() - can fail and return
NULL. This is already checked in pinmux_check_ops() so add a similar
check in pinmux_func_name_to_selector() instead of passing the returned
pointer right down to strcmp() where the NULL can get dereferenced. This
is normal operation when adding new pinfunctions.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: f913cfce4ee49a3382a9ff95696f49a46e56e974 Version: f913cfce4ee49a3382a9ff95696f49a46e56e974 Version: f913cfce4ee49a3382a9ff95696f49a46e56e974 Version: f913cfce4ee49a3382a9ff95696f49a46e56e974 Version: f913cfce4ee49a3382a9ff95696f49a46e56e974 Version: f913cfce4ee49a3382a9ff95696f49a46e56e974 Version: f913cfce4ee49a3382a9ff95696f49a46e56e974 Version: f913cfce4ee49a3382a9ff95696f49a46e56e974 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pinctrl/pinmux.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1a7fc8fed2bb2e113604fde7a45432ace2056b97",
"status": "affected",
"version": "f913cfce4ee49a3382a9ff95696f49a46e56e974",
"versionType": "git"
},
{
"lessThan": "e7265dc4c670b89611bcf5fe33acf99bc0aa294f",
"status": "affected",
"version": "f913cfce4ee49a3382a9ff95696f49a46e56e974",
"versionType": "git"
},
{
"lessThan": "d77ef2f621cd1d605372c4c6ce667c496f6990c3",
"status": "affected",
"version": "f913cfce4ee49a3382a9ff95696f49a46e56e974",
"versionType": "git"
},
{
"lessThan": "ba7f7c2b2b3261e7def67018c38c69b626e0e66e",
"status": "affected",
"version": "f913cfce4ee49a3382a9ff95696f49a46e56e974",
"versionType": "git"
},
{
"lessThan": "1a2ea887a5cd7d47bab599f733d89444df018b1a",
"status": "affected",
"version": "f913cfce4ee49a3382a9ff95696f49a46e56e974",
"versionType": "git"
},
{
"lessThan": "688c688e0bf55824f4a38f8c2180046f089a3e3b",
"status": "affected",
"version": "f913cfce4ee49a3382a9ff95696f49a46e56e974",
"versionType": "git"
},
{
"lessThan": "b7e0535060a60cc99eafc19cc665d979714cd73a",
"status": "affected",
"version": "f913cfce4ee49a3382a9ff95696f49a46e56e974",
"versionType": "git"
},
{
"lessThan": "4002ee98c022d671ecc1e4a84029e9ae7d8a5603",
"status": "affected",
"version": "f913cfce4ee49a3382a9ff95696f49a46e56e974",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pinctrl/pinmux.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: check the return value of pinmux_ops::get_function_name()\n\nWhile the API contract in docs doesn\u0027t specify it explicitly, the\ngeneric implementation of the get_function_name() callback from struct\npinmux_ops - pinmux_generic_get_function_name() - can fail and return\nNULL. This is already checked in pinmux_check_ops() so add a similar\ncheck in pinmux_func_name_to_selector() instead of passing the returned\npointer right down to strcmp() where the NULL can get dereferenced. This\nis normal operation when adding new pinfunctions."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:32:56.253Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1a7fc8fed2bb2e113604fde7a45432ace2056b97"
},
{
"url": "https://git.kernel.org/stable/c/e7265dc4c670b89611bcf5fe33acf99bc0aa294f"
},
{
"url": "https://git.kernel.org/stable/c/d77ef2f621cd1d605372c4c6ce667c496f6990c3"
},
{
"url": "https://git.kernel.org/stable/c/ba7f7c2b2b3261e7def67018c38c69b626e0e66e"
},
{
"url": "https://git.kernel.org/stable/c/1a2ea887a5cd7d47bab599f733d89444df018b1a"
},
{
"url": "https://git.kernel.org/stable/c/688c688e0bf55824f4a38f8c2180046f089a3e3b"
},
{
"url": "https://git.kernel.org/stable/c/b7e0535060a60cc99eafc19cc665d979714cd73a"
},
{
"url": "https://git.kernel.org/stable/c/4002ee98c022d671ecc1e4a84029e9ae7d8a5603"
}
],
"title": "pinctrl: check the return value of pinmux_ops::get_function_name()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40030",
"datePublished": "2025-10-28T11:48:01.608Z",
"dateReserved": "2025-04-16T07:20:57.153Z",
"dateUpdated": "2026-01-02T15:32:56.253Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23098 (GCVE-0-2026-23098)
Vulnerability from cvelistv5
Published
2026-02-04 16:08
Modified
2026-04-03 13:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netrom: fix double-free in nr_route_frame()
In nr_route_frame(), old_skb is immediately freed without checking if
nr_neigh->ax25 pointer is NULL. Therefore, if nr_neigh->ax25 is NULL,
the caller function will free old_skb again, causing a double-free bug.
Therefore, to prevent this, we need to modify it to check whether
nr_neigh->ax25 is NULL before freeing old_skb.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netrom/nr_route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "25aab6bfc31017a7e52035b99aef5c2b6bde8ffb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6e0110ea90313b7c0558a0b77038274a6821caf8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7c48fdf2d1349bb54815b56fb012b9d577707708",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "bd8955337e3764f912f49b360e176d8aaecf7016",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "94d1a8bd08af1f4cc345c5c29f5db1ea72b8bb8c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9f5fa78d9980fe75a69835521627ab7943cb3d67",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ba1096c315283ee3292765f6aea4cca15816c4f7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netrom/nr_route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetrom: fix double-free in nr_route_frame()\n\nIn nr_route_frame(), old_skb is immediately freed without checking if\nnr_neigh-\u003eax25 pointer is NULL. Therefore, if nr_neigh-\u003eax25 is NULL,\nthe caller function will free old_skb again, causing a double-free bug.\n\nTherefore, to prevent this, we need to modify it to check whether\nnr_neigh-\u003eax25 is NULL before freeing old_skb."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T13:31:55.725Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/25aab6bfc31017a7e52035b99aef5c2b6bde8ffb"
},
{
"url": "https://git.kernel.org/stable/c/6e0110ea90313b7c0558a0b77038274a6821caf8"
},
{
"url": "https://git.kernel.org/stable/c/7c48fdf2d1349bb54815b56fb012b9d577707708"
},
{
"url": "https://git.kernel.org/stable/c/bd8955337e3764f912f49b360e176d8aaecf7016"
},
{
"url": "https://git.kernel.org/stable/c/94d1a8bd08af1f4cc345c5c29f5db1ea72b8bb8c"
},
{
"url": "https://git.kernel.org/stable/c/9f5fa78d9980fe75a69835521627ab7943cb3d67"
},
{
"url": "https://git.kernel.org/stable/c/ba1096c315283ee3292765f6aea4cca15816c4f7"
}
],
"title": "netrom: fix double-free in nr_route_frame()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23098",
"datePublished": "2026-02-04T16:08:20.692Z",
"dateReserved": "2026-01-13T15:37:45.964Z",
"dateUpdated": "2026-04-03T13:31:55.725Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68368 (GCVE-0-2025-68368)
Vulnerability from cvelistv5
Published
2025-12-24 10:32
Modified
2026-02-09 08:32
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
md: init bioset in mddev_init
IO operations may be needed before md_run(), such as updating metadata
after writing sysfs. Without bioset, this triggers a NULL pointer
dereference as below:
BUG: kernel NULL pointer dereference, address: 0000000000000020
Call Trace:
md_update_sb+0x658/0xe00
new_level_store+0xc5/0x120
md_attr_store+0xc9/0x1e0
sysfs_kf_write+0x6f/0xa0
kernfs_fop_write_iter+0x141/0x2a0
vfs_write+0x1fc/0x5a0
ksys_write+0x79/0x180
__x64_sys_write+0x1d/0x30
x64_sys_call+0x2818/0x2880
do_syscall_64+0xa9/0x580
entry_SYSCALL_64_after_hwframe+0x4b/0x53
Reproducer
```
mdadm -CR /dev/md0 -l1 -n2 /dev/sd[cd]
echo inactive > /sys/block/md0/md/array_state
echo 10 > /sys/block/md0/md/new_level
```
mddev_init() can only be called once per mddev, no need to test if bioset
has been initialized anymore.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/md.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9d37fe37dfa0833a8768740f0575e0ffd793cb4a",
"status": "affected",
"version": "d981ed8419303ed12351eea8541ad6cb76455fe3",
"versionType": "git"
},
{
"lessThan": "381a3ce1c0ffed647c9b913e142b099c7e9d5afc",
"status": "affected",
"version": "d981ed8419303ed12351eea8541ad6cb76455fe3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/md.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.12"
},
{
"lessThan": "6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: init bioset in mddev_init\n\nIO operations may be needed before md_run(), such as updating metadata\nafter writing sysfs. Without bioset, this triggers a NULL pointer\ndereference as below:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000020\n Call Trace:\n md_update_sb+0x658/0xe00\n new_level_store+0xc5/0x120\n md_attr_store+0xc9/0x1e0\n sysfs_kf_write+0x6f/0xa0\n kernfs_fop_write_iter+0x141/0x2a0\n vfs_write+0x1fc/0x5a0\n ksys_write+0x79/0x180\n __x64_sys_write+0x1d/0x30\n x64_sys_call+0x2818/0x2880\n do_syscall_64+0xa9/0x580\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\nReproducer\n```\n mdadm -CR /dev/md0 -l1 -n2 /dev/sd[cd]\n echo inactive \u003e /sys/block/md0/md/array_state\n echo 10 \u003e /sys/block/md0/md/new_level\n```\n\nmddev_init() can only be called once per mddev, no need to test if bioset\nhas been initialized anymore."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:32:05.084Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9d37fe37dfa0833a8768740f0575e0ffd793cb4a"
},
{
"url": "https://git.kernel.org/stable/c/381a3ce1c0ffed647c9b913e142b099c7e9d5afc"
}
],
"title": "md: init bioset in mddev_init",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68368",
"datePublished": "2025-12-24T10:32:54.765Z",
"dateReserved": "2025-12-16T14:48:05.309Z",
"dateUpdated": "2026-02-09T08:32:05.084Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40087 (GCVE-0-2025-40087)
Vulnerability from cvelistv5
Published
2025-10-30 09:47
Modified
2025-12-01 06:17
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
NFSD: Define a proc_layoutcommit for the FlexFiles layout type
Avoid a crash if a pNFS client should happen to send a LAYOUTCOMMIT
operation on a FlexFiles layout.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 9b9960a0ca4773e21c4b153ed355583946346b25 Version: 9b9960a0ca4773e21c4b153ed355583946346b25 Version: 9b9960a0ca4773e21c4b153ed355583946346b25 Version: 9b9960a0ca4773e21c4b153ed355583946346b25 Version: 9b9960a0ca4773e21c4b153ed355583946346b25 Version: 9b9960a0ca4773e21c4b153ed355583946346b25 Version: 9b9960a0ca4773e21c4b153ed355583946346b25 Version: 9b9960a0ca4773e21c4b153ed355583946346b25 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfsd/flexfilelayout.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a75994dd879401c3e24ff51c2536559f1a53ea27",
"status": "affected",
"version": "9b9960a0ca4773e21c4b153ed355583946346b25",
"versionType": "git"
},
{
"lessThan": "34d187e020cbda112a6c6f094f0ca5e6a8672b75",
"status": "affected",
"version": "9b9960a0ca4773e21c4b153ed355583946346b25",
"versionType": "git"
},
{
"lessThan": "ba88a53d7f5df4191583abf214214efe0cda91d2",
"status": "affected",
"version": "9b9960a0ca4773e21c4b153ed355583946346b25",
"versionType": "git"
},
{
"lessThan": "da9129ef77786839a3ccd1d7afeeab790bceaa1d",
"status": "affected",
"version": "9b9960a0ca4773e21c4b153ed355583946346b25",
"versionType": "git"
},
{
"lessThan": "f7353208c91ab004e0179c5fb6c365b0f132f9f0",
"status": "affected",
"version": "9b9960a0ca4773e21c4b153ed355583946346b25",
"versionType": "git"
},
{
"lessThan": "a156af6a4dc38c2aa7c98e89520a70fb3b3e7df4",
"status": "affected",
"version": "9b9960a0ca4773e21c4b153ed355583946346b25",
"versionType": "git"
},
{
"lessThan": "785ec512afa80d0540f2ca797c0e56de747a6083",
"status": "affected",
"version": "9b9960a0ca4773e21c4b153ed355583946346b25",
"versionType": "git"
},
{
"lessThan": "4b47a8601b71ad98833b447d465592d847b4dc77",
"status": "affected",
"version": "9b9960a0ca4773e21c4b153ed355583946346b25",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfsd/flexfilelayout.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.196",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.114",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.196",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.114",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.55",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.5",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Define a proc_layoutcommit for the FlexFiles layout type\n\nAvoid a crash if a pNFS client should happen to send a LAYOUTCOMMIT\noperation on a FlexFiles layout."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:17:45.180Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a75994dd879401c3e24ff51c2536559f1a53ea27"
},
{
"url": "https://git.kernel.org/stable/c/34d187e020cbda112a6c6f094f0ca5e6a8672b75"
},
{
"url": "https://git.kernel.org/stable/c/ba88a53d7f5df4191583abf214214efe0cda91d2"
},
{
"url": "https://git.kernel.org/stable/c/da9129ef77786839a3ccd1d7afeeab790bceaa1d"
},
{
"url": "https://git.kernel.org/stable/c/f7353208c91ab004e0179c5fb6c365b0f132f9f0"
},
{
"url": "https://git.kernel.org/stable/c/a156af6a4dc38c2aa7c98e89520a70fb3b3e7df4"
},
{
"url": "https://git.kernel.org/stable/c/785ec512afa80d0540f2ca797c0e56de747a6083"
},
{
"url": "https://git.kernel.org/stable/c/4b47a8601b71ad98833b447d465592d847b4dc77"
}
],
"title": "NFSD: Define a proc_layoutcommit for the FlexFiles layout type",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40087",
"datePublished": "2025-10-30T09:47:56.675Z",
"dateReserved": "2025-04-16T07:20:57.162Z",
"dateUpdated": "2025-12-01T06:17:45.180Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38232 (GCVE-0-2025-38232)
Vulnerability from cvelistv5
Published
2025-07-04 13:37
Modified
2026-02-06 16:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
NFSD: fix race between nfsd registration and exports_proc
As of now nfsd calls create_proc_exports_entry() at start of init_nfsd
and cleanup by remove_proc_entry() at last of exit_nfsd.
Which causes kernel OOPs if there is race between below 2 operations:
(i) exportfs -r
(ii) mount -t nfsd none /proc/fs/nfsd
for 5.4 kernel ARM64:
CPU 1:
el1_irq+0xbc/0x180
arch_counter_get_cntvct+0x14/0x18
running_clock+0xc/0x18
preempt_count_add+0x88/0x110
prep_new_page+0xb0/0x220
get_page_from_freelist+0x2d8/0x1778
__alloc_pages_nodemask+0x15c/0xef0
__vmalloc_node_range+0x28c/0x478
__vmalloc_node_flags_caller+0x8c/0xb0
kvmalloc_node+0x88/0xe0
nfsd_init_net+0x6c/0x108 [nfsd]
ops_init+0x44/0x170
register_pernet_operations+0x114/0x270
register_pernet_subsys+0x34/0x50
init_nfsd+0xa8/0x718 [nfsd]
do_one_initcall+0x54/0x2e0
CPU 2 :
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010
PC is at : exports_net_open+0x50/0x68 [nfsd]
Call trace:
exports_net_open+0x50/0x68 [nfsd]
exports_proc_open+0x2c/0x38 [nfsd]
proc_reg_open+0xb8/0x198
do_dentry_open+0x1c4/0x418
vfs_open+0x38/0x48
path_openat+0x28c/0xf18
do_filp_open+0x70/0xe8
do_sys_open+0x154/0x248
Sometimes it crashes at exports_net_open() and sometimes cache_seq_next_rcu().
and same is happening on latest 6.14 kernel as well:
[ 0.000000] Linux version 6.14.0-rc5-next-20250304-dirty
...
[ 285.455918] Unable to handle kernel paging request at virtual address 00001f4800001f48
...
[ 285.464902] pc : cache_seq_next_rcu+0x78/0xa4
...
[ 285.469695] Call trace:
[ 285.470083] cache_seq_next_rcu+0x78/0xa4 (P)
[ 285.470488] seq_read+0xe0/0x11c
[ 285.470675] proc_reg_read+0x9c/0xf0
[ 285.470874] vfs_read+0xc4/0x2fc
[ 285.471057] ksys_read+0x6c/0xf4
[ 285.471231] __arm64_sys_read+0x1c/0x28
[ 285.471428] invoke_syscall+0x44/0x100
[ 285.471633] el0_svc_common.constprop.0+0x40/0xe0
[ 285.471870] do_el0_svc_compat+0x1c/0x34
[ 285.472073] el0_svc_compat+0x2c/0x80
[ 285.472265] el0t_32_sync_handler+0x90/0x140
[ 285.472473] el0t_32_sync+0x19c/0x1a0
[ 285.472887] Code: f9400885 93407c23 937d7c27 11000421 (f86378a3)
[ 285.473422] ---[ end trace 0000000000000000 ]---
It reproduced simply with below script:
while [ 1 ]
do
/exportfs -r
done &
while [ 1 ]
do
insmod /nfsd.ko
mount -t nfsd none /proc/fs/nfsd
umount /proc/fs/nfsd
rmmod nfsd
done &
So exporting interfaces to user space shall be done at last and
cleanup at first place.
With change there is no Kernel OOPs.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: bd5ae9288d6451bd346a1b4a59d4fe7e62ba29b7 Version: bd5ae9288d6451bd346a1b4a59d4fe7e62ba29b7 Version: bd5ae9288d6451bd346a1b4a59d4fe7e62ba29b7 Version: bd5ae9288d6451bd346a1b4a59d4fe7e62ba29b7 Version: bd5ae9288d6451bd346a1b4a59d4fe7e62ba29b7 Version: bd5ae9288d6451bd346a1b4a59d4fe7e62ba29b7 Version: 8677e99150b0830d29cc1318b4cc559e176940bb Version: 7c7cb07d4affcf41749234fe9dc4d90cd3959e32 Version: 4d41f65efeec0a6da6088341203c81e49ebfcd90 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfsctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "49b57b98fa601ae6cc7897bab4515129da8290f7",
"status": "affected",
"version": "bd5ae9288d6451bd346a1b4a59d4fe7e62ba29b7",
"versionType": "git"
},
{
"lessThan": "88d6785c173a7c4de05bef8c4fd8a9b42ead02d5",
"status": "affected",
"version": "bd5ae9288d6451bd346a1b4a59d4fe7e62ba29b7",
"versionType": "git"
},
{
"lessThan": "8120e420013d947c890f358f30a2d98ba8ac20bc",
"status": "affected",
"version": "bd5ae9288d6451bd346a1b4a59d4fe7e62ba29b7",
"versionType": "git"
},
{
"lessThan": "2029ca75cdfa6a25716a5a76b751486cce7e3822",
"status": "affected",
"version": "bd5ae9288d6451bd346a1b4a59d4fe7e62ba29b7",
"versionType": "git"
},
{
"lessThan": "327011a2bb4f7de9c72b891a96ce8d902828bddf",
"status": "affected",
"version": "bd5ae9288d6451bd346a1b4a59d4fe7e62ba29b7",
"versionType": "git"
},
{
"lessThan": "f7fb730cac9aafda8b9813b55d04e28a9664d17c",
"status": "affected",
"version": "bd5ae9288d6451bd346a1b4a59d4fe7e62ba29b7",
"versionType": "git"
},
{
"status": "affected",
"version": "8677e99150b0830d29cc1318b4cc559e176940bb",
"versionType": "git"
},
{
"status": "affected",
"version": "7c7cb07d4affcf41749234fe9dc4d90cd3959e32",
"versionType": "git"
},
{
"status": "affected",
"version": "4d41f65efeec0a6da6088341203c81e49ebfcd90",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfsctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.35",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.4",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.102",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.11.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: fix race between nfsd registration and exports_proc\n\nAs of now nfsd calls create_proc_exports_entry() at start of init_nfsd\nand cleanup by remove_proc_entry() at last of exit_nfsd.\n\nWhich causes kernel OOPs if there is race between below 2 operations:\n(i) exportfs -r\n(ii) mount -t nfsd none /proc/fs/nfsd\n\nfor 5.4 kernel ARM64:\n\nCPU 1:\nel1_irq+0xbc/0x180\narch_counter_get_cntvct+0x14/0x18\nrunning_clock+0xc/0x18\npreempt_count_add+0x88/0x110\nprep_new_page+0xb0/0x220\nget_page_from_freelist+0x2d8/0x1778\n__alloc_pages_nodemask+0x15c/0xef0\n__vmalloc_node_range+0x28c/0x478\n__vmalloc_node_flags_caller+0x8c/0xb0\nkvmalloc_node+0x88/0xe0\nnfsd_init_net+0x6c/0x108 [nfsd]\nops_init+0x44/0x170\nregister_pernet_operations+0x114/0x270\nregister_pernet_subsys+0x34/0x50\ninit_nfsd+0xa8/0x718 [nfsd]\ndo_one_initcall+0x54/0x2e0\n\nCPU 2 :\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000010\n\nPC is at : exports_net_open+0x50/0x68 [nfsd]\n\nCall trace:\nexports_net_open+0x50/0x68 [nfsd]\nexports_proc_open+0x2c/0x38 [nfsd]\nproc_reg_open+0xb8/0x198\ndo_dentry_open+0x1c4/0x418\nvfs_open+0x38/0x48\npath_openat+0x28c/0xf18\ndo_filp_open+0x70/0xe8\ndo_sys_open+0x154/0x248\n\nSometimes it crashes at exports_net_open() and sometimes cache_seq_next_rcu().\n\nand same is happening on latest 6.14 kernel as well:\n\n[ 0.000000] Linux version 6.14.0-rc5-next-20250304-dirty\n...\n[ 285.455918] Unable to handle kernel paging request at virtual address 00001f4800001f48\n...\n[ 285.464902] pc : cache_seq_next_rcu+0x78/0xa4\n...\n[ 285.469695] Call trace:\n[ 285.470083] cache_seq_next_rcu+0x78/0xa4 (P)\n[ 285.470488] seq_read+0xe0/0x11c\n[ 285.470675] proc_reg_read+0x9c/0xf0\n[ 285.470874] vfs_read+0xc4/0x2fc\n[ 285.471057] ksys_read+0x6c/0xf4\n[ 285.471231] __arm64_sys_read+0x1c/0x28\n[ 285.471428] invoke_syscall+0x44/0x100\n[ 285.471633] el0_svc_common.constprop.0+0x40/0xe0\n[ 285.471870] do_el0_svc_compat+0x1c/0x34\n[ 285.472073] el0_svc_compat+0x2c/0x80\n[ 285.472265] el0t_32_sync_handler+0x90/0x140\n[ 285.472473] el0t_32_sync+0x19c/0x1a0\n[ 285.472887] Code: f9400885 93407c23 937d7c27 11000421 (f86378a3)\n[ 285.473422] ---[ end trace 0000000000000000 ]---\n\nIt reproduced simply with below script:\nwhile [ 1 ]\ndo\n/exportfs -r\ndone \u0026\n\nwhile [ 1 ]\ndo\ninsmod /nfsd.ko\nmount -t nfsd none /proc/fs/nfsd\numount /proc/fs/nfsd\nrmmod nfsd\ndone \u0026\n\nSo exporting interfaces to user space shall be done at last and\ncleanup at first place.\n\nWith change there is no Kernel OOPs."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T16:31:16.555Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/49b57b98fa601ae6cc7897bab4515129da8290f7"
},
{
"url": "https://git.kernel.org/stable/c/88d6785c173a7c4de05bef8c4fd8a9b42ead02d5"
},
{
"url": "https://git.kernel.org/stable/c/8120e420013d947c890f358f30a2d98ba8ac20bc"
},
{
"url": "https://git.kernel.org/stable/c/2029ca75cdfa6a25716a5a76b751486cce7e3822"
},
{
"url": "https://git.kernel.org/stable/c/327011a2bb4f7de9c72b891a96ce8d902828bddf"
},
{
"url": "https://git.kernel.org/stable/c/f7fb730cac9aafda8b9813b55d04e28a9664d17c"
}
],
"title": "NFSD: fix race between nfsd registration and exports_proc",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38232",
"datePublished": "2025-07-04T13:37:45.635Z",
"dateReserved": "2025-04-16T04:51:23.996Z",
"dateUpdated": "2026-02-06T16:31:16.555Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39971 (GCVE-0-2025-39971)
Vulnerability from cvelistv5
Published
2025-10-15 07:55
Modified
2025-10-15 07:55
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
i40e: fix idx validation in config queues msg
Ensure idx is within range of active/initialized TCs when iterating over
vf->ch[idx] in i40e_vc_config_queues_msg().
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: c27eac48160de72dee33d42b5a33cc7b8a2eb1f5 Version: c27eac48160de72dee33d42b5a33cc7b8a2eb1f5 Version: c27eac48160de72dee33d42b5a33cc7b8a2eb1f5 Version: c27eac48160de72dee33d42b5a33cc7b8a2eb1f5 Version: c27eac48160de72dee33d42b5a33cc7b8a2eb1f5 Version: c27eac48160de72dee33d42b5a33cc7b8a2eb1f5 Version: c27eac48160de72dee33d42b5a33cc7b8a2eb1f5 Version: c27eac48160de72dee33d42b5a33cc7b8a2eb1f5 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a6ff2af78343eceb0f77ab1a2fe802183bc21648",
"status": "affected",
"version": "c27eac48160de72dee33d42b5a33cc7b8a2eb1f5",
"versionType": "git"
},
{
"lessThan": "f5f91d164af22e7147130ef8bebbdb28d8ecc6e2",
"status": "affected",
"version": "c27eac48160de72dee33d42b5a33cc7b8a2eb1f5",
"versionType": "git"
},
{
"lessThan": "1fa0aadade34481c567cdf4a897c0d4e4d548bd1",
"status": "affected",
"version": "c27eac48160de72dee33d42b5a33cc7b8a2eb1f5",
"versionType": "git"
},
{
"lessThan": "8b9c7719b0987b1c6c5fc910599f3618a558dbde",
"status": "affected",
"version": "c27eac48160de72dee33d42b5a33cc7b8a2eb1f5",
"versionType": "git"
},
{
"lessThan": "2cc26dac0518d2fa9b67ec813ee60e183480f98a",
"status": "affected",
"version": "c27eac48160de72dee33d42b5a33cc7b8a2eb1f5",
"versionType": "git"
},
{
"lessThan": "bfcc1dff429d4b99ba03e40ddacc68ea4be2b32b",
"status": "affected",
"version": "c27eac48160de72dee33d42b5a33cc7b8a2eb1f5",
"versionType": "git"
},
{
"lessThan": "5c1f96123113e0bdc6d8dc2b0830184c93da9f65",
"status": "affected",
"version": "c27eac48160de72dee33d42b5a33cc7b8a2eb1f5",
"versionType": "git"
},
{
"lessThan": "f1ad24c5abe1eaef69158bac1405a74b3c365115",
"status": "affected",
"version": "c27eac48160de72dee33d42b5a33cc7b8a2eb1f5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.155",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.50",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.155",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.109",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: fix idx validation in config queues msg\n\nEnsure idx is within range of active/initialized TCs when iterating over\nvf-\u003ech[idx] in i40e_vc_config_queues_msg()."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T07:55:54.270Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a6ff2af78343eceb0f77ab1a2fe802183bc21648"
},
{
"url": "https://git.kernel.org/stable/c/f5f91d164af22e7147130ef8bebbdb28d8ecc6e2"
},
{
"url": "https://git.kernel.org/stable/c/1fa0aadade34481c567cdf4a897c0d4e4d548bd1"
},
{
"url": "https://git.kernel.org/stable/c/8b9c7719b0987b1c6c5fc910599f3618a558dbde"
},
{
"url": "https://git.kernel.org/stable/c/2cc26dac0518d2fa9b67ec813ee60e183480f98a"
},
{
"url": "https://git.kernel.org/stable/c/bfcc1dff429d4b99ba03e40ddacc68ea4be2b32b"
},
{
"url": "https://git.kernel.org/stable/c/5c1f96123113e0bdc6d8dc2b0830184c93da9f65"
},
{
"url": "https://git.kernel.org/stable/c/f1ad24c5abe1eaef69158bac1405a74b3c365115"
}
],
"title": "i40e: fix idx validation in config queues msg",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39971",
"datePublished": "2025-10-15T07:55:54.270Z",
"dateReserved": "2025-04-16T07:20:57.149Z",
"dateUpdated": "2025-10-15T07:55:54.270Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-68781 (GCVE-0-2025-68781)
Vulnerability from cvelistv5
Published
2026-01-13 15:28
Modified
2026-02-09 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: phy: fsl-usb: Fix use-after-free in delayed work during device removal
The delayed work item otg_event is initialized in fsl_otg_conf() and
scheduled under two conditions:
1. When a host controller binds to the OTG controller.
2. When the USB ID pin state changes (cable insertion/removal).
A race condition occurs when the device is removed via fsl_otg_remove():
the fsl_otg instance may be freed while the delayed work is still pending
or executing. This leads to use-after-free when the work function
fsl_otg_event() accesses the already freed memory.
The problematic scenario:
(detach thread) | (delayed work)
fsl_otg_remove() |
kfree(fsl_otg_dev) //FREE| fsl_otg_event()
| og = container_of(...) //USE
| og-> //USE
Fix this by calling disable_delayed_work_sync() in fsl_otg_remove()
before deallocating the fsl_otg structure. This ensures the delayed work
is properly canceled and completes execution prior to memory deallocation.
This bug was identified through static analysis.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/phy/phy-fsl-usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4476c73bbbb09b13a962176fca934b32d3954a2e",
"status": "affected",
"version": "0807c500a1a6d7fa20cbd7bbe7fea14a66112463",
"versionType": "git"
},
{
"lessThan": "319f7a85b3c4e34ac2fe083eb146fe129a556317",
"status": "affected",
"version": "0807c500a1a6d7fa20cbd7bbe7fea14a66112463",
"versionType": "git"
},
{
"lessThan": "69f9a0701abc3d1f8225074c56c27e6c16a37222",
"status": "affected",
"version": "0807c500a1a6d7fa20cbd7bbe7fea14a66112463",
"versionType": "git"
},
{
"lessThan": "2e7c47e2eb3cfeadf78a1ccbac8492c60d508f23",
"status": "affected",
"version": "0807c500a1a6d7fa20cbd7bbe7fea14a66112463",
"versionType": "git"
},
{
"lessThan": "41ca62e3e21e48c2903b3b45e232cf4f2ff7434f",
"status": "affected",
"version": "0807c500a1a6d7fa20cbd7bbe7fea14a66112463",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/phy/phy-fsl-usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.0"
},
{
"lessThan": "3.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: phy: fsl-usb: Fix use-after-free in delayed work during device removal\n\nThe delayed work item otg_event is initialized in fsl_otg_conf() and\nscheduled under two conditions:\n1. When a host controller binds to the OTG controller.\n2. When the USB ID pin state changes (cable insertion/removal).\n\nA race condition occurs when the device is removed via fsl_otg_remove():\nthe fsl_otg instance may be freed while the delayed work is still pending\nor executing. This leads to use-after-free when the work function\nfsl_otg_event() accesses the already freed memory.\n\nThe problematic scenario:\n\n(detach thread) | (delayed work)\nfsl_otg_remove() |\n kfree(fsl_otg_dev) //FREE| fsl_otg_event()\n | og = container_of(...) //USE\n | og-\u003e //USE\n\nFix this by calling disable_delayed_work_sync() in fsl_otg_remove()\nbefore deallocating the fsl_otg structure. This ensures the delayed work\nis properly canceled and completes execution prior to memory deallocation.\n\nThis bug was identified through static analysis."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:27.559Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4476c73bbbb09b13a962176fca934b32d3954a2e"
},
{
"url": "https://git.kernel.org/stable/c/319f7a85b3c4e34ac2fe083eb146fe129a556317"
},
{
"url": "https://git.kernel.org/stable/c/69f9a0701abc3d1f8225074c56c27e6c16a37222"
},
{
"url": "https://git.kernel.org/stable/c/2e7c47e2eb3cfeadf78a1ccbac8492c60d508f23"
},
{
"url": "https://git.kernel.org/stable/c/41ca62e3e21e48c2903b3b45e232cf4f2ff7434f"
}
],
"title": "usb: phy: fsl-usb: Fix use-after-free in delayed work during device removal",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68781",
"datePublished": "2026-01-13T15:28:56.261Z",
"dateReserved": "2025-12-24T10:30:51.036Z",
"dateUpdated": "2026-02-09T08:33:27.559Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39953 (GCVE-0-2025-39953)
Vulnerability from cvelistv5
Published
2025-10-04 07:31
Modified
2025-10-04 07:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
cgroup: split cgroup_destroy_wq into 3 workqueues
A hung task can occur during [1] LTP cgroup testing when repeatedly
mounting/unmounting perf_event and net_prio controllers with
systemd.unified_cgroup_hierarchy=1. The hang manifests in
cgroup_lock_and_drain_offline() during root destruction.
Related case:
cgroup_fj_function_perf_event cgroup_fj_function.sh perf_event
cgroup_fj_function_net_prio cgroup_fj_function.sh net_prio
Call Trace:
cgroup_lock_and_drain_offline+0x14c/0x1e8
cgroup_destroy_root+0x3c/0x2c0
css_free_rwork_fn+0x248/0x338
process_one_work+0x16c/0x3b8
worker_thread+0x22c/0x3b0
kthread+0xec/0x100
ret_from_fork+0x10/0x20
Root Cause:
CPU0 CPU1
mount perf_event umount net_prio
cgroup1_get_tree cgroup_kill_sb
rebind_subsystems // root destruction enqueues
// cgroup_destroy_wq
// kill all perf_event css
// one perf_event css A is dying
// css A offline enqueues cgroup_destroy_wq
// root destruction will be executed first
css_free_rwork_fn
cgroup_destroy_root
cgroup_lock_and_drain_offline
// some perf descendants are dying
// cgroup_destroy_wq max_active = 1
// waiting for css A to die
Problem scenario:
1. CPU0 mounts perf_event (rebind_subsystems)
2. CPU1 unmounts net_prio (cgroup_kill_sb), queuing root destruction work
3. A dying perf_event CSS gets queued for offline after root destruction
4. Root destruction waits for offline completion, but offline work is
blocked behind root destruction in cgroup_destroy_wq (max_active=1)
Solution:
Split cgroup_destroy_wq into three dedicated workqueues:
cgroup_offline_wq – Handles CSS offline operations
cgroup_release_wq – Manages resource release
cgroup_free_wq – Performs final memory deallocation
This separation eliminates blocking in the CSS free path while waiting for
offline operations to complete.
[1] https://github.com/linux-test-project/ltp/blob/master/runtest/controllers
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 334c3679ec4b2b113c35ebe37d2018b112dd5013 Version: 334c3679ec4b2b113c35ebe37d2018b112dd5013 Version: 334c3679ec4b2b113c35ebe37d2018b112dd5013 Version: 334c3679ec4b2b113c35ebe37d2018b112dd5013 Version: 334c3679ec4b2b113c35ebe37d2018b112dd5013 Version: 334c3679ec4b2b113c35ebe37d2018b112dd5013 Version: 334c3679ec4b2b113c35ebe37d2018b112dd5013 Version: 334c3679ec4b2b113c35ebe37d2018b112dd5013 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/cgroup/cgroup.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cabadd7fd15f97090f752fd22dd7f876a0dc3dc4",
"status": "affected",
"version": "334c3679ec4b2b113c35ebe37d2018b112dd5013",
"versionType": "git"
},
{
"lessThan": "a0c896bda7077aa5005473e2c5b3c27173313b4c",
"status": "affected",
"version": "334c3679ec4b2b113c35ebe37d2018b112dd5013",
"versionType": "git"
},
{
"lessThan": "f2795d1b92506e3adf52a298f7181032a1525e04",
"status": "affected",
"version": "334c3679ec4b2b113c35ebe37d2018b112dd5013",
"versionType": "git"
},
{
"lessThan": "993049c9b1355c78918344a6403427d53f9ee700",
"status": "affected",
"version": "334c3679ec4b2b113c35ebe37d2018b112dd5013",
"versionType": "git"
},
{
"lessThan": "4a1e3ec28e8062cd9f339aa6a942df9c5bcb6811",
"status": "affected",
"version": "334c3679ec4b2b113c35ebe37d2018b112dd5013",
"versionType": "git"
},
{
"lessThan": "ded4d207a3209a834b6831ceec7f39b934c74802",
"status": "affected",
"version": "334c3679ec4b2b113c35ebe37d2018b112dd5013",
"versionType": "git"
},
{
"lessThan": "05e0b03447cf215ec384210441b34b7a3b16e8b0",
"status": "affected",
"version": "334c3679ec4b2b113c35ebe37d2018b112dd5013",
"versionType": "git"
},
{
"lessThan": "79f919a89c9d06816dbdbbd168fa41d27411a7f9",
"status": "affected",
"version": "334c3679ec4b2b113c35ebe37d2018b112dd5013",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/cgroup/cgroup.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.6"
},
{
"lessThan": "4.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.154",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.108",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.154",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.108",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.49",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.9",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncgroup: split cgroup_destroy_wq into 3 workqueues\n\nA hung task can occur during [1] LTP cgroup testing when repeatedly\nmounting/unmounting perf_event and net_prio controllers with\nsystemd.unified_cgroup_hierarchy=1. The hang manifests in\ncgroup_lock_and_drain_offline() during root destruction.\n\nRelated case:\ncgroup_fj_function_perf_event cgroup_fj_function.sh perf_event\ncgroup_fj_function_net_prio cgroup_fj_function.sh net_prio\n\nCall Trace:\n\tcgroup_lock_and_drain_offline+0x14c/0x1e8\n\tcgroup_destroy_root+0x3c/0x2c0\n\tcss_free_rwork_fn+0x248/0x338\n\tprocess_one_work+0x16c/0x3b8\n\tworker_thread+0x22c/0x3b0\n\tkthread+0xec/0x100\n\tret_from_fork+0x10/0x20\n\nRoot Cause:\n\nCPU0 CPU1\nmount perf_event umount net_prio\ncgroup1_get_tree cgroup_kill_sb\nrebind_subsystems // root destruction enqueues\n\t\t\t\t// cgroup_destroy_wq\n// kill all perf_event css\n // one perf_event css A is dying\n // css A offline enqueues cgroup_destroy_wq\n // root destruction will be executed first\n css_free_rwork_fn\n cgroup_destroy_root\n cgroup_lock_and_drain_offline\n // some perf descendants are dying\n // cgroup_destroy_wq max_active = 1\n // waiting for css A to die\n\nProblem scenario:\n1. CPU0 mounts perf_event (rebind_subsystems)\n2. CPU1 unmounts net_prio (cgroup_kill_sb), queuing root destruction work\n3. A dying perf_event CSS gets queued for offline after root destruction\n4. Root destruction waits for offline completion, but offline work is\n blocked behind root destruction in cgroup_destroy_wq (max_active=1)\n\nSolution:\nSplit cgroup_destroy_wq into three dedicated workqueues:\ncgroup_offline_wq \u2013 Handles CSS offline operations\ncgroup_release_wq \u2013 Manages resource release\ncgroup_free_wq \u2013 Performs final memory deallocation\n\nThis separation eliminates blocking in the CSS free path while waiting for\noffline operations to complete.\n\n[1] https://github.com/linux-test-project/ltp/blob/master/runtest/controllers"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T07:37:08.557Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cabadd7fd15f97090f752fd22dd7f876a0dc3dc4"
},
{
"url": "https://git.kernel.org/stable/c/a0c896bda7077aa5005473e2c5b3c27173313b4c"
},
{
"url": "https://git.kernel.org/stable/c/f2795d1b92506e3adf52a298f7181032a1525e04"
},
{
"url": "https://git.kernel.org/stable/c/993049c9b1355c78918344a6403427d53f9ee700"
},
{
"url": "https://git.kernel.org/stable/c/4a1e3ec28e8062cd9f339aa6a942df9c5bcb6811"
},
{
"url": "https://git.kernel.org/stable/c/ded4d207a3209a834b6831ceec7f39b934c74802"
},
{
"url": "https://git.kernel.org/stable/c/05e0b03447cf215ec384210441b34b7a3b16e8b0"
},
{
"url": "https://git.kernel.org/stable/c/79f919a89c9d06816dbdbbd168fa41d27411a7f9"
}
],
"title": "cgroup: split cgroup_destroy_wq into 3 workqueues",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39953",
"datePublished": "2025-10-04T07:31:13.237Z",
"dateReserved": "2025-04-16T07:20:57.149Z",
"dateUpdated": "2025-10-04T07:37:08.557Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-68256 (GCVE-0-2025-68256)
Vulnerability from cvelistv5
Published
2025-12-16 14:44
Modified
2026-04-18 08:57
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser
The Information Element (IE) parser rtw_get_ie() trusted the length
byte of each IE without validating that the IE body (len bytes after
the 2-byte header) fits inside the remaining frame buffer. A malformed
frame can advertise an IE length larger than the available data, causing
the parser to increment its pointer beyond the buffer end. This results
in out-of-bounds reads or, depending on the pattern, an infinite loop.
Fix by validating that (offset + 2 + len) does not exceed the limit
before accepting the IE or advancing to the next element.
This prevents OOB reads and ensures the parser terminates safely on
malformed frames.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 554c0a3abf216c991c5ebddcdb2c08689ecd290b Version: 554c0a3abf216c991c5ebddcdb2c08689ecd290b Version: 554c0a3abf216c991c5ebddcdb2c08689ecd290b Version: 554c0a3abf216c991c5ebddcdb2c08689ecd290b Version: 554c0a3abf216c991c5ebddcdb2c08689ecd290b Version: 554c0a3abf216c991c5ebddcdb2c08689ecd290b Version: 554c0a3abf216c991c5ebddcdb2c08689ecd290b |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/staging/rtl8723bs/core/rtw_ieee80211.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9829c6e1b2e4180fd18315252ad6faeab6128076",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "b977eb31802817f4a37da95bf16bfdaa1eeb5fc2",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "30c558447e90935f0de61be181bbcedf75952e00",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "a54e2b2db1b7de2e008b4f62eec35aaefcc663c5",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "df191dd9f4c7249d98ada55634fa8ac19089b8cb",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "c0d93d69e1472ba75b78898979b90a98ba2a2501",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "154828bf9559b9c8421fc2f0d7f7f76b3683aaed",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/staging/rtl8723bs/core/rtw_ieee80211.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.62",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.62",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.12",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.1",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser\n\nThe Information Element (IE) parser rtw_get_ie() trusted the length\nbyte of each IE without validating that the IE body (len bytes after\nthe 2-byte header) fits inside the remaining frame buffer. A malformed\nframe can advertise an IE length larger than the available data, causing\nthe parser to increment its pointer beyond the buffer end. This results\nin out-of-bounds reads or, depending on the pattern, an infinite loop.\n\nFix by validating that (offset + 2 + len) does not exceed the limit\nbefore accepting the IE or advancing to the next element.\n\nThis prevents OOB reads and ensures the parser terminates safely on\nmalformed frames."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:57:11.909Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9829c6e1b2e4180fd18315252ad6faeab6128076"
},
{
"url": "https://git.kernel.org/stable/c/b977eb31802817f4a37da95bf16bfdaa1eeb5fc2"
},
{
"url": "https://git.kernel.org/stable/c/30c558447e90935f0de61be181bbcedf75952e00"
},
{
"url": "https://git.kernel.org/stable/c/a54e2b2db1b7de2e008b4f62eec35aaefcc663c5"
},
{
"url": "https://git.kernel.org/stable/c/df191dd9f4c7249d98ada55634fa8ac19089b8cb"
},
{
"url": "https://git.kernel.org/stable/c/c0d93d69e1472ba75b78898979b90a98ba2a2501"
},
{
"url": "https://git.kernel.org/stable/c/154828bf9559b9c8421fc2f0d7f7f76b3683aaed"
}
],
"title": "staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68256",
"datePublished": "2025-12-16T14:44:58.829Z",
"dateReserved": "2025-12-16T13:41:40.267Z",
"dateUpdated": "2026-04-18T08:57:11.909Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40011 (GCVE-0-2025-40011)
Vulnerability from cvelistv5
Published
2025-10-20 15:26
Modified
2025-10-20 15:26
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/gma500: Fix null dereference in hdmi teardown
pci_set_drvdata sets the value of pdev->driver_data to NULL,
after which the driver_data obtained from the same dev is
dereferenced in oaktrail_hdmi_i2c_exit, and the i2c_dev is
extracted from it. To prevent this, swap these calls.
Found by Linux Verification Center (linuxtesting.org) with Svacer.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1b082ccf5901108d3acd860a73d8c0442556c0bb Version: 1b082ccf5901108d3acd860a73d8c0442556c0bb Version: 1b082ccf5901108d3acd860a73d8c0442556c0bb Version: 1b082ccf5901108d3acd860a73d8c0442556c0bb Version: 1b082ccf5901108d3acd860a73d8c0442556c0bb Version: 1b082ccf5901108d3acd860a73d8c0442556c0bb Version: 1b082ccf5901108d3acd860a73d8c0442556c0bb Version: 1b082ccf5901108d3acd860a73d8c0442556c0bb |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/gma500/oaktrail_hdmi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "70b0c11483d3b90b2d0f416026e475e084a77e62",
"status": "affected",
"version": "1b082ccf5901108d3acd860a73d8c0442556c0bb",
"versionType": "git"
},
{
"lessThan": "4bbfd1b290857b9d14ea9d91562bde55ff2bc85e",
"status": "affected",
"version": "1b082ccf5901108d3acd860a73d8c0442556c0bb",
"versionType": "git"
},
{
"lessThan": "e15de80737d444ed743b1c60ced4a3a97913169b",
"status": "affected",
"version": "1b082ccf5901108d3acd860a73d8c0442556c0bb",
"versionType": "git"
},
{
"lessThan": "02e4ff4941efb9bbb40d8d5b61efa1a4119b1ba7",
"status": "affected",
"version": "1b082ccf5901108d3acd860a73d8c0442556c0bb",
"versionType": "git"
},
{
"lessThan": "6ffa6b5bc861a3ea9dfcdc007f002b4a347c24ba",
"status": "affected",
"version": "1b082ccf5901108d3acd860a73d8c0442556c0bb",
"versionType": "git"
},
{
"lessThan": "f800f7054d2cf28b51296c7c575da27c29e3859b",
"status": "affected",
"version": "1b082ccf5901108d3acd860a73d8c0442556c0bb",
"versionType": "git"
},
{
"lessThan": "0fc650fa475b50c1da8236c5e900b9460c7027bc",
"status": "affected",
"version": "1b082ccf5901108d3acd860a73d8c0442556c0bb",
"versionType": "git"
},
{
"lessThan": "352e66900cde63f3dadb142364d3c35170bbaaff",
"status": "affected",
"version": "1b082ccf5901108d3acd860a73d8c0442556c0bb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/gma500/oaktrail_hdmi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.3"
},
{
"lessThan": "3.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.155",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.50",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.155",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.109",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "3.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/gma500: Fix null dereference in hdmi teardown\n\npci_set_drvdata sets the value of pdev-\u003edriver_data to NULL,\nafter which the driver_data obtained from the same dev is\ndereferenced in oaktrail_hdmi_i2c_exit, and the i2c_dev is\nextracted from it. To prevent this, swap these calls.\n\nFound by Linux Verification Center (linuxtesting.org) with Svacer."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-20T15:26:56.558Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/70b0c11483d3b90b2d0f416026e475e084a77e62"
},
{
"url": "https://git.kernel.org/stable/c/4bbfd1b290857b9d14ea9d91562bde55ff2bc85e"
},
{
"url": "https://git.kernel.org/stable/c/e15de80737d444ed743b1c60ced4a3a97913169b"
},
{
"url": "https://git.kernel.org/stable/c/02e4ff4941efb9bbb40d8d5b61efa1a4119b1ba7"
},
{
"url": "https://git.kernel.org/stable/c/6ffa6b5bc861a3ea9dfcdc007f002b4a347c24ba"
},
{
"url": "https://git.kernel.org/stable/c/f800f7054d2cf28b51296c7c575da27c29e3859b"
},
{
"url": "https://git.kernel.org/stable/c/0fc650fa475b50c1da8236c5e900b9460c7027bc"
},
{
"url": "https://git.kernel.org/stable/c/352e66900cde63f3dadb142364d3c35170bbaaff"
}
],
"title": "drm/gma500: Fix null dereference in hdmi teardown",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40011",
"datePublished": "2025-10-20T15:26:56.558Z",
"dateReserved": "2025-04-16T07:20:57.151Z",
"dateUpdated": "2025-10-20T15:26:56.558Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40068 (GCVE-0-2025-40068)
Vulnerability from cvelistv5
Published
2025-10-28 11:48
Modified
2025-12-01 06:17
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs: ntfs3: Fix integer overflow in run_unpack()
The MFT record relative to the file being opened contains its runlist,
an array containing information about the file's location on the physical
disk. Analysis of all Call Stack paths showed that the values of the
runlist array, from which LCNs are calculated, are not validated before
run_unpack function.
The run_unpack function decodes the compressed runlist data format
from MFT attributes (for example, $DATA), converting them into a runs_tree
structure, which describes the mapping of virtual clusters (VCN) to
logical clusters (LCN). The NTFS3 subsystem also has a shortcut for
deleting files from MFT records - in this case, the RUN_DEALLOCATE
command is sent to the run_unpack input, and the function logic
provides that all data transferred to the runlist about file or
directory is deleted without creating a runs_tree structure.
Substituting the runlist in the $DATA attribute of the MFT record for an
arbitrary file can lead either to access to arbitrary data on the disk
bypassing access checks to them (since the inode access check
occurs above) or to destruction of arbitrary data on the disk.
Add overflow check for addition operation.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 4342306f0f0d5ff4315a204d315c1b51b914fca5 Version: 4342306f0f0d5ff4315a204d315c1b51b914fca5 Version: 4342306f0f0d5ff4315a204d315c1b51b914fca5 Version: 4342306f0f0d5ff4315a204d315c1b51b914fca5 Version: 4342306f0f0d5ff4315a204d315c1b51b914fca5 Version: 4342306f0f0d5ff4315a204d315c1b51b914fca5 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/run.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f6b36cfd25cbadad63447c673743cf771090e756",
"status": "affected",
"version": "4342306f0f0d5ff4315a204d315c1b51b914fca5",
"versionType": "git"
},
{
"lessThan": "3ac37e100385b59ac821a62118494442238aaac4",
"status": "affected",
"version": "4342306f0f0d5ff4315a204d315c1b51b914fca5",
"versionType": "git"
},
{
"lessThan": "a86c8b9d03f7101e1750233846fe989df6f0d631",
"status": "affected",
"version": "4342306f0f0d5ff4315a204d315c1b51b914fca5",
"versionType": "git"
},
{
"lessThan": "9378cfe228c2c679564a4116bcb28c8e89dff989",
"status": "affected",
"version": "4342306f0f0d5ff4315a204d315c1b51b914fca5",
"versionType": "git"
},
{
"lessThan": "5aa5799d162ad1b8e8b699d48b6218143c695a78",
"status": "affected",
"version": "4342306f0f0d5ff4315a204d315c1b51b914fca5",
"versionType": "git"
},
{
"lessThan": "736fc7bf5f68f6b74a0925b7e072c571838657d2",
"status": "affected",
"version": "4342306f0f0d5ff4315a204d315c1b51b914fca5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/run.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: ntfs3: Fix integer overflow in run_unpack()\n\nThe MFT record relative to the file being opened contains its runlist,\nan array containing information about the file\u0027s location on the physical\ndisk. Analysis of all Call Stack paths showed that the values of the\nrunlist array, from which LCNs are calculated, are not validated before\nrun_unpack function.\n\nThe run_unpack function decodes the compressed runlist data format\nfrom MFT attributes (for example, $DATA), converting them into a runs_tree\nstructure, which describes the mapping of virtual clusters (VCN) to\nlogical clusters (LCN). The NTFS3 subsystem also has a shortcut for\ndeleting files from MFT records - in this case, the RUN_DEALLOCATE\ncommand is sent to the run_unpack input, and the function logic\nprovides that all data transferred to the runlist about file or\ndirectory is deleted without creating a runs_tree structure.\n\nSubstituting the runlist in the $DATA attribute of the MFT record for an\narbitrary file can lead either to access to arbitrary data on the disk\nbypassing access checks to them (since the inode access check\noccurs above) or to destruction of arbitrary data on the disk.\n\nAdd overflow check for addition operation.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:17:19.630Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f6b36cfd25cbadad63447c673743cf771090e756"
},
{
"url": "https://git.kernel.org/stable/c/3ac37e100385b59ac821a62118494442238aaac4"
},
{
"url": "https://git.kernel.org/stable/c/a86c8b9d03f7101e1750233846fe989df6f0d631"
},
{
"url": "https://git.kernel.org/stable/c/9378cfe228c2c679564a4116bcb28c8e89dff989"
},
{
"url": "https://git.kernel.org/stable/c/5aa5799d162ad1b8e8b699d48b6218143c695a78"
},
{
"url": "https://git.kernel.org/stable/c/736fc7bf5f68f6b74a0925b7e072c571838657d2"
}
],
"title": "fs: ntfs3: Fix integer overflow in run_unpack()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40068",
"datePublished": "2025-10-28T11:48:37.636Z",
"dateReserved": "2025-04-16T07:20:57.159Z",
"dateUpdated": "2025-12-01T06:17:19.630Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71119 (GCVE-0-2025-71119)
Vulnerability from cvelistv5
Published
2026-01-14 15:06
Modified
2026-02-09 08:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
powerpc/kexec: Enable SMT before waking offline CPUs
If SMT is disabled or a partial SMT state is enabled, when a new kernel
image is loaded for kexec, on reboot the following warning is observed:
kexec: Waking offline cpu 228.
WARNING: CPU: 0 PID: 9062 at arch/powerpc/kexec/core_64.c:223 kexec_prepare_cpus+0x1b0/0x1bc
[snip]
NIP kexec_prepare_cpus+0x1b0/0x1bc
LR kexec_prepare_cpus+0x1a0/0x1bc
Call Trace:
kexec_prepare_cpus+0x1a0/0x1bc (unreliable)
default_machine_kexec+0x160/0x19c
machine_kexec+0x80/0x88
kernel_kexec+0xd0/0x118
__do_sys_reboot+0x210/0x2c4
system_call_exception+0x124/0x320
system_call_vectored_common+0x15c/0x2ec
This occurs as add_cpu() fails due to cpu_bootable() returning false for
CPUs that fail the cpu_smt_thread_allowed() check or non primary
threads if SMT is disabled.
Fix the issue by enabling SMT and resetting the number of SMT threads to
the number of threads per core, before attempting to wake up all present
CPUs.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 482fa21635c8832db022cd2d649db26b8e6170ac Version: 38253464bc821d6de6bba81bb1412ebb36f6cbd1 Version: 38253464bc821d6de6bba81bb1412ebb36f6cbd1 Version: 38253464bc821d6de6bba81bb1412ebb36f6cbd1 Version: 38253464bc821d6de6bba81bb1412ebb36f6cbd1 Version: 15141adf85b14a7cff7abba1cb983f0bf17e3b36 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/powerpc/kexec/core_64.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7cccd82a0e4aad192fd74fc60e61ed9aed5857a3",
"status": "affected",
"version": "482fa21635c8832db022cd2d649db26b8e6170ac",
"versionType": "git"
},
{
"lessThan": "d790ef0c4819424ee0c2f448c0a8154c5ca369d1",
"status": "affected",
"version": "38253464bc821d6de6bba81bb1412ebb36f6cbd1",
"versionType": "git"
},
{
"lessThan": "f0c0a681ffb77b8c5290c88c02d968199663939b",
"status": "affected",
"version": "38253464bc821d6de6bba81bb1412ebb36f6cbd1",
"versionType": "git"
},
{
"lessThan": "0d5c9e901ad40bd39b38e119c0454b52d7663930",
"status": "affected",
"version": "38253464bc821d6de6bba81bb1412ebb36f6cbd1",
"versionType": "git"
},
{
"lessThan": "c2296a1e42418556efbeb5636c4fa6aa6106713a",
"status": "affected",
"version": "38253464bc821d6de6bba81bb1412ebb36f6cbd1",
"versionType": "git"
},
{
"status": "affected",
"version": "15141adf85b14a7cff7abba1cb983f0bf17e3b36",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/powerpc/kexec/core_64.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.6"
},
{
"lessThan": "6.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "6.1.72",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/kexec: Enable SMT before waking offline CPUs\n\nIf SMT is disabled or a partial SMT state is enabled, when a new kernel\nimage is loaded for kexec, on reboot the following warning is observed:\n\nkexec: Waking offline cpu 228.\nWARNING: CPU: 0 PID: 9062 at arch/powerpc/kexec/core_64.c:223 kexec_prepare_cpus+0x1b0/0x1bc\n[snip]\n NIP kexec_prepare_cpus+0x1b0/0x1bc\n LR kexec_prepare_cpus+0x1a0/0x1bc\n Call Trace:\n kexec_prepare_cpus+0x1a0/0x1bc (unreliable)\n default_machine_kexec+0x160/0x19c\n machine_kexec+0x80/0x88\n kernel_kexec+0xd0/0x118\n __do_sys_reboot+0x210/0x2c4\n system_call_exception+0x124/0x320\n system_call_vectored_common+0x15c/0x2ec\n\nThis occurs as add_cpu() fails due to cpu_bootable() returning false for\nCPUs that fail the cpu_smt_thread_allowed() check or non primary\nthreads if SMT is disabled.\n\nFix the issue by enabling SMT and resetting the number of SMT threads to\nthe number of threads per core, before attempting to wake up all present\nCPUs."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:14.133Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7cccd82a0e4aad192fd74fc60e61ed9aed5857a3"
},
{
"url": "https://git.kernel.org/stable/c/d790ef0c4819424ee0c2f448c0a8154c5ca369d1"
},
{
"url": "https://git.kernel.org/stable/c/f0c0a681ffb77b8c5290c88c02d968199663939b"
},
{
"url": "https://git.kernel.org/stable/c/0d5c9e901ad40bd39b38e119c0454b52d7663930"
},
{
"url": "https://git.kernel.org/stable/c/c2296a1e42418556efbeb5636c4fa6aa6106713a"
}
],
"title": "powerpc/kexec: Enable SMT before waking offline CPUs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71119",
"datePublished": "2026-01-14T15:06:06.536Z",
"dateReserved": "2026-01-13T15:30:19.654Z",
"dateUpdated": "2026-02-09T08:35:14.133Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40083 (GCVE-0-2025-40083)
Vulnerability from cvelistv5
Published
2025-10-29 13:37
Modified
2026-01-02 15:32
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: sch_qfq: Fix null-deref in agg_dequeue
To prevent a potential crash in agg_dequeue (net/sched/sch_qfq.c)
when cl->qdisc->ops->peek(cl->qdisc) returns NULL, we check the return
value before using it, similar to the existing approach in sch_hfsc.c.
To avoid code duplication, the following changes are made:
1. Changed qdisc_warn_nonwc(include/net/pkt_sched.h) into a static
inline function.
2. Moved qdisc_peek_len from net/sched/sch_hfsc.c to
include/net/pkt_sched.h so that sch_qfq can reuse it.
3. Applied qdisc_peek_len in agg_dequeue to avoid crashing.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 462dbc9101acd38e92eda93c0726857517a24bbd Version: 462dbc9101acd38e92eda93c0726857517a24bbd Version: 462dbc9101acd38e92eda93c0726857517a24bbd Version: 462dbc9101acd38e92eda93c0726857517a24bbd Version: 462dbc9101acd38e92eda93c0726857517a24bbd Version: 462dbc9101acd38e92eda93c0726857517a24bbd Version: 462dbc9101acd38e92eda93c0726857517a24bbd |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/pkt_sched.h",
"net/sched/sch_api.c",
"net/sched/sch_hfsc.c",
"net/sched/sch_qfq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "71d84658a61322e5630c85c5388fc25e4a2d08b2",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "99fc137f178797204d36ac860dd8b31e35baa2df",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "1bed56f089f09b465420bf23bb32985c305cfc28",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "3c2a8994807623c7655ece205667ae2cf74940aa",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "6ffa9d66187188e3068b5a3895e6ae1ee34f9199",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "6ff8e74c8f8a68ec07ef837b95425dfe900d060f",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "dd831ac8221e691e9e918585b1003c7071df0379",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/pkt_sched.h",
"net/sched/sch_api.c",
"net/sched/sch_hfsc.c",
"net/sched/sch_qfq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.116",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.57",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.116",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.57",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_qfq: Fix null-deref in agg_dequeue\n\nTo prevent a potential crash in agg_dequeue (net/sched/sch_qfq.c)\nwhen cl-\u003eqdisc-\u003eops-\u003epeek(cl-\u003eqdisc) returns NULL, we check the return\nvalue before using it, similar to the existing approach in sch_hfsc.c.\n\nTo avoid code duplication, the following changes are made:\n\n1. Changed qdisc_warn_nonwc(include/net/pkt_sched.h) into a static\ninline function.\n\n2. Moved qdisc_peek_len from net/sched/sch_hfsc.c to\ninclude/net/pkt_sched.h so that sch_qfq can reuse it.\n\n3. Applied qdisc_peek_len in agg_dequeue to avoid crashing."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:32:57.767Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/71d84658a61322e5630c85c5388fc25e4a2d08b2"
},
{
"url": "https://git.kernel.org/stable/c/99fc137f178797204d36ac860dd8b31e35baa2df"
},
{
"url": "https://git.kernel.org/stable/c/1bed56f089f09b465420bf23bb32985c305cfc28"
},
{
"url": "https://git.kernel.org/stable/c/3c2a8994807623c7655ece205667ae2cf74940aa"
},
{
"url": "https://git.kernel.org/stable/c/6ffa9d66187188e3068b5a3895e6ae1ee34f9199"
},
{
"url": "https://git.kernel.org/stable/c/6ff8e74c8f8a68ec07ef837b95425dfe900d060f"
},
{
"url": "https://git.kernel.org/stable/c/dd831ac8221e691e9e918585b1003c7071df0379"
}
],
"title": "net/sched: sch_qfq: Fix null-deref in agg_dequeue",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40083",
"datePublished": "2025-10-29T13:37:01.868Z",
"dateReserved": "2025-04-16T07:20:57.161Z",
"dateUpdated": "2026-01-02T15:32:57.767Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68765 (GCVE-0-2025-68765)
Vulnerability from cvelistv5
Published
2026-01-05 09:44
Modified
2026-02-09 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mt76: mt7615: Fix memory leak in mt7615_mcu_wtbl_sta_add()
In mt7615_mcu_wtbl_sta_add(), an skb sskb is allocated. If the
subsequent call to mt76_connac_mcu_alloc_wtbl_req() fails, the function
returns an error without freeing sskb, leading to a memory leak.
Fix this by calling dev_kfree_skb() on sskb in the error handling path
to ensure it is properly released.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 99c457d902cf90bdc0df5d57e6156ec108711068 Version: 99c457d902cf90bdc0df5d57e6156ec108711068 Version: 99c457d902cf90bdc0df5d57e6156ec108711068 Version: 99c457d902cf90bdc0df5d57e6156ec108711068 Version: 99c457d902cf90bdc0df5d57e6156ec108711068 Version: 99c457d902cf90bdc0df5d57e6156ec108711068 Version: 99c457d902cf90bdc0df5d57e6156ec108711068 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/mediatek/mt76/mt7615/mcu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d6c91fc732698642f70c688324c98551b97b412c",
"status": "affected",
"version": "99c457d902cf90bdc0df5d57e6156ec108711068",
"versionType": "git"
},
{
"lessThan": "594ff8bb69e239678a8baa461827ce4bb90eff8f",
"status": "affected",
"version": "99c457d902cf90bdc0df5d57e6156ec108711068",
"versionType": "git"
},
{
"lessThan": "1c3c234af9407256ed670c8752923a672eea4225",
"status": "affected",
"version": "99c457d902cf90bdc0df5d57e6156ec108711068",
"versionType": "git"
},
{
"lessThan": "278bfed4529a0c9c9119f5a52ddafe69db61a75c",
"status": "affected",
"version": "99c457d902cf90bdc0df5d57e6156ec108711068",
"versionType": "git"
},
{
"lessThan": "fb905e69941b44e03fe1a24e95328d45442b6d6d",
"status": "affected",
"version": "99c457d902cf90bdc0df5d57e6156ec108711068",
"versionType": "git"
},
{
"lessThan": "4d42aba0ee49c0aa015c50c4f2a07cf8fa1c3a49",
"status": "affected",
"version": "99c457d902cf90bdc0df5d57e6156ec108711068",
"versionType": "git"
},
{
"lessThan": "53d1548612670aa8b5d89745116cc33d9d172863",
"status": "affected",
"version": "99c457d902cf90bdc0df5d57e6156ec108711068",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/mediatek/mt76/mt7615/mcu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmt76: mt7615: Fix memory leak in mt7615_mcu_wtbl_sta_add()\n\nIn mt7615_mcu_wtbl_sta_add(), an skb sskb is allocated. If the\nsubsequent call to mt76_connac_mcu_alloc_wtbl_req() fails, the function\nreturns an error without freeing sskb, leading to a memory leak.\n\nFix this by calling dev_kfree_skb() on sskb in the error handling path\nto ensure it is properly released."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:10.066Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d6c91fc732698642f70c688324c98551b97b412c"
},
{
"url": "https://git.kernel.org/stable/c/594ff8bb69e239678a8baa461827ce4bb90eff8f"
},
{
"url": "https://git.kernel.org/stable/c/1c3c234af9407256ed670c8752923a672eea4225"
},
{
"url": "https://git.kernel.org/stable/c/278bfed4529a0c9c9119f5a52ddafe69db61a75c"
},
{
"url": "https://git.kernel.org/stable/c/fb905e69941b44e03fe1a24e95328d45442b6d6d"
},
{
"url": "https://git.kernel.org/stable/c/4d42aba0ee49c0aa015c50c4f2a07cf8fa1c3a49"
},
{
"url": "https://git.kernel.org/stable/c/53d1548612670aa8b5d89745116cc33d9d172863"
}
],
"title": "mt76: mt7615: Fix memory leak in mt7615_mcu_wtbl_sta_add()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68765",
"datePublished": "2026-01-05T09:44:13.242Z",
"dateReserved": "2025-12-24T10:30:51.034Z",
"dateUpdated": "2026-02-09T08:33:10.066Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68811 (GCVE-0-2025-68811)
Vulnerability from cvelistv5
Published
2026-01-13 15:29
Modified
2026-02-09 08:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
svcrdma: use rc_pageoff for memcpy byte offset
svc_rdma_copy_inline_range added rc_curpage (page index) to the page
base instead of the byte offset rc_pageoff. Use rc_pageoff so copies
land within the current page.
Found by ZeroPath (https://zeropath.com)
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sunrpc/xprtrdma/svc_rdma_rw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e8623e9c451e23d84b870811f42fd872b4089ef6",
"status": "affected",
"version": "8e122582680c6f8acd686a5a2af9c0e46fe90f2d",
"versionType": "git"
},
{
"lessThan": "2a77c8dd49bccf0ca232be7c836cec1209abb8da",
"status": "affected",
"version": "8e122582680c6f8acd686a5a2af9c0e46fe90f2d",
"versionType": "git"
},
{
"lessThan": "a8ee9099f30654917aa68f55d707b5627e1dbf77",
"status": "affected",
"version": "8e122582680c6f8acd686a5a2af9c0e46fe90f2d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sunrpc/xprtrdma/svc_rdma_rw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsvcrdma: use rc_pageoff for memcpy byte offset\n\nsvc_rdma_copy_inline_range added rc_curpage (page index) to the page\nbase instead of the byte offset rc_pageoff. Use rc_pageoff so copies\nland within the current page.\n\nFound by ZeroPath (https://zeropath.com)"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:00.367Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e8623e9c451e23d84b870811f42fd872b4089ef6"
},
{
"url": "https://git.kernel.org/stable/c/2a77c8dd49bccf0ca232be7c836cec1209abb8da"
},
{
"url": "https://git.kernel.org/stable/c/a8ee9099f30654917aa68f55d707b5627e1dbf77"
}
],
"title": "svcrdma: use rc_pageoff for memcpy byte offset",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68811",
"datePublished": "2026-01-13T15:29:17.128Z",
"dateReserved": "2025-12-24T10:30:51.047Z",
"dateUpdated": "2026-02-09T08:34:00.367Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71122 (GCVE-0-2025-71122)
Vulnerability from cvelistv5
Published
2026-01-14 15:06
Modified
2026-02-09 08:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
iommufd/selftest: Check for overflow in IOMMU_TEST_OP_ADD_RESERVED
syzkaller found it could overflow math in the test infrastructure and
cause a WARN_ON by corrupting the reserved interval tree. This only
effects test kernels with CONFIG_IOMMUFD_TEST.
Validate the user input length in the test ioctl.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iommu/iommufd/selftest.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4cc829d61f10c20523fd4085c1546e741a792a97",
"status": "affected",
"version": "f4b20bb34c83dceade5470288f48f94ce3598ada",
"versionType": "git"
},
{
"lessThan": "e6c122cffcbb2e84d321ec8ba0e38ce8e7c10925",
"status": "affected",
"version": "f4b20bb34c83dceade5470288f48f94ce3598ada",
"versionType": "git"
},
{
"lessThan": "b166b8e0a381429fefd9180e67fbc834b3cee82f",
"status": "affected",
"version": "f4b20bb34c83dceade5470288f48f94ce3598ada",
"versionType": "git"
},
{
"lessThan": "e6a973af11135439de32ece3b9cbe3bfc043bea8",
"status": "affected",
"version": "f4b20bb34c83dceade5470288f48f94ce3598ada",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iommu/iommufd/selftest.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommufd/selftest: Check for overflow in IOMMU_TEST_OP_ADD_RESERVED\n\nsyzkaller found it could overflow math in the test infrastructure and\ncause a WARN_ON by corrupting the reserved interval tree. This only\neffects test kernels with CONFIG_IOMMUFD_TEST.\n\nValidate the user input length in the test ioctl."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:17.338Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4cc829d61f10c20523fd4085c1546e741a792a97"
},
{
"url": "https://git.kernel.org/stable/c/e6c122cffcbb2e84d321ec8ba0e38ce8e7c10925"
},
{
"url": "https://git.kernel.org/stable/c/b166b8e0a381429fefd9180e67fbc834b3cee82f"
},
{
"url": "https://git.kernel.org/stable/c/e6a973af11135439de32ece3b9cbe3bfc043bea8"
}
],
"title": "iommufd/selftest: Check for overflow in IOMMU_TEST_OP_ADD_RESERVED",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71122",
"datePublished": "2026-01-14T15:06:08.556Z",
"dateReserved": "2026-01-13T15:30:19.654Z",
"dateUpdated": "2026-02-09T08:35:17.338Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23202 (GCVE-0-2026-23202)
Vulnerability from cvelistv5
Published
2026-02-14 16:27
Modified
2026-02-14 16:27
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
spi: tegra210-quad: Protect curr_xfer in tegra_qspi_combined_seq_xfer
The curr_xfer field is read by the IRQ handler without holding the lock
to check if a transfer is in progress. When clearing curr_xfer in the
combined sequence transfer loop, protect it with the spinlock to prevent
a race with the interrupt handler.
Protect the curr_xfer clearing at the exit path of
tegra_qspi_combined_seq_xfer() with the spinlock to prevent a race
with the interrupt handler that reads this field.
Without this protection, the IRQ handler could read a partially updated
curr_xfer value, leading to NULL pointer dereference or use-after-free.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 88db8bb7ed1bb474618acdf05ebd4f0758d244e2 Version: 83309dd551cfd60a5a1a98d9cab19f435b44d46d Version: c934e40246da2c5726d14e94719c514e30840df8 Version: 551060efb156c50fe33799038ba8145418cfdeef Version: 01bbf25c767219b14c3235bfa85906b8d2cb8fbc Version: b4e002d8a7cee3b1d70efad0e222567f92a73000 Version: bb0c58be84f907285af45657c1d4847b960a12bf |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-tegra210-quad.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9fa4262a80f751d14a6a39d2c03f57db68da2618",
"status": "affected",
"version": "88db8bb7ed1bb474618acdf05ebd4f0758d244e2",
"versionType": "git"
},
{
"lessThan": "762e2ce71c8f0238e9eaf05d14da803d9a24422f",
"status": "affected",
"version": "83309dd551cfd60a5a1a98d9cab19f435b44d46d",
"versionType": "git"
},
{
"lessThan": "712cde8d916889e282727cdf304a43683adf899e",
"status": "affected",
"version": "c934e40246da2c5726d14e94719c514e30840df8",
"versionType": "git"
},
{
"lessThan": "6fd446178a610a48e80e5c5b487b0707cd01daac",
"status": "affected",
"version": "551060efb156c50fe33799038ba8145418cfdeef",
"versionType": "git"
},
{
"lessThan": "3bc293d5b56502068481478842f57b3d96e432c7",
"status": "affected",
"version": "01bbf25c767219b14c3235bfa85906b8d2cb8fbc",
"versionType": "git"
},
{
"lessThan": "bf4528ab28e2bf112c3a2cdef44fd13f007781cd",
"status": "affected",
"version": "b4e002d8a7cee3b1d70efad0e222567f92a73000",
"versionType": "git"
},
{
"status": "affected",
"version": "bb0c58be84f907285af45657c1d4847b960a12bf",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-tegra210-quad.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5.15.200",
"status": "affected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThan": "6.1.163",
"status": "affected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThan": "6.6.124",
"status": "affected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThan": "6.12.70",
"status": "affected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThan": "6.18.10",
"status": "affected",
"version": "6.18.2",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.200",
"versionStartIncluding": "5.15.198",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.163",
"versionStartIncluding": "6.1.160",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "6.6.120",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "6.12.63",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "6.18.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.17.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: tegra210-quad: Protect curr_xfer in tegra_qspi_combined_seq_xfer\n\nThe curr_xfer field is read by the IRQ handler without holding the lock\nto check if a transfer is in progress. When clearing curr_xfer in the\ncombined sequence transfer loop, protect it with the spinlock to prevent\na race with the interrupt handler.\n\nProtect the curr_xfer clearing at the exit path of\ntegra_qspi_combined_seq_xfer() with the spinlock to prevent a race\nwith the interrupt handler that reads this field.\n\nWithout this protection, the IRQ handler could read a partially updated\ncurr_xfer value, leading to NULL pointer dereference or use-after-free."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T16:27:26.365Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9fa4262a80f751d14a6a39d2c03f57db68da2618"
},
{
"url": "https://git.kernel.org/stable/c/762e2ce71c8f0238e9eaf05d14da803d9a24422f"
},
{
"url": "https://git.kernel.org/stable/c/712cde8d916889e282727cdf304a43683adf899e"
},
{
"url": "https://git.kernel.org/stable/c/6fd446178a610a48e80e5c5b487b0707cd01daac"
},
{
"url": "https://git.kernel.org/stable/c/3bc293d5b56502068481478842f57b3d96e432c7"
},
{
"url": "https://git.kernel.org/stable/c/bf4528ab28e2bf112c3a2cdef44fd13f007781cd"
}
],
"title": "spi: tegra210-quad: Protect curr_xfer in tegra_qspi_combined_seq_xfer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23202",
"datePublished": "2026-02-14T16:27:26.365Z",
"dateReserved": "2026-01-13T15:37:45.986Z",
"dateUpdated": "2026-02-14T16:27:26.365Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40258 (GCVE-0-2025-40258)
Vulnerability from cvelistv5
Published
2025-12-04 16:08
Modified
2025-12-06 21:38
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mptcp: fix race condition in mptcp_schedule_work()
syzbot reported use-after-free in mptcp_schedule_work() [1]
Issue here is that mptcp_schedule_work() schedules a work,
then gets a refcount on sk->sk_refcnt if the work was scheduled.
This refcount will be released by mptcp_worker().
[A] if (schedule_work(...)) {
[B] sock_hold(sk);
return true;
}
Problem is that mptcp_worker() can run immediately and complete before [B]
We need instead :
sock_hold(sk);
if (schedule_work(...))
return true;
sock_put(sk);
[1]
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 1 PID: 29 at lib/refcount.c:25 refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:25
Call Trace:
<TASK>
__refcount_add include/linux/refcount.h:-1 [inline]
__refcount_inc include/linux/refcount.h:366 [inline]
refcount_inc include/linux/refcount.h:383 [inline]
sock_hold include/net/sock.h:816 [inline]
mptcp_schedule_work+0x164/0x1a0 net/mptcp/protocol.c:943
mptcp_tout_timer+0x21/0xa0 net/mptcp/protocol.c:2316
call_timer_fn+0x17e/0x5f0 kernel/time/timer.c:1747
expire_timers kernel/time/timer.c:1798 [inline]
__run_timers kernel/time/timer.c:2372 [inline]
__run_timer_base+0x648/0x970 kernel/time/timer.c:2384
run_timer_base kernel/time/timer.c:2393 [inline]
run_timer_softirq+0xb7/0x180 kernel/time/timer.c:2403
handle_softirqs+0x22f/0x710 kernel/softirq.c:622
__do_softirq kernel/softirq.c:656 [inline]
run_ktimerd+0xcf/0x190 kernel/softirq.c:1138
smpboot_thread_fn+0x542/0xa60 kernel/smpboot.c:160
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 3b1d6210a9577369103330b0d802b0bf74b65e7f Version: 3b1d6210a9577369103330b0d802b0bf74b65e7f Version: 3b1d6210a9577369103330b0d802b0bf74b65e7f Version: 3b1d6210a9577369103330b0d802b0bf74b65e7f Version: 3b1d6210a9577369103330b0d802b0bf74b65e7f Version: 3b1d6210a9577369103330b0d802b0bf74b65e7f Version: 3b1d6210a9577369103330b0d802b0bf74b65e7f |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mptcp/protocol.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f865e6595acf33083168db76921e66ace8bf0e5b",
"status": "affected",
"version": "3b1d6210a9577369103330b0d802b0bf74b65e7f",
"versionType": "git"
},
{
"lessThan": "99908e2d601236842d705d5fd04fb349577316f5",
"status": "affected",
"version": "3b1d6210a9577369103330b0d802b0bf74b65e7f",
"versionType": "git"
},
{
"lessThan": "db4f7968a75250ca6c4ed70d0a78beabb2dcee18",
"status": "affected",
"version": "3b1d6210a9577369103330b0d802b0bf74b65e7f",
"versionType": "git"
},
{
"lessThan": "8f9ba1a99a89feef9b5867c15a0141a97e893309",
"status": "affected",
"version": "3b1d6210a9577369103330b0d802b0bf74b65e7f",
"versionType": "git"
},
{
"lessThan": "ac28dfddedf6f209190950fc71bcff65ec4ab47b",
"status": "affected",
"version": "3b1d6210a9577369103330b0d802b0bf74b65e7f",
"versionType": "git"
},
{
"lessThan": "3fc7723ed01d1130d4bf7063c50e0af60ecccbb4",
"status": "affected",
"version": "3b1d6210a9577369103330b0d802b0bf74b65e7f",
"versionType": "git"
},
{
"lessThan": "035bca3f017ee9dea3a5a756e77a6f7138cc6eea",
"status": "affected",
"version": "3b1d6210a9577369103330b0d802b0bf74b65e7f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mptcp/protocol.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix race condition in mptcp_schedule_work()\n\nsyzbot reported use-after-free in mptcp_schedule_work() [1]\n\nIssue here is that mptcp_schedule_work() schedules a work,\nthen gets a refcount on sk-\u003esk_refcnt if the work was scheduled.\nThis refcount will be released by mptcp_worker().\n\n[A] if (schedule_work(...)) {\n[B] sock_hold(sk);\n return true;\n }\n\nProblem is that mptcp_worker() can run immediately and complete before [B]\n\nWe need instead :\n\n sock_hold(sk);\n if (schedule_work(...))\n return true;\n sock_put(sk);\n\n[1]\nrefcount_t: addition on 0; use-after-free.\n WARNING: CPU: 1 PID: 29 at lib/refcount.c:25 refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:25\nCall Trace:\n \u003cTASK\u003e\n __refcount_add include/linux/refcount.h:-1 [inline]\n __refcount_inc include/linux/refcount.h:366 [inline]\n refcount_inc include/linux/refcount.h:383 [inline]\n sock_hold include/net/sock.h:816 [inline]\n mptcp_schedule_work+0x164/0x1a0 net/mptcp/protocol.c:943\n mptcp_tout_timer+0x21/0xa0 net/mptcp/protocol.c:2316\n call_timer_fn+0x17e/0x5f0 kernel/time/timer.c:1747\n expire_timers kernel/time/timer.c:1798 [inline]\n __run_timers kernel/time/timer.c:2372 [inline]\n __run_timer_base+0x648/0x970 kernel/time/timer.c:2384\n run_timer_base kernel/time/timer.c:2393 [inline]\n run_timer_softirq+0xb7/0x180 kernel/time/timer.c:2403\n handle_softirqs+0x22f/0x710 kernel/softirq.c:622\n __do_softirq kernel/softirq.c:656 [inline]\n run_ktimerd+0xcf/0x190 kernel/softirq.c:1138\n smpboot_thread_fn+0x542/0xa60 kernel/smpboot.c:160\n kthread+0x711/0x8a0 kernel/kthread.c:463\n ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T21:38:56.328Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f865e6595acf33083168db76921e66ace8bf0e5b"
},
{
"url": "https://git.kernel.org/stable/c/99908e2d601236842d705d5fd04fb349577316f5"
},
{
"url": "https://git.kernel.org/stable/c/db4f7968a75250ca6c4ed70d0a78beabb2dcee18"
},
{
"url": "https://git.kernel.org/stable/c/8f9ba1a99a89feef9b5867c15a0141a97e893309"
},
{
"url": "https://git.kernel.org/stable/c/ac28dfddedf6f209190950fc71bcff65ec4ab47b"
},
{
"url": "https://git.kernel.org/stable/c/3fc7723ed01d1130d4bf7063c50e0af60ecccbb4"
},
{
"url": "https://git.kernel.org/stable/c/035bca3f017ee9dea3a5a756e77a6f7138cc6eea"
}
],
"title": "mptcp: fix race condition in mptcp_schedule_work()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40258",
"datePublished": "2025-12-04T16:08:19.176Z",
"dateReserved": "2025-04-16T07:20:57.182Z",
"dateUpdated": "2025-12-06T21:38:56.328Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68328 (GCVE-0-2025-68328)
Vulnerability from cvelistv5
Published
2025-12-22 16:12
Modified
2025-12-22 16:14
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
firmware: stratix10-svc: fix bug in saving controller data
Fix the incorrect usage of platform_set_drvdata and dev_set_drvdata. They
both are of the same data and overrides each other. This resulted in the
rmmod of the svc driver to fail and throw a kernel panic for kthread_stop
and fifo free.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: b5dc75c915cdaebab9b9875022e45638d6b14a7e Version: b5dc75c915cdaebab9b9875022e45638d6b14a7e Version: b5dc75c915cdaebab9b9875022e45638d6b14a7e Version: b5dc75c915cdaebab9b9875022e45638d6b14a7e Version: b5dc75c915cdaebab9b9875022e45638d6b14a7e Version: b5dc75c915cdaebab9b9875022e45638d6b14a7e Version: b5dc75c915cdaebab9b9875022e45638d6b14a7e |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/firmware/stratix10-svc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9d0a330abd9e49bcebf6307aac185081bde49a43",
"status": "affected",
"version": "b5dc75c915cdaebab9b9875022e45638d6b14a7e",
"versionType": "git"
},
{
"lessThan": "354fb03002da0970d337f0d3edbeb46cc4fa6f41",
"status": "affected",
"version": "b5dc75c915cdaebab9b9875022e45638d6b14a7e",
"versionType": "git"
},
{
"lessThan": "b359df793f609b1efce31dadfe6883ec73852619",
"status": "affected",
"version": "b5dc75c915cdaebab9b9875022e45638d6b14a7e",
"versionType": "git"
},
{
"lessThan": "71796c91ee8e33faf4434a9e210b5063c28ea907",
"status": "affected",
"version": "b5dc75c915cdaebab9b9875022e45638d6b14a7e",
"versionType": "git"
},
{
"lessThan": "60ab1851614e6007344042b66da6e31d1cc26cb3",
"status": "affected",
"version": "b5dc75c915cdaebab9b9875022e45638d6b14a7e",
"versionType": "git"
},
{
"lessThan": "bd226fa02ed6db6fce0fae010802f0950fd14fb9",
"status": "affected",
"version": "b5dc75c915cdaebab9b9875022e45638d6b14a7e",
"versionType": "git"
},
{
"lessThan": "d0fcf70c680e4d1669fcb3a8632f41400b9a73c2",
"status": "affected",
"version": "b5dc75c915cdaebab9b9875022e45638d6b14a7e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/firmware/stratix10-svc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: stratix10-svc: fix bug in saving controller data\n\nFix the incorrect usage of platform_set_drvdata and dev_set_drvdata. They\nboth are of the same data and overrides each other. This resulted in the\nrmmod of the svc driver to fail and throw a kernel panic for kthread_stop\nand fifo free."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-22T16:14:00.130Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9d0a330abd9e49bcebf6307aac185081bde49a43"
},
{
"url": "https://git.kernel.org/stable/c/354fb03002da0970d337f0d3edbeb46cc4fa6f41"
},
{
"url": "https://git.kernel.org/stable/c/b359df793f609b1efce31dadfe6883ec73852619"
},
{
"url": "https://git.kernel.org/stable/c/71796c91ee8e33faf4434a9e210b5063c28ea907"
},
{
"url": "https://git.kernel.org/stable/c/60ab1851614e6007344042b66da6e31d1cc26cb3"
},
{
"url": "https://git.kernel.org/stable/c/bd226fa02ed6db6fce0fae010802f0950fd14fb9"
},
{
"url": "https://git.kernel.org/stable/c/d0fcf70c680e4d1669fcb3a8632f41400b9a73c2"
}
],
"title": "firmware: stratix10-svc: fix bug in saving controller data",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68328",
"datePublished": "2025-12-22T16:12:22.218Z",
"dateReserved": "2025-12-16T14:48:05.296Z",
"dateUpdated": "2025-12-22T16:14:00.130Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71113 (GCVE-0-2025-71113)
Vulnerability from cvelistv5
Published
2026-01-14 15:05
Modified
2026-02-09 08:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: af_alg - zero initialize memory allocated via sock_kmalloc
Several crypto user API contexts and requests allocated with
sock_kmalloc() were left uninitialized, relying on callers to
set fields explicitly. This resulted in the use of uninitialized
data in certain error paths or when new fields are added in the
future.
The ACVP patches also contain two user-space interface files:
algif_kpp.c and algif_akcipher.c. These too rely on proper
initialization of their context structures.
A particular issue has been observed with the newly added
'inflight' variable introduced in af_alg_ctx by commit:
67b164a871af ("crypto: af_alg - Disallow multiple in-flight AIO requests")
Because the context is not memset to zero after allocation,
the inflight variable has contained garbage values. As a result,
af_alg_alloc_areq() has incorrectly returned -EBUSY randomly when
the garbage value was interpreted as true:
https://github.com/gregkh/linux/blame/master/crypto/af_alg.c#L1209
The check directly tests ctx->inflight without explicitly
comparing against true/false. Since inflight is only ever set to
true or false later, an uninitialized value has triggered
-EBUSY failures. Zero-initializing memory allocated with
sock_kmalloc() ensures inflight and other fields start in a known
state, removing random issues caused by uninitialized data.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: fe869cdb89c95d060c77eea20204d6c91f233b53 Version: fe869cdb89c95d060c77eea20204d6c91f233b53 Version: fe869cdb89c95d060c77eea20204d6c91f233b53 Version: fe869cdb89c95d060c77eea20204d6c91f233b53 Version: fe869cdb89c95d060c77eea20204d6c91f233b53 Version: fe869cdb89c95d060c77eea20204d6c91f233b53 Version: fe869cdb89c95d060c77eea20204d6c91f233b53 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"crypto/af_alg.c",
"crypto/algif_hash.c",
"crypto/algif_rng.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e125c8e346e4eb7b3e854c862fcb4392bc13ddba",
"status": "affected",
"version": "fe869cdb89c95d060c77eea20204d6c91f233b53",
"versionType": "git"
},
{
"lessThan": "543bf004e4eafbb302b1e6c78570d425d2ca13a0",
"status": "affected",
"version": "fe869cdb89c95d060c77eea20204d6c91f233b53",
"versionType": "git"
},
{
"lessThan": "f81244fd6b14fecfa93b66b6bb1d59f96554e550",
"status": "affected",
"version": "fe869cdb89c95d060c77eea20204d6c91f233b53",
"versionType": "git"
},
{
"lessThan": "84238876e3b3b262cf62d5f4d1338e983fb27010",
"status": "affected",
"version": "fe869cdb89c95d060c77eea20204d6c91f233b53",
"versionType": "git"
},
{
"lessThan": "5a4b65523608974a81edbe386f8a667a3e10c726",
"status": "affected",
"version": "fe869cdb89c95d060c77eea20204d6c91f233b53",
"versionType": "git"
},
{
"lessThan": "51a5ab36084f3251ef87eda3e6a6236f6488925e",
"status": "affected",
"version": "fe869cdb89c95d060c77eea20204d6c91f233b53",
"versionType": "git"
},
{
"lessThan": "6f6e309328d53a10c0fe1f77dec2db73373179b6",
"status": "affected",
"version": "fe869cdb89c95d060c77eea20204d6c91f233b53",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"crypto/af_alg.c",
"crypto/algif_hash.c",
"crypto/algif_rng.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.38"
},
{
"lessThan": "2.6.38",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.38",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: af_alg - zero initialize memory allocated via sock_kmalloc\n\nSeveral crypto user API contexts and requests allocated with\nsock_kmalloc() were left uninitialized, relying on callers to\nset fields explicitly. This resulted in the use of uninitialized\ndata in certain error paths or when new fields are added in the\nfuture.\n\nThe ACVP patches also contain two user-space interface files:\nalgif_kpp.c and algif_akcipher.c. These too rely on proper\ninitialization of their context structures.\n\nA particular issue has been observed with the newly added\n\u0027inflight\u0027 variable introduced in af_alg_ctx by commit:\n\n 67b164a871af (\"crypto: af_alg - Disallow multiple in-flight AIO requests\")\n\nBecause the context is not memset to zero after allocation,\nthe inflight variable has contained garbage values. As a result,\naf_alg_alloc_areq() has incorrectly returned -EBUSY randomly when\nthe garbage value was interpreted as true:\n\n https://github.com/gregkh/linux/blame/master/crypto/af_alg.c#L1209\n\nThe check directly tests ctx-\u003einflight without explicitly\ncomparing against true/false. Since inflight is only ever set to\ntrue or false later, an uninitialized value has triggered\n-EBUSY failures. Zero-initializing memory allocated with\nsock_kmalloc() ensures inflight and other fields start in a known\nstate, removing random issues caused by uninitialized data."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:07.779Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e125c8e346e4eb7b3e854c862fcb4392bc13ddba"
},
{
"url": "https://git.kernel.org/stable/c/543bf004e4eafbb302b1e6c78570d425d2ca13a0"
},
{
"url": "https://git.kernel.org/stable/c/f81244fd6b14fecfa93b66b6bb1d59f96554e550"
},
{
"url": "https://git.kernel.org/stable/c/84238876e3b3b262cf62d5f4d1338e983fb27010"
},
{
"url": "https://git.kernel.org/stable/c/5a4b65523608974a81edbe386f8a667a3e10c726"
},
{
"url": "https://git.kernel.org/stable/c/51a5ab36084f3251ef87eda3e6a6236f6488925e"
},
{
"url": "https://git.kernel.org/stable/c/6f6e309328d53a10c0fe1f77dec2db73373179b6"
}
],
"title": "crypto: af_alg - zero initialize memory allocated via sock_kmalloc",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71113",
"datePublished": "2026-01-14T15:05:59.992Z",
"dateReserved": "2026-01-13T15:30:19.653Z",
"dateUpdated": "2026-02-09T08:35:07.779Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68261 (GCVE-0-2025-68261)
Vulnerability from cvelistv5
Published
2025-12-16 14:45
Modified
2026-02-09 08:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: add i_data_sem protection in ext4_destroy_inline_data_nolock()
Fix a race between inline data destruction and block mapping.
The function ext4_destroy_inline_data_nolock() changes the inode data
layout by clearing EXT4_INODE_INLINE_DATA and setting EXT4_INODE_EXTENTS.
At the same time, another thread may execute ext4_map_blocks(), which
tests EXT4_INODE_EXTENTS to decide whether to call ext4_ext_map_blocks()
or ext4_ind_map_blocks().
Without i_data_sem protection, ext4_ind_map_blocks() may receive inode
with EXT4_INODE_EXTENTS flag and triggering assert.
kernel BUG at fs/ext4/indirect.c:546!
EXT4-fs (loop2): unmounting filesystem.
invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
RIP: 0010:ext4_ind_map_blocks.cold+0x2b/0x5a fs/ext4/indirect.c:546
Call Trace:
<TASK>
ext4_map_blocks+0xb9b/0x16f0 fs/ext4/inode.c:681
_ext4_get_block+0x242/0x590 fs/ext4/inode.c:822
ext4_block_write_begin+0x48b/0x12c0 fs/ext4/inode.c:1124
ext4_write_begin+0x598/0xef0 fs/ext4/inode.c:1255
ext4_da_write_begin+0x21e/0x9c0 fs/ext4/inode.c:3000
generic_perform_write+0x259/0x5d0 mm/filemap.c:3846
ext4_buffered_write_iter+0x15b/0x470 fs/ext4/file.c:285
ext4_file_write_iter+0x8e0/0x17f0 fs/ext4/file.c:679
call_write_iter include/linux/fs.h:2271 [inline]
do_iter_readv_writev+0x212/0x3c0 fs/read_write.c:735
do_iter_write+0x186/0x710 fs/read_write.c:861
vfs_iter_write+0x70/0xa0 fs/read_write.c:902
iter_file_splice_write+0x73b/0xc90 fs/splice.c:685
do_splice_from fs/splice.c:763 [inline]
direct_splice_actor+0x10f/0x170 fs/splice.c:950
splice_direct_to_actor+0x33a/0xa10 fs/splice.c:896
do_splice_direct+0x1a9/0x280 fs/splice.c:1002
do_sendfile+0xb13/0x12c0 fs/read_write.c:1255
__do_sys_sendfile64 fs/read_write.c:1323 [inline]
__se_sys_sendfile64 fs/read_write.c:1309 [inline]
__x64_sys_sendfile64+0x1cf/0x210 fs/read_write.c:1309
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x6e/0xd8
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: c755e251357a0cee0679081f08c3f4ba797a8009 Version: c755e251357a0cee0679081f08c3f4ba797a8009 Version: c755e251357a0cee0679081f08c3f4ba797a8009 Version: c755e251357a0cee0679081f08c3f4ba797a8009 Version: c755e251357a0cee0679081f08c3f4ba797a8009 Version: c755e251357a0cee0679081f08c3f4ba797a8009 Version: c755e251357a0cee0679081f08c3f4ba797a8009 Version: c755e251357a0cee0679081f08c3f4ba797a8009 Version: 3e96c3fdcfccb321a9e1623f78cc71b44593e965 Version: 5781ac24bbd998ebb1ff30143bb06244d847af48 Version: 9b06cce3ca4d60d442c39bfa7c058b71b1cee6c2 Version: da1e40237f8f3516581b534c484c236a79ccfd14 Version: 7cf6b709b6412afd1d93b2c4b37163c3602e3b95 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/inline.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b322bac9f01d03190b5abc52be5d9dd9f22a2b41",
"status": "affected",
"version": "c755e251357a0cee0679081f08c3f4ba797a8009",
"versionType": "git"
},
{
"lessThan": "61e03dc3794ebf77a706b85e5a36c9c6d70be6de",
"status": "affected",
"version": "c755e251357a0cee0679081f08c3f4ba797a8009",
"versionType": "git"
},
{
"lessThan": "5b266cf6851ce72b11b067fe02adf5a8687104ad",
"status": "affected",
"version": "c755e251357a0cee0679081f08c3f4ba797a8009",
"versionType": "git"
},
{
"lessThan": "144c48da33a01d92995aeccd8208eb47d2a8e659",
"status": "affected",
"version": "c755e251357a0cee0679081f08c3f4ba797a8009",
"versionType": "git"
},
{
"lessThan": "22a76b0861ae61a299c8e126c1aca8c4fda820fd",
"status": "affected",
"version": "c755e251357a0cee0679081f08c3f4ba797a8009",
"versionType": "git"
},
{
"lessThan": "ba8aeff294ac7ff6dfe293663d815c54c5ee218c",
"status": "affected",
"version": "c755e251357a0cee0679081f08c3f4ba797a8009",
"versionType": "git"
},
{
"lessThan": "5cad18e527ba8a9ca5463cc170073eeb5a4826f4",
"status": "affected",
"version": "c755e251357a0cee0679081f08c3f4ba797a8009",
"versionType": "git"
},
{
"lessThan": "0cd8feea8777f8d9b9a862b89c688b049a5c8475",
"status": "affected",
"version": "c755e251357a0cee0679081f08c3f4ba797a8009",
"versionType": "git"
},
{
"status": "affected",
"version": "3e96c3fdcfccb321a9e1623f78cc71b44593e965",
"versionType": "git"
},
{
"status": "affected",
"version": "5781ac24bbd998ebb1ff30143bb06244d847af48",
"versionType": "git"
},
{
"status": "affected",
"version": "9b06cce3ca4d60d442c39bfa7c058b71b1cee6c2",
"versionType": "git"
},
{
"status": "affected",
"version": "da1e40237f8f3516581b534c484c236a79ccfd14",
"versionType": "git"
},
{
"status": "affected",
"version": "7cf6b709b6412afd1d93b2c4b37163c3602e3b95",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/inline.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.11"
},
{
"lessThan": "4.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.62",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.62",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.12",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.1",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.16.44",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.18.107",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.129",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.10.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: add i_data_sem protection in ext4_destroy_inline_data_nolock()\n\nFix a race between inline data destruction and block mapping.\n\nThe function ext4_destroy_inline_data_nolock() changes the inode data\nlayout by clearing EXT4_INODE_INLINE_DATA and setting EXT4_INODE_EXTENTS.\nAt the same time, another thread may execute ext4_map_blocks(), which\ntests EXT4_INODE_EXTENTS to decide whether to call ext4_ext_map_blocks()\nor ext4_ind_map_blocks().\n\nWithout i_data_sem protection, ext4_ind_map_blocks() may receive inode\nwith EXT4_INODE_EXTENTS flag and triggering assert.\n\nkernel BUG at fs/ext4/indirect.c:546!\nEXT4-fs (loop2): unmounting filesystem.\ninvalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014\nRIP: 0010:ext4_ind_map_blocks.cold+0x2b/0x5a fs/ext4/indirect.c:546\n\nCall Trace:\n \u003cTASK\u003e\n ext4_map_blocks+0xb9b/0x16f0 fs/ext4/inode.c:681\n _ext4_get_block+0x242/0x590 fs/ext4/inode.c:822\n ext4_block_write_begin+0x48b/0x12c0 fs/ext4/inode.c:1124\n ext4_write_begin+0x598/0xef0 fs/ext4/inode.c:1255\n ext4_da_write_begin+0x21e/0x9c0 fs/ext4/inode.c:3000\n generic_perform_write+0x259/0x5d0 mm/filemap.c:3846\n ext4_buffered_write_iter+0x15b/0x470 fs/ext4/file.c:285\n ext4_file_write_iter+0x8e0/0x17f0 fs/ext4/file.c:679\n call_write_iter include/linux/fs.h:2271 [inline]\n do_iter_readv_writev+0x212/0x3c0 fs/read_write.c:735\n do_iter_write+0x186/0x710 fs/read_write.c:861\n vfs_iter_write+0x70/0xa0 fs/read_write.c:902\n iter_file_splice_write+0x73b/0xc90 fs/splice.c:685\n do_splice_from fs/splice.c:763 [inline]\n direct_splice_actor+0x10f/0x170 fs/splice.c:950\n splice_direct_to_actor+0x33a/0xa10 fs/splice.c:896\n do_splice_direct+0x1a9/0x280 fs/splice.c:1002\n do_sendfile+0xb13/0x12c0 fs/read_write.c:1255\n __do_sys_sendfile64 fs/read_write.c:1323 [inline]\n __se_sys_sendfile64 fs/read_write.c:1309 [inline]\n __x64_sys_sendfile64+0x1cf/0x210 fs/read_write.c:1309\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:31:20.130Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b322bac9f01d03190b5abc52be5d9dd9f22a2b41"
},
{
"url": "https://git.kernel.org/stable/c/61e03dc3794ebf77a706b85e5a36c9c6d70be6de"
},
{
"url": "https://git.kernel.org/stable/c/5b266cf6851ce72b11b067fe02adf5a8687104ad"
},
{
"url": "https://git.kernel.org/stable/c/144c48da33a01d92995aeccd8208eb47d2a8e659"
},
{
"url": "https://git.kernel.org/stable/c/22a76b0861ae61a299c8e126c1aca8c4fda820fd"
},
{
"url": "https://git.kernel.org/stable/c/ba8aeff294ac7ff6dfe293663d815c54c5ee218c"
},
{
"url": "https://git.kernel.org/stable/c/5cad18e527ba8a9ca5463cc170073eeb5a4826f4"
},
{
"url": "https://git.kernel.org/stable/c/0cd8feea8777f8d9b9a862b89c688b049a5c8475"
}
],
"title": "ext4: add i_data_sem protection in ext4_destroy_inline_data_nolock()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68261",
"datePublished": "2025-12-16T14:45:03.252Z",
"dateReserved": "2025-12-16T13:41:40.267Z",
"dateUpdated": "2026-02-09T08:31:20.130Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71130 (GCVE-0-2025-71130)
Vulnerability from cvelistv5
Published
2026-01-14 15:07
Modified
2026-02-09 08:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/i915/gem: Zero-initialize the eb.vma array in i915_gem_do_execbuffer
Initialize the eb.vma array with values of 0 when the eb structure is
first set up. In particular, this sets the eb->vma[i].vma pointers to
NULL, simplifying cleanup and getting rid of the bug described below.
During the execution of eb_lookup_vmas(), the eb->vma array is
successively filled up with struct eb_vma objects. This process includes
calling eb_add_vma(), which might fail; however, even in the event of
failure, eb->vma[i].vma is set for the currently processed buffer.
If eb_add_vma() fails, eb_lookup_vmas() returns with an error, which
prompts a call to eb_release_vmas() to clean up the mess. Since
eb_lookup_vmas() might fail during processing any (possibly not first)
buffer, eb_release_vmas() checks whether a buffer's vma is NULL to know
at what point did the lookup function fail.
In eb_lookup_vmas(), eb->vma[i].vma is set to NULL if either the helper
function eb_lookup_vma() or eb_validate_vma() fails. eb->vma[i+1].vma is
set to NULL in case i915_gem_object_userptr_submit_init() fails; the
current one needs to be cleaned up by eb_release_vmas() at this point,
so the next one is set. If eb_add_vma() fails, neither the current nor
the next vma is set to NULL, which is a source of a NULL deref bug
described in the issue linked in the Closes tag.
When entering eb_lookup_vmas(), the vma pointers are set to the slab
poison value, instead of NULL. This doesn't matter for the actual
lookup, since it gets overwritten anyway, however the eb_release_vmas()
function only recognizes NULL as the stopping value, hence the pointers
are being set to NULL as they go in case of intermediate failure. This
patch changes the approach to filling them all with NULL at the start
instead, rather than handling that manually during failure.
(cherry picked from commit 08889b706d4f0b8d2352b7ca29c2d8df4d0787cd)
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "25d69e07770745992387c016613fd7ac8eaf9893",
"status": "affected",
"version": "544460c33821b44c2f0c643121303c3dc3f66ef1",
"versionType": "git"
},
{
"lessThan": "0336188cc85d0eab8463bd1bbd4ded4e9602de8b",
"status": "affected",
"version": "544460c33821b44c2f0c643121303c3dc3f66ef1",
"versionType": "git"
},
{
"lessThan": "24d55ac8e31d2f8197bfad71ffcb3bae21ed7117",
"status": "affected",
"version": "544460c33821b44c2f0c643121303c3dc3f66ef1",
"versionType": "git"
},
{
"lessThan": "63f23aa2fbb823c8b15a29269fde220d227ce5b3",
"status": "affected",
"version": "544460c33821b44c2f0c643121303c3dc3f66ef1",
"versionType": "git"
},
{
"lessThan": "4fe2bd195435e71c117983d87f278112c5ab364c",
"status": "affected",
"version": "544460c33821b44c2f0c643121303c3dc3f66ef1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gem: Zero-initialize the eb.vma array in i915_gem_do_execbuffer\n\nInitialize the eb.vma array with values of 0 when the eb structure is\nfirst set up. In particular, this sets the eb-\u003evma[i].vma pointers to\nNULL, simplifying cleanup and getting rid of the bug described below.\n\nDuring the execution of eb_lookup_vmas(), the eb-\u003evma array is\nsuccessively filled up with struct eb_vma objects. This process includes\ncalling eb_add_vma(), which might fail; however, even in the event of\nfailure, eb-\u003evma[i].vma is set for the currently processed buffer.\n\nIf eb_add_vma() fails, eb_lookup_vmas() returns with an error, which\nprompts a call to eb_release_vmas() to clean up the mess. Since\neb_lookup_vmas() might fail during processing any (possibly not first)\nbuffer, eb_release_vmas() checks whether a buffer\u0027s vma is NULL to know\nat what point did the lookup function fail.\n\nIn eb_lookup_vmas(), eb-\u003evma[i].vma is set to NULL if either the helper\nfunction eb_lookup_vma() or eb_validate_vma() fails. eb-\u003evma[i+1].vma is\nset to NULL in case i915_gem_object_userptr_submit_init() fails; the\ncurrent one needs to be cleaned up by eb_release_vmas() at this point,\nso the next one is set. If eb_add_vma() fails, neither the current nor\nthe next vma is set to NULL, which is a source of a NULL deref bug\ndescribed in the issue linked in the Closes tag.\n\nWhen entering eb_lookup_vmas(), the vma pointers are set to the slab\npoison value, instead of NULL. This doesn\u0027t matter for the actual\nlookup, since it gets overwritten anyway, however the eb_release_vmas()\nfunction only recognizes NULL as the stopping value, hence the pointers\nare being set to NULL as they go in case of intermediate failure. This\npatch changes the approach to filling them all with NULL at the start\ninstead, rather than handling that manually during failure.\n\n(cherry picked from commit 08889b706d4f0b8d2352b7ca29c2d8df4d0787cd)"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:26.270Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/25d69e07770745992387c016613fd7ac8eaf9893"
},
{
"url": "https://git.kernel.org/stable/c/0336188cc85d0eab8463bd1bbd4ded4e9602de8b"
},
{
"url": "https://git.kernel.org/stable/c/24d55ac8e31d2f8197bfad71ffcb3bae21ed7117"
},
{
"url": "https://git.kernel.org/stable/c/63f23aa2fbb823c8b15a29269fde220d227ce5b3"
},
{
"url": "https://git.kernel.org/stable/c/4fe2bd195435e71c117983d87f278112c5ab364c"
}
],
"title": "drm/i915/gem: Zero-initialize the eb.vma array in i915_gem_do_execbuffer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71130",
"datePublished": "2026-01-14T15:07:46.508Z",
"dateReserved": "2026-01-13T15:30:19.655Z",
"dateUpdated": "2026-02-09T08:35:26.270Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40215 (GCVE-0-2025-40215)
Vulnerability from cvelistv5
Published
2025-12-04 12:38
Modified
2026-01-19 12:18
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
xfrm: delete x->tunnel as we delete x
The ipcomp fallback tunnels currently get deleted (from the various
lists and hashtables) as the last user state that needed that fallback
is destroyed (not deleted). If a reference to that user state still
exists, the fallback state will remain on the hashtables/lists,
triggering the WARN in xfrm_state_fini. Because of those remaining
references, the fix in commit f75a2804da39 ("xfrm: destroy xfrm_state
synchronously on net exit path") is not complete.
We recently fixed one such situation in TCP due to defered freeing of
skbs (commit 9b6412e6979f ("tcp: drop secpath at the same time as we
currently drop dst")). This can also happen due to IP reassembly: skbs
with a secpath remain on the reassembly queue until netns
destruction. If we can't guarantee that the queues are flushed by the
time xfrm_state_fini runs, there may still be references to a (user)
xfrm_state, preventing the timely deletion of the corresponding
fallback state.
Instead of chasing each instance of skbs holding a secpath one by one,
this patch fixes the issue directly within xfrm, by deleting the
fallback state as soon as the last user state depending on it has been
deleted. Destruction will still happen when the final reference is
dropped.
A separate lockdep class for the fallback state is required since
we're going to lock x->tunnel while x is locked.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 9d4139c76905833afcb77fe8ccc17f302a0eb9ab Version: 9d4139c76905833afcb77fe8ccc17f302a0eb9ab Version: 9d4139c76905833afcb77fe8ccc17f302a0eb9ab Version: 9d4139c76905833afcb77fe8ccc17f302a0eb9ab Version: 9d4139c76905833afcb77fe8ccc17f302a0eb9ab Version: 9d4139c76905833afcb77fe8ccc17f302a0eb9ab |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/xfrm.h",
"net/ipv4/ipcomp.c",
"net/ipv6/ipcomp6.c",
"net/ipv6/xfrm6_tunnel.c",
"net/xfrm/xfrm_ipcomp.c",
"net/xfrm/xfrm_state.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1b28a7fae0128fa140a7dccd995182ff6cd1c67b",
"status": "affected",
"version": "9d4139c76905833afcb77fe8ccc17f302a0eb9ab",
"versionType": "git"
},
{
"lessThan": "4b2c17d0f9be8b58bb30468bc81a4b61c985b04e",
"status": "affected",
"version": "9d4139c76905833afcb77fe8ccc17f302a0eb9ab",
"versionType": "git"
},
{
"lessThan": "0da961fa46da1b37ef868d9b603bd202136f8f8e",
"status": "affected",
"version": "9d4139c76905833afcb77fe8ccc17f302a0eb9ab",
"versionType": "git"
},
{
"lessThan": "d0e0d1097118461463b76562c7ebaabaa5b90b13",
"status": "affected",
"version": "9d4139c76905833afcb77fe8ccc17f302a0eb9ab",
"versionType": "git"
},
{
"lessThan": "dc3636912d41770466543623cb76e7b88fdb42c7",
"status": "affected",
"version": "9d4139c76905833afcb77fe8ccc17f302a0eb9ab",
"versionType": "git"
},
{
"lessThan": "b441cf3f8c4b8576639d20c8eb4aa32917602ecd",
"status": "affected",
"version": "9d4139c76905833afcb77fe8ccc17f302a0eb9ab",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/xfrm.h",
"net/ipv4/ipcomp.c",
"net/ipv6/ipcomp6.c",
"net/ipv6/xfrm6_tunnel.c",
"net/xfrm/xfrm_ipcomp.c",
"net/xfrm/xfrm_state.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.29"
},
{
"lessThan": "2.6.29",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.62",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.62",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "2.6.29",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: delete x-\u003etunnel as we delete x\n\nThe ipcomp fallback tunnels currently get deleted (from the various\nlists and hashtables) as the last user state that needed that fallback\nis destroyed (not deleted). If a reference to that user state still\nexists, the fallback state will remain on the hashtables/lists,\ntriggering the WARN in xfrm_state_fini. Because of those remaining\nreferences, the fix in commit f75a2804da39 (\"xfrm: destroy xfrm_state\nsynchronously on net exit path\") is not complete.\n\nWe recently fixed one such situation in TCP due to defered freeing of\nskbs (commit 9b6412e6979f (\"tcp: drop secpath at the same time as we\ncurrently drop dst\")). This can also happen due to IP reassembly: skbs\nwith a secpath remain on the reassembly queue until netns\ndestruction. If we can\u0027t guarantee that the queues are flushed by the\ntime xfrm_state_fini runs, there may still be references to a (user)\nxfrm_state, preventing the timely deletion of the corresponding\nfallback state.\n\nInstead of chasing each instance of skbs holding a secpath one by one,\nthis patch fixes the issue directly within xfrm, by deleting the\nfallback state as soon as the last user state depending on it has been\ndeleted. Destruction will still happen when the final reference is\ndropped.\n\nA separate lockdep class for the fallback state is required since\nwe\u0027re going to lock x-\u003etunnel while x is locked."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:18:05.674Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1b28a7fae0128fa140a7dccd995182ff6cd1c67b"
},
{
"url": "https://git.kernel.org/stable/c/4b2c17d0f9be8b58bb30468bc81a4b61c985b04e"
},
{
"url": "https://git.kernel.org/stable/c/0da961fa46da1b37ef868d9b603bd202136f8f8e"
},
{
"url": "https://git.kernel.org/stable/c/d0e0d1097118461463b76562c7ebaabaa5b90b13"
},
{
"url": "https://git.kernel.org/stable/c/dc3636912d41770466543623cb76e7b88fdb42c7"
},
{
"url": "https://git.kernel.org/stable/c/b441cf3f8c4b8576639d20c8eb4aa32917602ecd"
}
],
"title": "xfrm: delete x-\u003etunnel as we delete x",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40215",
"datePublished": "2025-12-04T12:38:32.517Z",
"dateReserved": "2025-04-16T07:20:57.179Z",
"dateUpdated": "2026-01-19T12:18:05.674Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68217 (GCVE-0-2025-68217)
Vulnerability from cvelistv5
Published
2025-12-16 13:57
Modified
2025-12-16 13:57
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Input: pegasus-notetaker - fix potential out-of-bounds access
In the pegasus_notetaker driver, the pegasus_probe() function allocates
the URB transfer buffer using the wMaxPacketSize value from
the endpoint descriptor. An attacker can use a malicious USB descriptor
to force the allocation of a very small buffer.
Subsequently, if the device sends an interrupt packet with a specific
pattern (e.g., where the first byte is 0x80 or 0x42),
the pegasus_parse_packet() function parses the packet without checking
the allocated buffer size. This leads to an out-of-bounds memory access.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1afca2b66aac7ac262d3511c68725e9e7053b40f Version: 1afca2b66aac7ac262d3511c68725e9e7053b40f Version: 1afca2b66aac7ac262d3511c68725e9e7053b40f Version: 1afca2b66aac7ac262d3511c68725e9e7053b40f Version: 1afca2b66aac7ac262d3511c68725e9e7053b40f Version: 1afca2b66aac7ac262d3511c68725e9e7053b40f Version: 1afca2b66aac7ac262d3511c68725e9e7053b40f Version: 1afca2b66aac7ac262d3511c68725e9e7053b40f |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/input/tablet/pegasus_notetaker.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c4e746651bd74c38f581e1cf31651119a94de8cd",
"status": "affected",
"version": "1afca2b66aac7ac262d3511c68725e9e7053b40f",
"versionType": "git"
},
{
"lessThan": "36bc92b838ff72f62f2c17751a9013b29ead2513",
"status": "affected",
"version": "1afca2b66aac7ac262d3511c68725e9e7053b40f",
"versionType": "git"
},
{
"lessThan": "015b719962696b793997e8deefac019f816aca77",
"status": "affected",
"version": "1afca2b66aac7ac262d3511c68725e9e7053b40f",
"versionType": "git"
},
{
"lessThan": "084264e10e2ae8938a54355123ad977eb9df56d6",
"status": "affected",
"version": "1afca2b66aac7ac262d3511c68725e9e7053b40f",
"versionType": "git"
},
{
"lessThan": "d344ea1baf1946c90f0cd6f9daeb5f3e0a0ca479",
"status": "affected",
"version": "1afca2b66aac7ac262d3511c68725e9e7053b40f",
"versionType": "git"
},
{
"lessThan": "9ab67eff6d654e34ba6da07c64761aa87c2a3c26",
"status": "affected",
"version": "1afca2b66aac7ac262d3511c68725e9e7053b40f",
"versionType": "git"
},
{
"lessThan": "763c3f4d2394a697d14af1335d3bb42f05c9409f",
"status": "affected",
"version": "1afca2b66aac7ac262d3511c68725e9e7053b40f",
"versionType": "git"
},
{
"lessThan": "69aeb507312306f73495598a055293fa749d454e",
"status": "affected",
"version": "1afca2b66aac7ac262d3511c68725e9e7053b40f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/input/tablet/pegasus_notetaker.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: pegasus-notetaker - fix potential out-of-bounds access\n\nIn the pegasus_notetaker driver, the pegasus_probe() function allocates\nthe URB transfer buffer using the wMaxPacketSize value from\nthe endpoint descriptor. An attacker can use a malicious USB descriptor\nto force the allocation of a very small buffer.\n\nSubsequently, if the device sends an interrupt packet with a specific\npattern (e.g., where the first byte is 0x80 or 0x42),\nthe pegasus_parse_packet() function parses the packet without checking\nthe allocated buffer size. This leads to an out-of-bounds memory access."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T13:57:12.011Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c4e746651bd74c38f581e1cf31651119a94de8cd"
},
{
"url": "https://git.kernel.org/stable/c/36bc92b838ff72f62f2c17751a9013b29ead2513"
},
{
"url": "https://git.kernel.org/stable/c/015b719962696b793997e8deefac019f816aca77"
},
{
"url": "https://git.kernel.org/stable/c/084264e10e2ae8938a54355123ad977eb9df56d6"
},
{
"url": "https://git.kernel.org/stable/c/d344ea1baf1946c90f0cd6f9daeb5f3e0a0ca479"
},
{
"url": "https://git.kernel.org/stable/c/9ab67eff6d654e34ba6da07c64761aa87c2a3c26"
},
{
"url": "https://git.kernel.org/stable/c/763c3f4d2394a697d14af1335d3bb42f05c9409f"
},
{
"url": "https://git.kernel.org/stable/c/69aeb507312306f73495598a055293fa749d454e"
}
],
"title": "Input: pegasus-notetaker - fix potential out-of-bounds access",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68217",
"datePublished": "2025-12-16T13:57:12.011Z",
"dateReserved": "2025-12-16T13:41:40.256Z",
"dateUpdated": "2025-12-16T13:57:12.011Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40243 (GCVE-0-2025-40243)
Vulnerability from cvelistv5
Published
2025-12-04 15:31
Modified
2026-01-02 15:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits()
The syzbot reported issue in hfs_find_set_zero_bits():
=====================================================
BUG: KMSAN: uninit-value in hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45
hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45
hfs_vbm_search_free+0x13c/0x5b0 fs/hfs/bitmap.c:151
hfs_extend_file+0x6a5/0x1b00 fs/hfs/extent.c:408
hfs_get_block+0x435/0x1150 fs/hfs/extent.c:353
__block_write_begin_int+0xa76/0x3030 fs/buffer.c:2151
block_write_begin fs/buffer.c:2262 [inline]
cont_write_begin+0x10e1/0x1bc0 fs/buffer.c:2601
hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52
cont_expand_zero fs/buffer.c:2528 [inline]
cont_write_begin+0x35a/0x1bc0 fs/buffer.c:2591
hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52
hfs_file_truncate+0x1d6/0xe60 fs/hfs/extent.c:494
hfs_inode_setattr+0x964/0xaa0 fs/hfs/inode.c:654
notify_change+0x1993/0x1aa0 fs/attr.c:552
do_truncate+0x28f/0x310 fs/open.c:68
do_ftruncate+0x698/0x730 fs/open.c:195
do_sys_ftruncate fs/open.c:210 [inline]
__do_sys_ftruncate fs/open.c:215 [inline]
__se_sys_ftruncate fs/open.c:213 [inline]
__x64_sys_ftruncate+0x11b/0x250 fs/open.c:213
x64_sys_call+0xfe3/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:78
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was created at:
slab_post_alloc_hook mm/slub.c:4154 [inline]
slab_alloc_node mm/slub.c:4197 [inline]
__kmalloc_cache_noprof+0x7f7/0xed0 mm/slub.c:4354
kmalloc_noprof include/linux/slab.h:905 [inline]
hfs_mdb_get+0x1cc8/0x2a90 fs/hfs/mdb.c:175
hfs_fill_super+0x3d0/0xb80 fs/hfs/super.c:337
get_tree_bdev_flags+0x6e3/0x920 fs/super.c:1681
get_tree_bdev+0x38/0x50 fs/super.c:1704
hfs_get_tree+0x35/0x40 fs/hfs/super.c:388
vfs_get_tree+0xb0/0x5c0 fs/super.c:1804
do_new_mount+0x738/0x1610 fs/namespace.c:3902
path_mount+0x6db/0x1e90 fs/namespace.c:4226
do_mount fs/namespace.c:4239 [inline]
__do_sys_mount fs/namespace.c:4450 [inline]
__se_sys_mount+0x6eb/0x7d0 fs/namespace.c:4427
__x64_sys_mount+0xe4/0x150 fs/namespace.c:4427
x64_sys_call+0xfa7/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:166
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
CPU: 1 UID: 0 PID: 12609 Comm: syz.1.2692 Not tainted 6.16.0-syzkaller #0 PREEMPT(none)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
=====================================================
The HFS_SB(sb)->bitmap buffer is allocated in hfs_mdb_get():
HFS_SB(sb)->bitmap = kmalloc(8192, GFP_KERNEL);
Finally, it can trigger the reported issue because kmalloc()
doesn't clear the allocated memory. If allocated memory contains
only zeros, then everything will work pretty fine.
But if the allocated memory contains the "garbage", then
it can affect the bitmap operations and it triggers
the reported issue.
This patch simply exchanges the kmalloc() on kzalloc()
with the goal to guarantee the correctness of bitmap operations.
Because, newly created allocation bitmap should have all
available blocks free. Potentially, initialization bitmap's read
operation could not fill the whole allocated memory and
"garbage" in the not initialized memory will be the reason of
volume coruptions and file system driver bugs.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/hfs/mdb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fc56548fca732f3d3692c83b40db796259a03887",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "bf1683078fbdd09a7f7f9b74121ebaa03432bd00",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2a112cdd66f5a132da5235ca31a320528c86bf33",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e148ed5cda8fd96d4620c4622fb02f552a2d166a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "cfafefcb0e1fc60135f7040f4aed0a4aef4f76ca",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3b447fd401824e1ccf0b769188edefe866a1e676",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "502fa92a71f344611101bd04ef1a595b8b6014f5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2048ec5b98dbdfe0b929d2e42dc7a54c389c53dd",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/hfs/mdb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.196",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.115",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.196",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.115",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.56",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.6",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits()\n\nThe syzbot reported issue in hfs_find_set_zero_bits():\n\n=====================================================\nBUG: KMSAN: uninit-value in hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45\n hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45\n hfs_vbm_search_free+0x13c/0x5b0 fs/hfs/bitmap.c:151\n hfs_extend_file+0x6a5/0x1b00 fs/hfs/extent.c:408\n hfs_get_block+0x435/0x1150 fs/hfs/extent.c:353\n __block_write_begin_int+0xa76/0x3030 fs/buffer.c:2151\n block_write_begin fs/buffer.c:2262 [inline]\n cont_write_begin+0x10e1/0x1bc0 fs/buffer.c:2601\n hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52\n cont_expand_zero fs/buffer.c:2528 [inline]\n cont_write_begin+0x35a/0x1bc0 fs/buffer.c:2591\n hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52\n hfs_file_truncate+0x1d6/0xe60 fs/hfs/extent.c:494\n hfs_inode_setattr+0x964/0xaa0 fs/hfs/inode.c:654\n notify_change+0x1993/0x1aa0 fs/attr.c:552\n do_truncate+0x28f/0x310 fs/open.c:68\n do_ftruncate+0x698/0x730 fs/open.c:195\n do_sys_ftruncate fs/open.c:210 [inline]\n __do_sys_ftruncate fs/open.c:215 [inline]\n __se_sys_ftruncate fs/open.c:213 [inline]\n __x64_sys_ftruncate+0x11b/0x250 fs/open.c:213\n x64_sys_call+0xfe3/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:78\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:4154 [inline]\n slab_alloc_node mm/slub.c:4197 [inline]\n __kmalloc_cache_noprof+0x7f7/0xed0 mm/slub.c:4354\n kmalloc_noprof include/linux/slab.h:905 [inline]\n hfs_mdb_get+0x1cc8/0x2a90 fs/hfs/mdb.c:175\n hfs_fill_super+0x3d0/0xb80 fs/hfs/super.c:337\n get_tree_bdev_flags+0x6e3/0x920 fs/super.c:1681\n get_tree_bdev+0x38/0x50 fs/super.c:1704\n hfs_get_tree+0x35/0x40 fs/hfs/super.c:388\n vfs_get_tree+0xb0/0x5c0 fs/super.c:1804\n do_new_mount+0x738/0x1610 fs/namespace.c:3902\n path_mount+0x6db/0x1e90 fs/namespace.c:4226\n do_mount fs/namespace.c:4239 [inline]\n __do_sys_mount fs/namespace.c:4450 [inline]\n __se_sys_mount+0x6eb/0x7d0 fs/namespace.c:4427\n __x64_sys_mount+0xe4/0x150 fs/namespace.c:4427\n x64_sys_call+0xfa7/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:166\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nCPU: 1 UID: 0 PID: 12609 Comm: syz.1.2692 Not tainted 6.16.0-syzkaller #0 PREEMPT(none)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025\n=====================================================\n\nThe HFS_SB(sb)-\u003ebitmap buffer is allocated in hfs_mdb_get():\n\nHFS_SB(sb)-\u003ebitmap = kmalloc(8192, GFP_KERNEL);\n\nFinally, it can trigger the reported issue because kmalloc()\ndoesn\u0027t clear the allocated memory. If allocated memory contains\nonly zeros, then everything will work pretty fine.\nBut if the allocated memory contains the \"garbage\", then\nit can affect the bitmap operations and it triggers\nthe reported issue.\n\nThis patch simply exchanges the kmalloc() on kzalloc()\nwith the goal to guarantee the correctness of bitmap operations.\nBecause, newly created allocation bitmap should have all\navailable blocks free. Potentially, initialization bitmap\u0027s read\noperation could not fill the whole allocated memory and\n\"garbage\" in the not initialized memory will be the reason of\nvolume coruptions and file system driver bugs."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:12.728Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fc56548fca732f3d3692c83b40db796259a03887"
},
{
"url": "https://git.kernel.org/stable/c/bf1683078fbdd09a7f7f9b74121ebaa03432bd00"
},
{
"url": "https://git.kernel.org/stable/c/2a112cdd66f5a132da5235ca31a320528c86bf33"
},
{
"url": "https://git.kernel.org/stable/c/e148ed5cda8fd96d4620c4622fb02f552a2d166a"
},
{
"url": "https://git.kernel.org/stable/c/cfafefcb0e1fc60135f7040f4aed0a4aef4f76ca"
},
{
"url": "https://git.kernel.org/stable/c/3b447fd401824e1ccf0b769188edefe866a1e676"
},
{
"url": "https://git.kernel.org/stable/c/502fa92a71f344611101bd04ef1a595b8b6014f5"
},
{
"url": "https://git.kernel.org/stable/c/2048ec5b98dbdfe0b929d2e42dc7a54c389c53dd"
}
],
"title": "hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40243",
"datePublished": "2025-12-04T15:31:32.422Z",
"dateReserved": "2025-04-16T07:20:57.181Z",
"dateUpdated": "2026-01-02T15:33:12.728Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40282 (GCVE-0-2025-40282)
Vulnerability from cvelistv5
Published
2025-12-06 21:51
Modified
2025-12-06 21:51
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: 6lowpan: reset link-local header on ipv6 recv path
Bluetooth 6lowpan.c netdev has header_ops, so it must set link-local
header for RX skb, otherwise things crash, eg. with AF_PACKET SOCK_RAW
Add missing skb_reset_mac_header() for uncompressed ipv6 RX path.
For the compressed one, it is done in lowpan_header_decompress().
Log: (BlueZ 6lowpan-tester Client Recv Raw - Success)
------
kernel BUG at net/core/skbuff.c:212!
Call Trace:
<IRQ>
...
packet_rcv (net/packet/af_packet.c:2152)
...
<TASK>
__local_bh_enable_ip (kernel/softirq.c:407)
netif_rx (net/core/dev.c:5648)
chan_recv_cb (net/bluetooth/6lowpan.c:294 net/bluetooth/6lowpan.c:359)
------
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 18722c247023035b9e2e2a08a887adec2a9a6e49 Version: 18722c247023035b9e2e2a08a887adec2a9a6e49 Version: 18722c247023035b9e2e2a08a887adec2a9a6e49 Version: 18722c247023035b9e2e2a08a887adec2a9a6e49 Version: 18722c247023035b9e2e2a08a887adec2a9a6e49 Version: 18722c247023035b9e2e2a08a887adec2a9a6e49 Version: 18722c247023035b9e2e2a08a887adec2a9a6e49 Version: 18722c247023035b9e2e2a08a887adec2a9a6e49 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/6lowpan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ea46a1d217bc82e01cf3d0424e50ebfe251e34bf",
"status": "affected",
"version": "18722c247023035b9e2e2a08a887adec2a9a6e49",
"versionType": "git"
},
{
"lessThan": "973e0271754c77db3e1b6b69adf2de85a79a4c8b",
"status": "affected",
"version": "18722c247023035b9e2e2a08a887adec2a9a6e49",
"versionType": "git"
},
{
"lessThan": "d566e9a2bfc848941b091ffd5f4e12c4e889d818",
"status": "affected",
"version": "18722c247023035b9e2e2a08a887adec2a9a6e49",
"versionType": "git"
},
{
"lessThan": "4ebb90c3c309e6375dc3e841af92e2a039843e62",
"status": "affected",
"version": "18722c247023035b9e2e2a08a887adec2a9a6e49",
"versionType": "git"
},
{
"lessThan": "c24ac6cfe4f9a47180a65592c47e7a310d2f9d93",
"status": "affected",
"version": "18722c247023035b9e2e2a08a887adec2a9a6e49",
"versionType": "git"
},
{
"lessThan": "11cd7e068381666f842ad41d1cc58eecd0c75237",
"status": "affected",
"version": "18722c247023035b9e2e2a08a887adec2a9a6e49",
"versionType": "git"
},
{
"lessThan": "70d84e7c3a44b81020a3c3d650a64c63593405bd",
"status": "affected",
"version": "18722c247023035b9e2e2a08a887adec2a9a6e49",
"versionType": "git"
},
{
"lessThan": "3b78f50918276ab28fb22eac9aa49401ac436a3b",
"status": "affected",
"version": "18722c247023035b9e2e2a08a887adec2a9a6e49",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/6lowpan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.14"
},
{
"lessThan": "3.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: 6lowpan: reset link-local header on ipv6 recv path\n\nBluetooth 6lowpan.c netdev has header_ops, so it must set link-local\nheader for RX skb, otherwise things crash, eg. with AF_PACKET SOCK_RAW\n\nAdd missing skb_reset_mac_header() for uncompressed ipv6 RX path.\n\nFor the compressed one, it is done in lowpan_header_decompress().\n\nLog: (BlueZ 6lowpan-tester Client Recv Raw - Success)\n------\nkernel BUG at net/core/skbuff.c:212!\nCall Trace:\n\u003cIRQ\u003e\n...\npacket_rcv (net/packet/af_packet.c:2152)\n...\n\u003cTASK\u003e\n__local_bh_enable_ip (kernel/softirq.c:407)\nnetif_rx (net/core/dev.c:5648)\nchan_recv_cb (net/bluetooth/6lowpan.c:294 net/bluetooth/6lowpan.c:359)\n------"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T21:51:06.287Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ea46a1d217bc82e01cf3d0424e50ebfe251e34bf"
},
{
"url": "https://git.kernel.org/stable/c/973e0271754c77db3e1b6b69adf2de85a79a4c8b"
},
{
"url": "https://git.kernel.org/stable/c/d566e9a2bfc848941b091ffd5f4e12c4e889d818"
},
{
"url": "https://git.kernel.org/stable/c/4ebb90c3c309e6375dc3e841af92e2a039843e62"
},
{
"url": "https://git.kernel.org/stable/c/c24ac6cfe4f9a47180a65592c47e7a310d2f9d93"
},
{
"url": "https://git.kernel.org/stable/c/11cd7e068381666f842ad41d1cc58eecd0c75237"
},
{
"url": "https://git.kernel.org/stable/c/70d84e7c3a44b81020a3c3d650a64c63593405bd"
},
{
"url": "https://git.kernel.org/stable/c/3b78f50918276ab28fb22eac9aa49401ac436a3b"
}
],
"title": "Bluetooth: 6lowpan: reset link-local header on ipv6 recv path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40282",
"datePublished": "2025-12-06T21:51:06.287Z",
"dateReserved": "2025-04-16T07:20:57.184Z",
"dateUpdated": "2025-12-06T21:51:06.287Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71123 (GCVE-0-2025-71123)
Vulnerability from cvelistv5
Published
2026-01-14 15:06
Modified
2026-02-09 08:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix string copying in parse_apply_sb_mount_options()
strscpy_pad() can't be used to copy a non-NUL-term string into a NUL-term
string of possibly bigger size. Commit 0efc5990bca5 ("string.h: Introduce
memtostr() and memtostr_pad()") provides additional information in that
regard. So if this happens, the following warning is observed:
strnlen: detected buffer overflow: 65 byte read of buffer size 64
WARNING: CPU: 0 PID: 28655 at lib/string_helpers.c:1032 __fortify_report+0x96/0xc0 lib/string_helpers.c:1032
Modules linked in:
CPU: 0 UID: 0 PID: 28655 Comm: syz-executor.3 Not tainted 6.12.54-syzkaller-00144-g5f0270f1ba00 #0
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:__fortify_report+0x96/0xc0 lib/string_helpers.c:1032
Call Trace:
<TASK>
__fortify_panic+0x1f/0x30 lib/string_helpers.c:1039
strnlen include/linux/fortify-string.h:235 [inline]
sized_strscpy include/linux/fortify-string.h:309 [inline]
parse_apply_sb_mount_options fs/ext4/super.c:2504 [inline]
__ext4_fill_super fs/ext4/super.c:5261 [inline]
ext4_fill_super+0x3c35/0xad00 fs/ext4/super.c:5706
get_tree_bdev_flags+0x387/0x620 fs/super.c:1636
vfs_get_tree+0x93/0x380 fs/super.c:1814
do_new_mount fs/namespace.c:3553 [inline]
path_mount+0x6ae/0x1f70 fs/namespace.c:3880
do_mount fs/namespace.c:3893 [inline]
__do_sys_mount fs/namespace.c:4103 [inline]
__se_sys_mount fs/namespace.c:4080 [inline]
__x64_sys_mount+0x280/0x300 fs/namespace.c:4080
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x64/0x140 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Since userspace is expected to provide s_mount_opts field to be at most 63
characters long with the ending byte being NUL-term, use a 64-byte buffer
which matches the size of s_mount_opts, so that strscpy_pad() does its job
properly. Return with error if the user still managed to provide a
non-NUL-term string here.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: b2bac84fde28fb6a88817b8b761abda17a1d300b Version: e651294218d2684302ee5ed95ccf381646f3e5b4 Version: 01829af7656b56d83682b3491265d583d502e502 Version: 2a0cf438320cdb783e0378570744c0ef0d83e934 Version: 8ecb790ea8c3fc69e77bace57f14cf0d7c177bd8 Version: 8ecb790ea8c3fc69e77bace57f14cf0d7c177bd8 Version: 7bf46ff83a0ef11836e38ebd72cdc5107209342d Version: a6e94557cd05adc82fae0400f6e17745563e5412 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "52ac96c4a2dd7bc47666000440b0602d9742e820",
"status": "affected",
"version": "b2bac84fde28fb6a88817b8b761abda17a1d300b",
"versionType": "git"
},
{
"lessThan": "6e37143560e37869d51b7d9e0ac61fc48895f8a0",
"status": "affected",
"version": "e651294218d2684302ee5ed95ccf381646f3e5b4",
"versionType": "git"
},
{
"lessThan": "902ca2356f1e3ec5355c5808ad5d3f9d0095b0cc",
"status": "affected",
"version": "01829af7656b56d83682b3491265d583d502e502",
"versionType": "git"
},
{
"lessThan": "db9ee13fab0267eccf6544ee35b16c9522db9aac",
"status": "affected",
"version": "2a0cf438320cdb783e0378570744c0ef0d83e934",
"versionType": "git"
},
{
"lessThan": "5bbacbbf1ca4419861dca3c6b82707c10e9c021c",
"status": "affected",
"version": "8ecb790ea8c3fc69e77bace57f14cf0d7c177bd8",
"versionType": "git"
},
{
"lessThan": "ee5a977b4e771cc181f39d504426dbd31ed701cc",
"status": "affected",
"version": "8ecb790ea8c3fc69e77bace57f14cf0d7c177bd8",
"versionType": "git"
},
{
"status": "affected",
"version": "7bf46ff83a0ef11836e38ebd72cdc5107209342d",
"versionType": "git"
},
{
"status": "affected",
"version": "a6e94557cd05adc82fae0400f6e17745563e5412",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.10.246",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "6.1.158",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.6.114",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.12.54",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.301",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.17.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix string copying in parse_apply_sb_mount_options()\n\nstrscpy_pad() can\u0027t be used to copy a non-NUL-term string into a NUL-term\nstring of possibly bigger size. Commit 0efc5990bca5 (\"string.h: Introduce\nmemtostr() and memtostr_pad()\") provides additional information in that\nregard. So if this happens, the following warning is observed:\n\nstrnlen: detected buffer overflow: 65 byte read of buffer size 64\nWARNING: CPU: 0 PID: 28655 at lib/string_helpers.c:1032 __fortify_report+0x96/0xc0 lib/string_helpers.c:1032\nModules linked in:\nCPU: 0 UID: 0 PID: 28655 Comm: syz-executor.3 Not tainted 6.12.54-syzkaller-00144-g5f0270f1ba00 #0\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\nRIP: 0010:__fortify_report+0x96/0xc0 lib/string_helpers.c:1032\nCall Trace:\n \u003cTASK\u003e\n __fortify_panic+0x1f/0x30 lib/string_helpers.c:1039\n strnlen include/linux/fortify-string.h:235 [inline]\n sized_strscpy include/linux/fortify-string.h:309 [inline]\n parse_apply_sb_mount_options fs/ext4/super.c:2504 [inline]\n __ext4_fill_super fs/ext4/super.c:5261 [inline]\n ext4_fill_super+0x3c35/0xad00 fs/ext4/super.c:5706\n get_tree_bdev_flags+0x387/0x620 fs/super.c:1636\n vfs_get_tree+0x93/0x380 fs/super.c:1814\n do_new_mount fs/namespace.c:3553 [inline]\n path_mount+0x6ae/0x1f70 fs/namespace.c:3880\n do_mount fs/namespace.c:3893 [inline]\n __do_sys_mount fs/namespace.c:4103 [inline]\n __se_sys_mount fs/namespace.c:4080 [inline]\n __x64_sys_mount+0x280/0x300 fs/namespace.c:4080\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x64/0x140 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nSince userspace is expected to provide s_mount_opts field to be at most 63\ncharacters long with the ending byte being NUL-term, use a 64-byte buffer\nwhich matches the size of s_mount_opts, so that strscpy_pad() does its job\nproperly. Return with error if the user still managed to provide a\nnon-NUL-term string here.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:18.369Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/52ac96c4a2dd7bc47666000440b0602d9742e820"
},
{
"url": "https://git.kernel.org/stable/c/6e37143560e37869d51b7d9e0ac61fc48895f8a0"
},
{
"url": "https://git.kernel.org/stable/c/902ca2356f1e3ec5355c5808ad5d3f9d0095b0cc"
},
{
"url": "https://git.kernel.org/stable/c/db9ee13fab0267eccf6544ee35b16c9522db9aac"
},
{
"url": "https://git.kernel.org/stable/c/5bbacbbf1ca4419861dca3c6b82707c10e9c021c"
},
{
"url": "https://git.kernel.org/stable/c/ee5a977b4e771cc181f39d504426dbd31ed701cc"
}
],
"title": "ext4: fix string copying in parse_apply_sb_mount_options()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71123",
"datePublished": "2026-01-14T15:06:09.246Z",
"dateReserved": "2026-01-13T15:30:19.654Z",
"dateUpdated": "2026-02-09T08:35:18.369Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68764 (GCVE-0-2025-68764)
Vulnerability from cvelistv5
Published
2026-01-05 09:44
Modified
2026-02-09 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
NFS: Automounted filesystems should inherit ro,noexec,nodev,sync flags
When a filesystem is being automounted, it needs to preserve the
user-set superblock mount options, such as the "ro" flag.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: f2aedb713c284429987dc66c7aaf38decfc8da2a Version: f2aedb713c284429987dc66c7aaf38decfc8da2a Version: f2aedb713c284429987dc66c7aaf38decfc8da2a Version: f2aedb713c284429987dc66c7aaf38decfc8da2a Version: f2aedb713c284429987dc66c7aaf38decfc8da2a Version: f2aedb713c284429987dc66c7aaf38decfc8da2a Version: f2aedb713c284429987dc66c7aaf38decfc8da2a Version: f2aedb713c284429987dc66c7aaf38decfc8da2a |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfs/namespace.c",
"fs/nfs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a3dc6c40bcab1a888d5c0d134ccc0746b4c98929",
"status": "affected",
"version": "f2aedb713c284429987dc66c7aaf38decfc8da2a",
"versionType": "git"
},
{
"lessThan": "ba1495aefd22fcf0746a2a3025c95d766d7cde4d",
"status": "affected",
"version": "f2aedb713c284429987dc66c7aaf38decfc8da2a",
"versionType": "git"
},
{
"lessThan": "c09070b4def1b34e473a746c6a5331ccb80902c1",
"status": "affected",
"version": "f2aedb713c284429987dc66c7aaf38decfc8da2a",
"versionType": "git"
},
{
"lessThan": "dce10c59211e5cd763a62ea01e79b82a629811e3",
"status": "affected",
"version": "f2aedb713c284429987dc66c7aaf38decfc8da2a",
"versionType": "git"
},
{
"lessThan": "612cc98698d667df804792f0c47d4e501e66da29",
"status": "affected",
"version": "f2aedb713c284429987dc66c7aaf38decfc8da2a",
"versionType": "git"
},
{
"lessThan": "4b296944e632cf4c6a4cc8e2585c6451eae47b1b",
"status": "affected",
"version": "f2aedb713c284429987dc66c7aaf38decfc8da2a",
"versionType": "git"
},
{
"lessThan": "df9b003a2ecacc7218486fbb31fe008c93097d5f",
"status": "affected",
"version": "f2aedb713c284429987dc66c7aaf38decfc8da2a",
"versionType": "git"
},
{
"lessThan": "8675c69816e4276b979ff475ee5fac4688f80125",
"status": "affected",
"version": "f2aedb713c284429987dc66c7aaf38decfc8da2a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfs/namespace.c",
"fs/nfs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFS: Automounted filesystems should inherit ro,noexec,nodev,sync flags\n\nWhen a filesystem is being automounted, it needs to preserve the\nuser-set superblock mount options, such as the \"ro\" flag."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:09.041Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a3dc6c40bcab1a888d5c0d134ccc0746b4c98929"
},
{
"url": "https://git.kernel.org/stable/c/ba1495aefd22fcf0746a2a3025c95d766d7cde4d"
},
{
"url": "https://git.kernel.org/stable/c/c09070b4def1b34e473a746c6a5331ccb80902c1"
},
{
"url": "https://git.kernel.org/stable/c/dce10c59211e5cd763a62ea01e79b82a629811e3"
},
{
"url": "https://git.kernel.org/stable/c/612cc98698d667df804792f0c47d4e501e66da29"
},
{
"url": "https://git.kernel.org/stable/c/4b296944e632cf4c6a4cc8e2585c6451eae47b1b"
},
{
"url": "https://git.kernel.org/stable/c/df9b003a2ecacc7218486fbb31fe008c93097d5f"
},
{
"url": "https://git.kernel.org/stable/c/8675c69816e4276b979ff475ee5fac4688f80125"
}
],
"title": "NFS: Automounted filesystems should inherit ro,noexec,nodev,sync flags",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68764",
"datePublished": "2026-01-05T09:44:12.518Z",
"dateReserved": "2025-12-24T10:30:51.034Z",
"dateUpdated": "2026-02-09T08:33:09.041Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40026 (GCVE-0-2025-40026)
Vulnerability from cvelistv5
Published
2025-10-28 09:32
Modified
2025-12-01 06:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: x86: Don't (re)check L1 intercepts when completing userspace I/O
When completing emulation of instruction that generated a userspace exit
for I/O, don't recheck L1 intercepts as KVM has already finished that
phase of instruction execution, i.e. has already committed to allowing L2
to perform I/O. If L1 (or host userspace) modifies the I/O permission
bitmaps during the exit to userspace, KVM will treat the access as being
intercepted despite already having emulated the I/O access.
Pivot on EMULTYPE_NO_DECODE to detect that KVM is completing emulation.
Of the three users of EMULTYPE_NO_DECODE, only complete_emulated_io() (the
intended "recipient") can reach the code in question. gp_interception()'s
use is mutually exclusive with is_guest_mode(), and
complete_emulated_insn_gp() unconditionally pairs EMULTYPE_NO_DECODE with
EMULTYPE_SKIP.
The bad behavior was detected by a syzkaller program that toggles port I/O
interception during the userspace I/O exit, ultimately resulting in a WARN
on vcpu->arch.pio.count being non-zero due to KVM no completing emulation
of the I/O instruction.
WARNING: CPU: 23 PID: 1083 at arch/x86/kvm/x86.c:8039 emulator_pio_in_out+0x154/0x170 [kvm]
Modules linked in: kvm_intel kvm irqbypass
CPU: 23 UID: 1000 PID: 1083 Comm: repro Not tainted 6.16.0-rc5-c1610d2d66b1-next-vm #74 NONE
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
RIP: 0010:emulator_pio_in_out+0x154/0x170 [kvm]
PKRU: 55555554
Call Trace:
<TASK>
kvm_fast_pio+0xd6/0x1d0 [kvm]
vmx_handle_exit+0x149/0x610 [kvm_intel]
kvm_arch_vcpu_ioctl_run+0xda8/0x1ac0 [kvm]
kvm_vcpu_ioctl+0x244/0x8c0 [kvm]
__x64_sys_ioctl+0x8a/0xd0
do_syscall_64+0x5d/0xc60
entry_SYSCALL_64_after_hwframe+0x4b/0x53
</TASK>
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9 Version: 8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9 Version: 8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9 Version: 8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9 Version: 8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9 Version: 8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9 Version: 8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9 Version: 8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9 Version: 8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/emulate.c",
"arch/x86/kvm/kvm_emulate.h",
"arch/x86/kvm/x86.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a908eca437789589dd4624da428614c1275064dc",
"status": "affected",
"version": "8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9",
"versionType": "git"
},
{
"lessThan": "00338255bb1f422642fb2798ebe92e93b6e4209b",
"status": "affected",
"version": "8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9",
"versionType": "git"
},
{
"lessThan": "e0ce3ed1048a47986d15aef1a98ebda25560d257",
"status": "affected",
"version": "8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9",
"versionType": "git"
},
{
"lessThan": "ba35a5d775799ce5ad60230be97336f2fefd518e",
"status": "affected",
"version": "8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9",
"versionType": "git"
},
{
"lessThan": "3d3abf3f7e8b1abb082070a343de82d7efc80523",
"status": "affected",
"version": "8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9",
"versionType": "git"
},
{
"lessThan": "e7177c7e32cb806f348387b7f4faafd4a5b32054",
"status": "affected",
"version": "8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9",
"versionType": "git"
},
{
"lessThan": "3a062a5c55adc5507600b9ae6d911e247e2f1d6e",
"status": "affected",
"version": "8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9",
"versionType": "git"
},
{
"lessThan": "7366830642505683bbe905a2ba5d18d6e4b512b8",
"status": "affected",
"version": "8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9",
"versionType": "git"
},
{
"lessThan": "e750f85391286a4c8100275516973324b621a269",
"status": "affected",
"version": "8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/emulate.c",
"arch/x86/kvm/kvm_emulate.h",
"arch/x86/kvm/x86.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.0"
},
{
"lessThan": "3.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.52",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.111",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.52",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.12",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.2",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Don\u0027t (re)check L1 intercepts when completing userspace I/O\n\nWhen completing emulation of instruction that generated a userspace exit\nfor I/O, don\u0027t recheck L1 intercepts as KVM has already finished that\nphase of instruction execution, i.e. has already committed to allowing L2\nto perform I/O. If L1 (or host userspace) modifies the I/O permission\nbitmaps during the exit to userspace, KVM will treat the access as being\nintercepted despite already having emulated the I/O access.\n\nPivot on EMULTYPE_NO_DECODE to detect that KVM is completing emulation.\nOf the three users of EMULTYPE_NO_DECODE, only complete_emulated_io() (the\nintended \"recipient\") can reach the code in question. gp_interception()\u0027s\nuse is mutually exclusive with is_guest_mode(), and\ncomplete_emulated_insn_gp() unconditionally pairs EMULTYPE_NO_DECODE with\nEMULTYPE_SKIP.\n\nThe bad behavior was detected by a syzkaller program that toggles port I/O\ninterception during the userspace I/O exit, ultimately resulting in a WARN\non vcpu-\u003earch.pio.count being non-zero due to KVM no completing emulation\nof the I/O instruction.\n\n WARNING: CPU: 23 PID: 1083 at arch/x86/kvm/x86.c:8039 emulator_pio_in_out+0x154/0x170 [kvm]\n Modules linked in: kvm_intel kvm irqbypass\n CPU: 23 UID: 1000 PID: 1083 Comm: repro Not tainted 6.16.0-rc5-c1610d2d66b1-next-vm #74 NONE\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n RIP: 0010:emulator_pio_in_out+0x154/0x170 [kvm]\n PKRU: 55555554\n Call Trace:\n \u003cTASK\u003e\n kvm_fast_pio+0xd6/0x1d0 [kvm]\n vmx_handle_exit+0x149/0x610 [kvm_intel]\n kvm_arch_vcpu_ioctl_run+0xda8/0x1ac0 [kvm]\n kvm_vcpu_ioctl+0x244/0x8c0 [kvm]\n __x64_sys_ioctl+0x8a/0xd0\n do_syscall_64+0x5d/0xc60\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n \u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:16:28.000Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a908eca437789589dd4624da428614c1275064dc"
},
{
"url": "https://git.kernel.org/stable/c/00338255bb1f422642fb2798ebe92e93b6e4209b"
},
{
"url": "https://git.kernel.org/stable/c/e0ce3ed1048a47986d15aef1a98ebda25560d257"
},
{
"url": "https://git.kernel.org/stable/c/ba35a5d775799ce5ad60230be97336f2fefd518e"
},
{
"url": "https://git.kernel.org/stable/c/3d3abf3f7e8b1abb082070a343de82d7efc80523"
},
{
"url": "https://git.kernel.org/stable/c/e7177c7e32cb806f348387b7f4faafd4a5b32054"
},
{
"url": "https://git.kernel.org/stable/c/3a062a5c55adc5507600b9ae6d911e247e2f1d6e"
},
{
"url": "https://git.kernel.org/stable/c/7366830642505683bbe905a2ba5d18d6e4b512b8"
},
{
"url": "https://git.kernel.org/stable/c/e750f85391286a4c8100275516973324b621a269"
}
],
"title": "KVM: x86: Don\u0027t (re)check L1 intercepts when completing userspace I/O",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40026",
"datePublished": "2025-10-28T09:32:33.075Z",
"dateReserved": "2025-04-16T07:20:57.152Z",
"dateUpdated": "2025-12-01T06:16:28.000Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-21704 (GCVE-0-2025-21704)
Vulnerability from cvelistv5
Published
2025-02-22 09:43
Modified
2025-11-03 19:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: cdc-acm: Check control transfer buffer size before access
If the first fragment is shorter than struct usb_cdc_notification, we can't
calculate an expected_size. Log an error and discard the notification
instead of reading lengths from memory outside the received data, which can
lead to memory corruption when the expected_size decreases between
fragments, causing `expected_size - acm->nb_index` to wrap.
This issue has been present since the beginning of git history; however,
it only leads to memory corruption since commit ea2583529cd1
("cdc-acm: reassemble fragmented notifications").
A mitigating factor is that acm_ctrl_irq() can only execute after userspace
has opened /dev/ttyACM*; but if ModemManager is running, ModemManager will
do that automatically depending on the USB device's vendor/product IDs and
its other interfaces.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:35:54.825Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/class/cdc-acm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a4e1ae5c0533964170197e4fb4f33bc8c1db5cd2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "90dd2f1b7342b9a671a5ea4160f408037b92b118",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "871619c2b78fdfe05afb4e8ba548678687beb812",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7828e9363ac4d23b02419bf2a45b9f1d9fb35646",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6abb510251e75f875797d8983a830e6731fa281c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f64079bef6a8a7823358c3f352ea29a617844636",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "383d516a0ebc8641372b521c8cb717f0f1834831",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e563b01208f4d1f609bcab13333b6c0e24ce6a01",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/class/cdc-acm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.79",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.79",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.16",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.4",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: cdc-acm: Check control transfer buffer size before access\n\nIf the first fragment is shorter than struct usb_cdc_notification, we can\u0027t\ncalculate an expected_size. Log an error and discard the notification\ninstead of reading lengths from memory outside the received data, which can\nlead to memory corruption when the expected_size decreases between\nfragments, causing `expected_size - acm-\u003enb_index` to wrap.\n\nThis issue has been present since the beginning of git history; however,\nit only leads to memory corruption since commit ea2583529cd1\n(\"cdc-acm: reassemble fragmented notifications\").\n\nA mitigating factor is that acm_ctrl_irq() can only execute after userspace\nhas opened /dev/ttyACM*; but if ModemManager is running, ModemManager will\ndo that automatically depending on the USB device\u0027s vendor/product IDs and\nits other interfaces."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:19:21.210Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a4e1ae5c0533964170197e4fb4f33bc8c1db5cd2"
},
{
"url": "https://git.kernel.org/stable/c/90dd2f1b7342b9a671a5ea4160f408037b92b118"
},
{
"url": "https://git.kernel.org/stable/c/871619c2b78fdfe05afb4e8ba548678687beb812"
},
{
"url": "https://git.kernel.org/stable/c/7828e9363ac4d23b02419bf2a45b9f1d9fb35646"
},
{
"url": "https://git.kernel.org/stable/c/6abb510251e75f875797d8983a830e6731fa281c"
},
{
"url": "https://git.kernel.org/stable/c/f64079bef6a8a7823358c3f352ea29a617844636"
},
{
"url": "https://git.kernel.org/stable/c/383d516a0ebc8641372b521c8cb717f0f1834831"
},
{
"url": "https://git.kernel.org/stable/c/e563b01208f4d1f609bcab13333b6c0e24ce6a01"
},
{
"url": "https://project-zero.issues.chromium.org/issues/395107243"
}
],
"title": "usb: cdc-acm: Check control transfer buffer size before access",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21704",
"datePublished": "2025-02-22T09:43:37.377Z",
"dateReserved": "2024-12-29T08:45:45.751Z",
"dateUpdated": "2025-11-03T19:35:54.825Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40281 (GCVE-0-2025-40281)
Vulnerability from cvelistv5
Published
2025-12-06 21:51
Modified
2025-12-06 21:51
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto
syzbot reported a possible shift-out-of-bounds [1]
Blamed commit added rto_alpha_max and rto_beta_max set to 1000.
It is unclear if some sctp users are setting very large rto_alpha
and/or rto_beta.
In order to prevent user regression, perform the test at run time.
Also add READ_ONCE() annotations as sysctl values can change under us.
[1]
UBSAN: shift-out-of-bounds in net/sctp/transport.c:509:41
shift exponent 64 is too large for 32-bit type 'unsigned int'
CPU: 0 UID: 0 PID: 16704 Comm: syz.2.2320 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120
ubsan_epilogue lib/ubsan.c:233 [inline]
__ubsan_handle_shift_out_of_bounds+0x27f/0x420 lib/ubsan.c:494
sctp_transport_update_rto.cold+0x1c/0x34b net/sctp/transport.c:509
sctp_check_transmitted+0x11c4/0x1c30 net/sctp/outqueue.c:1502
sctp_outq_sack+0x4ef/0x1b20 net/sctp/outqueue.c:1338
sctp_cmd_process_sack net/sctp/sm_sideeffect.c:840 [inline]
sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1372 [inline]
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b Version: b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b Version: b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b Version: b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b Version: b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b Version: b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b Version: b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b Version: b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sctp/transport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0e0413e3315199b23ff4aec295e256034cd0a6e4",
"status": "affected",
"version": "b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b",
"versionType": "git"
},
{
"lessThan": "834e65be429c0fa4f9bb5945064bd57f18ed2187",
"status": "affected",
"version": "b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b",
"versionType": "git"
},
{
"lessThan": "abb086b9a95d0ed3b757ee59964ba3c4e4b2fc1a",
"status": "affected",
"version": "b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b",
"versionType": "git"
},
{
"lessThan": "d0d858652834dcf531342c82a0428170aa7c2675",
"status": "affected",
"version": "b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b",
"versionType": "git"
},
{
"lessThan": "ed71f801249d2350c77a73dca2c03918a15a62fe",
"status": "affected",
"version": "b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b",
"versionType": "git"
},
{
"lessThan": "1cfa4eac275cc4875755c1303d48a4ddfe507ca8",
"status": "affected",
"version": "b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b",
"versionType": "git"
},
{
"lessThan": "aaba523dd7b6106526c24b1fd9b5fc35e5aaa88d",
"status": "affected",
"version": "b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b",
"versionType": "git"
},
{
"lessThan": "1534ff77757e44bcc4b98d0196bc5c0052fce5fa",
"status": "affected",
"version": "b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sctp/transport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.16"
},
{
"lessThan": "3.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto\n\nsyzbot reported a possible shift-out-of-bounds [1]\n\nBlamed commit added rto_alpha_max and rto_beta_max set to 1000.\n\nIt is unclear if some sctp users are setting very large rto_alpha\nand/or rto_beta.\n\nIn order to prevent user regression, perform the test at run time.\n\nAlso add READ_ONCE() annotations as sysctl values can change under us.\n\n[1]\n\nUBSAN: shift-out-of-bounds in net/sctp/transport.c:509:41\nshift exponent 64 is too large for 32-bit type \u0027unsigned int\u0027\nCPU: 0 UID: 0 PID: 16704 Comm: syz.2.2320 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120\n ubsan_epilogue lib/ubsan.c:233 [inline]\n __ubsan_handle_shift_out_of_bounds+0x27f/0x420 lib/ubsan.c:494\n sctp_transport_update_rto.cold+0x1c/0x34b net/sctp/transport.c:509\n sctp_check_transmitted+0x11c4/0x1c30 net/sctp/outqueue.c:1502\n sctp_outq_sack+0x4ef/0x1b20 net/sctp/outqueue.c:1338\n sctp_cmd_process_sack net/sctp/sm_sideeffect.c:840 [inline]\n sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1372 [inline]"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T21:51:05.208Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0e0413e3315199b23ff4aec295e256034cd0a6e4"
},
{
"url": "https://git.kernel.org/stable/c/834e65be429c0fa4f9bb5945064bd57f18ed2187"
},
{
"url": "https://git.kernel.org/stable/c/abb086b9a95d0ed3b757ee59964ba3c4e4b2fc1a"
},
{
"url": "https://git.kernel.org/stable/c/d0d858652834dcf531342c82a0428170aa7c2675"
},
{
"url": "https://git.kernel.org/stable/c/ed71f801249d2350c77a73dca2c03918a15a62fe"
},
{
"url": "https://git.kernel.org/stable/c/1cfa4eac275cc4875755c1303d48a4ddfe507ca8"
},
{
"url": "https://git.kernel.org/stable/c/aaba523dd7b6106526c24b1fd9b5fc35e5aaa88d"
},
{
"url": "https://git.kernel.org/stable/c/1534ff77757e44bcc4b98d0196bc5c0052fce5fa"
}
],
"title": "sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40281",
"datePublished": "2025-12-06T21:51:05.208Z",
"dateReserved": "2025-04-16T07:20:57.184Z",
"dateUpdated": "2025-12-06T21:51:05.208Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-56593 (GCVE-0-2024-56593)
Vulnerability from cvelistv5
Published
2024-12-27 14:51
Modified
2026-01-05 10:55
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: brcmfmac: Fix oops due to NULL pointer dereference in brcmf_sdiod_sglist_rw()
This patch fixes a NULL pointer dereference bug in brcmfmac that occurs
when a high 'sd_sgentry_align' value applies (e.g. 512) and a lot of queued SKBs
are sent from the pkt queue.
The problem is the number of entries in the pre-allocated sgtable, it is
nents = max(rxglom_size, txglom_size) + max(rxglom_size, txglom_size) >> 4 + 1.
Given the default [rt]xglom_size=32 it's actually 35 which is too small.
Worst case, the pkt queue can end up with 64 SKBs. This occurs when a new SKB
is added for each original SKB if tailroom isn't enough to hold tail_pad.
At least one sg entry is needed for each SKB. So, eventually the "skb_queue_walk loop"
in brcmf_sdiod_sglist_rw may run out of sg entries. This makes sg_next return
NULL and this causes the oops.
The patch sets nents to max(rxglom_size, txglom_size) * 2 to be able handle
the worst-case.
Btw. this requires only 64-35=29 * 16 (or 20 if CONFIG_NEED_SG_DMA_LENGTH) = 464
additional bytes of memory.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: af1fa210f4fc6e304b859b386a3c8a266b1110ab Version: af1fa210f4fc6e304b859b386a3c8a266b1110ab Version: af1fa210f4fc6e304b859b386a3c8a266b1110ab Version: af1fa210f4fc6e304b859b386a3c8a266b1110ab Version: af1fa210f4fc6e304b859b386a3c8a266b1110ab Version: af1fa210f4fc6e304b859b386a3c8a266b1110ab Version: af1fa210f4fc6e304b859b386a3c8a266b1110ab |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-56593",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T20:01:39.392025Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T20:07:14.320Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:50:17.021Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "342f87d263462c2670b77ea9a32074cab2ac6fa1",
"status": "affected",
"version": "af1fa210f4fc6e304b859b386a3c8a266b1110ab",
"versionType": "git"
},
{
"lessThan": "7522d7d745d13fbeff3350fe6aa56c8dae263571",
"status": "affected",
"version": "af1fa210f4fc6e304b859b386a3c8a266b1110ab",
"versionType": "git"
},
{
"lessThan": "dfb3f9d3f602602de208da7bdcc0f6d5ee74af68",
"status": "affected",
"version": "af1fa210f4fc6e304b859b386a3c8a266b1110ab",
"versionType": "git"
},
{
"lessThan": "67a25ea28f8ec1da8894f2f115d01d3becf67dc7",
"status": "affected",
"version": "af1fa210f4fc6e304b859b386a3c8a266b1110ab",
"versionType": "git"
},
{
"lessThan": "07c020c6d14d29e5a3ea4e4576b8ecf956a80834",
"status": "affected",
"version": "af1fa210f4fc6e304b859b386a3c8a266b1110ab",
"versionType": "git"
},
{
"lessThan": "34941321b516bd7c6103bd01287d71a1804d19d3",
"status": "affected",
"version": "af1fa210f4fc6e304b859b386a3c8a266b1110ab",
"versionType": "git"
},
{
"lessThan": "857282b819cbaa0675aaab1e7542e2c0579f52d7",
"status": "affected",
"version": "af1fa210f4fc6e304b859b386a3c8a266b1110ab",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.15"
},
{
"lessThan": "3.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.287",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.231",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.174",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.287",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.231",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.174",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.120",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.66",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.5",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13",
"versionStartIncluding": "3.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: Fix oops due to NULL pointer dereference in brcmf_sdiod_sglist_rw()\n\nThis patch fixes a NULL pointer dereference bug in brcmfmac that occurs\nwhen a high \u0027sd_sgentry_align\u0027 value applies (e.g. 512) and a lot of queued SKBs\nare sent from the pkt queue.\n\nThe problem is the number of entries in the pre-allocated sgtable, it is\nnents = max(rxglom_size, txglom_size) + max(rxglom_size, txglom_size) \u003e\u003e 4 + 1.\nGiven the default [rt]xglom_size=32 it\u0027s actually 35 which is too small.\nWorst case, the pkt queue can end up with 64 SKBs. This occurs when a new SKB\nis added for each original SKB if tailroom isn\u0027t enough to hold tail_pad.\nAt least one sg entry is needed for each SKB. So, eventually the \"skb_queue_walk loop\"\nin brcmf_sdiod_sglist_rw may run out of sg entries. This makes sg_next return\nNULL and this causes the oops.\n\nThe patch sets nents to max(rxglom_size, txglom_size) * 2 to be able handle\nthe worst-case.\nBtw. this requires only 64-35=29 * 16 (or 20 if CONFIG_NEED_SG_DMA_LENGTH) = 464\nadditional bytes of memory."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:55:56.242Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/342f87d263462c2670b77ea9a32074cab2ac6fa1"
},
{
"url": "https://git.kernel.org/stable/c/7522d7d745d13fbeff3350fe6aa56c8dae263571"
},
{
"url": "https://git.kernel.org/stable/c/dfb3f9d3f602602de208da7bdcc0f6d5ee74af68"
},
{
"url": "https://git.kernel.org/stable/c/67a25ea28f8ec1da8894f2f115d01d3becf67dc7"
},
{
"url": "https://git.kernel.org/stable/c/07c020c6d14d29e5a3ea4e4576b8ecf956a80834"
},
{
"url": "https://git.kernel.org/stable/c/34941321b516bd7c6103bd01287d71a1804d19d3"
},
{
"url": "https://git.kernel.org/stable/c/857282b819cbaa0675aaab1e7542e2c0579f52d7"
}
],
"title": "wifi: brcmfmac: Fix oops due to NULL pointer dereference in brcmf_sdiod_sglist_rw()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-56593",
"datePublished": "2024-12-27T14:51:00.466Z",
"dateReserved": "2024-12-27T14:03:06.003Z",
"dateUpdated": "2026-01-05T10:55:56.242Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68785 (GCVE-0-2025-68785)
Vulnerability from cvelistv5
Published
2026-01-13 15:28
Modified
2026-02-09 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: openvswitch: fix middle attribute validation in push_nsh() action
The push_nsh() action structure looks like this:
OVS_ACTION_ATTR_PUSH_NSH(OVS_KEY_ATTR_NSH(OVS_NSH_KEY_ATTR_BASE,...))
The outermost OVS_ACTION_ATTR_PUSH_NSH attribute is OK'ed by the
nla_for_each_nested() inside __ovs_nla_copy_actions(). The innermost
OVS_NSH_KEY_ATTR_BASE/MD1/MD2 are OK'ed by the nla_for_each_nested()
inside nsh_key_put_from_nlattr(). But nothing checks if the attribute
in the middle is OK. We don't even check that this attribute is the
OVS_KEY_ATTR_NSH. We just do a double unwrap with a pair of nla_data()
calls - first time directly while calling validate_push_nsh() and the
second time as part of the nla_for_each_nested() macro, which isn't
safe, potentially causing invalid memory access if the size of this
attribute is incorrect. The failure may not be noticed during
validation due to larger netlink buffer, but cause trouble later during
action execution where the buffer is allocated exactly to the size:
BUG: KASAN: slab-out-of-bounds in nsh_hdr_from_nlattr+0x1dd/0x6a0 [openvswitch]
Read of size 184 at addr ffff88816459a634 by task a.out/22624
CPU: 8 UID: 0 PID: 22624 6.18.0-rc7+ #115 PREEMPT(voluntary)
Call Trace:
<TASK>
dump_stack_lvl+0x51/0x70
print_address_description.constprop.0+0x2c/0x390
kasan_report+0xdd/0x110
kasan_check_range+0x35/0x1b0
__asan_memcpy+0x20/0x60
nsh_hdr_from_nlattr+0x1dd/0x6a0 [openvswitch]
push_nsh+0x82/0x120 [openvswitch]
do_execute_actions+0x1405/0x2840 [openvswitch]
ovs_execute_actions+0xd5/0x3b0 [openvswitch]
ovs_packet_cmd_execute+0x949/0xdb0 [openvswitch]
genl_family_rcv_msg_doit+0x1d6/0x2b0
genl_family_rcv_msg+0x336/0x580
genl_rcv_msg+0x9f/0x130
netlink_rcv_skb+0x11f/0x370
genl_rcv+0x24/0x40
netlink_unicast+0x73e/0xaa0
netlink_sendmsg+0x744/0xbf0
__sys_sendto+0x3d6/0x450
do_syscall_64+0x79/0x2c0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
</TASK>
Let's add some checks that the attribute is properly sized and it's
the only one attribute inside the action. Technically, there is no
real reason for OVS_KEY_ATTR_NSH to be there, as we know that we're
pushing an NSH header already, it just creates extra nesting, but
that's how uAPI works today. So, keeping as it is.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3 Version: b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3 Version: b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3 Version: b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3 Version: b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3 Version: b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3 Version: b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/openvswitch/flow_netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d0c135b8bbbcf92836068fd395bebeb7ae6c7bef",
"status": "affected",
"version": "b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3",
"versionType": "git"
},
{
"lessThan": "3bc2efff20a38b2c7ca18317649715df0dd62ced",
"status": "affected",
"version": "b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3",
"versionType": "git"
},
{
"lessThan": "1b569db9c2f28b599e40050524aae5f7332bc294",
"status": "affected",
"version": "b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3",
"versionType": "git"
},
{
"lessThan": "10ffc558246f2c75619aedda0921906095e46702",
"status": "affected",
"version": "b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3",
"versionType": "git"
},
{
"lessThan": "2ecfc4433acdb149eafd7fb22d7fd4adf90b25e9",
"status": "affected",
"version": "b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3",
"versionType": "git"
},
{
"lessThan": "c999153bfb2d1d9b295b7010d920f2a7c6d7595f",
"status": "affected",
"version": "b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3",
"versionType": "git"
},
{
"lessThan": "5ace7ef87f059d68b5f50837ef3e8a1a4870c36e",
"status": "affected",
"version": "b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/openvswitch/flow_netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: openvswitch: fix middle attribute validation in push_nsh() action\n\nThe push_nsh() action structure looks like this:\n\n OVS_ACTION_ATTR_PUSH_NSH(OVS_KEY_ATTR_NSH(OVS_NSH_KEY_ATTR_BASE,...))\n\nThe outermost OVS_ACTION_ATTR_PUSH_NSH attribute is OK\u0027ed by the\nnla_for_each_nested() inside __ovs_nla_copy_actions(). The innermost\nOVS_NSH_KEY_ATTR_BASE/MD1/MD2 are OK\u0027ed by the nla_for_each_nested()\ninside nsh_key_put_from_nlattr(). But nothing checks if the attribute\nin the middle is OK. We don\u0027t even check that this attribute is the\nOVS_KEY_ATTR_NSH. We just do a double unwrap with a pair of nla_data()\ncalls - first time directly while calling validate_push_nsh() and the\nsecond time as part of the nla_for_each_nested() macro, which isn\u0027t\nsafe, potentially causing invalid memory access if the size of this\nattribute is incorrect. The failure may not be noticed during\nvalidation due to larger netlink buffer, but cause trouble later during\naction execution where the buffer is allocated exactly to the size:\n\n BUG: KASAN: slab-out-of-bounds in nsh_hdr_from_nlattr+0x1dd/0x6a0 [openvswitch]\n Read of size 184 at addr ffff88816459a634 by task a.out/22624\n\n CPU: 8 UID: 0 PID: 22624 6.18.0-rc7+ #115 PREEMPT(voluntary)\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x51/0x70\n print_address_description.constprop.0+0x2c/0x390\n kasan_report+0xdd/0x110\n kasan_check_range+0x35/0x1b0\n __asan_memcpy+0x20/0x60\n nsh_hdr_from_nlattr+0x1dd/0x6a0 [openvswitch]\n push_nsh+0x82/0x120 [openvswitch]\n do_execute_actions+0x1405/0x2840 [openvswitch]\n ovs_execute_actions+0xd5/0x3b0 [openvswitch]\n ovs_packet_cmd_execute+0x949/0xdb0 [openvswitch]\n genl_family_rcv_msg_doit+0x1d6/0x2b0\n genl_family_rcv_msg+0x336/0x580\n genl_rcv_msg+0x9f/0x130\n netlink_rcv_skb+0x11f/0x370\n genl_rcv+0x24/0x40\n netlink_unicast+0x73e/0xaa0\n netlink_sendmsg+0x744/0xbf0\n __sys_sendto+0x3d6/0x450\n do_syscall_64+0x79/0x2c0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n \u003c/TASK\u003e\n\nLet\u0027s add some checks that the attribute is properly sized and it\u0027s\nthe only one attribute inside the action. Technically, there is no\nreal reason for OVS_KEY_ATTR_NSH to be there, as we know that we\u0027re\npushing an NSH header already, it just creates extra nesting, but\nthat\u0027s how uAPI works today. So, keeping as it is."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:31.795Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d0c135b8bbbcf92836068fd395bebeb7ae6c7bef"
},
{
"url": "https://git.kernel.org/stable/c/3bc2efff20a38b2c7ca18317649715df0dd62ced"
},
{
"url": "https://git.kernel.org/stable/c/1b569db9c2f28b599e40050524aae5f7332bc294"
},
{
"url": "https://git.kernel.org/stable/c/10ffc558246f2c75619aedda0921906095e46702"
},
{
"url": "https://git.kernel.org/stable/c/2ecfc4433acdb149eafd7fb22d7fd4adf90b25e9"
},
{
"url": "https://git.kernel.org/stable/c/c999153bfb2d1d9b295b7010d920f2a7c6d7595f"
},
{
"url": "https://git.kernel.org/stable/c/5ace7ef87f059d68b5f50837ef3e8a1a4870c36e"
}
],
"title": "net: openvswitch: fix middle attribute validation in push_nsh() action",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68785",
"datePublished": "2026-01-13T15:28:58.930Z",
"dateReserved": "2025-12-24T10:30:51.036Z",
"dateUpdated": "2026-02-09T08:33:31.795Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23406 (GCVE-0-2026-23406)
Vulnerability from cvelistv5
Published
2026-04-01 08:36
Modified
2026-04-18 08:58
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
apparmor: fix side-effect bug in match_char() macro usage
The match_char() macro evaluates its character parameter multiple
times when traversing differential encoding chains. When invoked
with *str++, the string pointer advances on each iteration of the
inner do-while loop, causing the DFA to check different characters
at each iteration and therefore skip input characters.
This results in out-of-bounds reads when the pointer advances past
the input buffer boundary.
[ 94.984676] ==================================================================
[ 94.985301] BUG: KASAN: slab-out-of-bounds in aa_dfa_match+0x5ae/0x760
[ 94.985655] Read of size 1 at addr ffff888100342000 by task file/976
[ 94.986319] CPU: 7 UID: 1000 PID: 976 Comm: file Not tainted 6.19.0-rc7-next-20260127 #1 PREEMPT(lazy)
[ 94.986322] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 94.986329] Call Trace:
[ 94.986341] <TASK>
[ 94.986347] dump_stack_lvl+0x5e/0x80
[ 94.986374] print_report+0xc8/0x270
[ 94.986384] ? aa_dfa_match+0x5ae/0x760
[ 94.986388] kasan_report+0x118/0x150
[ 94.986401] ? aa_dfa_match+0x5ae/0x760
[ 94.986405] aa_dfa_match+0x5ae/0x760
[ 94.986408] __aa_path_perm+0x131/0x400
[ 94.986418] aa_path_perm+0x219/0x2f0
[ 94.986424] apparmor_file_open+0x345/0x570
[ 94.986431] security_file_open+0x5c/0x140
[ 94.986442] do_dentry_open+0x2f6/0x1120
[ 94.986450] vfs_open+0x38/0x2b0
[ 94.986453] ? may_open+0x1e2/0x2b0
[ 94.986466] path_openat+0x231b/0x2b30
[ 94.986469] ? __x64_sys_openat+0xf8/0x130
[ 94.986477] do_file_open+0x19d/0x360
[ 94.986487] do_sys_openat2+0x98/0x100
[ 94.986491] __x64_sys_openat+0xf8/0x130
[ 94.986499] do_syscall_64+0x8e/0x660
[ 94.986515] ? count_memcg_events+0x15f/0x3c0
[ 94.986526] ? srso_alias_return_thunk+0x5/0xfbef5
[ 94.986540] ? handle_mm_fault+0x1639/0x1ef0
[ 94.986551] ? vma_start_read+0xf0/0x320
[ 94.986558] ? srso_alias_return_thunk+0x5/0xfbef5
[ 94.986561] ? srso_alias_return_thunk+0x5/0xfbef5
[ 94.986563] ? fpregs_assert_state_consistent+0x50/0xe0
[ 94.986572] ? srso_alias_return_thunk+0x5/0xfbef5
[ 94.986574] ? arch_exit_to_user_mode_prepare+0x9/0xb0
[ 94.986587] ? srso_alias_return_thunk+0x5/0xfbef5
[ 94.986588] ? irqentry_exit+0x3c/0x590
[ 94.986595] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 94.986597] RIP: 0033:0x7fda4a79c3ea
Fix by extracting the character value before invoking match_char,
ensuring single evaluation per outer loop.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 074c1cd798cb0b481d7eaa749b64aa416563c053 Version: 074c1cd798cb0b481d7eaa749b64aa416563c053 Version: 074c1cd798cb0b481d7eaa749b64aa416563c053 Version: 074c1cd798cb0b481d7eaa749b64aa416563c053 Version: 074c1cd798cb0b481d7eaa749b64aa416563c053 Version: 074c1cd798cb0b481d7eaa749b64aa416563c053 Version: 074c1cd798cb0b481d7eaa749b64aa416563c053 Version: 074c1cd798cb0b481d7eaa749b64aa416563c053 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"security/apparmor/match.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c7dc56d8b37eda1396feeec3ab1c7ecee5eae31b",
"status": "affected",
"version": "074c1cd798cb0b481d7eaa749b64aa416563c053",
"versionType": "git"
},
{
"lessThan": "f16f2e5936c0f5f0d11fdf10d2be3e47e7108e42",
"status": "affected",
"version": "074c1cd798cb0b481d7eaa749b64aa416563c053",
"versionType": "git"
},
{
"lessThan": "1fc94f16098213d01e56c97feed9b3ecf0147a37",
"status": "affected",
"version": "074c1cd798cb0b481d7eaa749b64aa416563c053",
"versionType": "git"
},
{
"lessThan": "5a184f7cbdeaad17e16dedf3c17d0cd622edfed8",
"status": "affected",
"version": "074c1cd798cb0b481d7eaa749b64aa416563c053",
"versionType": "git"
},
{
"lessThan": "b73c1dff8a9d7eeaebabf8097a5b2de192f40913",
"status": "affected",
"version": "074c1cd798cb0b481d7eaa749b64aa416563c053",
"versionType": "git"
},
{
"lessThan": "0510d1ba0976f97f521feb2b75b0572ea5df3ceb",
"status": "affected",
"version": "074c1cd798cb0b481d7eaa749b64aa416563c053",
"versionType": "git"
},
{
"lessThan": "383b7270faf42564f133134c2fc3c24bbae52615",
"status": "affected",
"version": "074c1cd798cb0b481d7eaa749b64aa416563c053",
"versionType": "git"
},
{
"lessThan": "8756b68edae37ff546c02091989a4ceab3f20abd",
"status": "affected",
"version": "074c1cd798cb0b481d7eaa749b64aa416563c053",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"security/apparmor/match.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.18",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.8",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: fix side-effect bug in match_char() macro usage\n\nThe match_char() macro evaluates its character parameter multiple\ntimes when traversing differential encoding chains. When invoked\nwith *str++, the string pointer advances on each iteration of the\ninner do-while loop, causing the DFA to check different characters\nat each iteration and therefore skip input characters.\nThis results in out-of-bounds reads when the pointer advances past\nthe input buffer boundary.\n\n[ 94.984676] ==================================================================\n[ 94.985301] BUG: KASAN: slab-out-of-bounds in aa_dfa_match+0x5ae/0x760\n[ 94.985655] Read of size 1 at addr ffff888100342000 by task file/976\n\n[ 94.986319] CPU: 7 UID: 1000 PID: 976 Comm: file Not tainted 6.19.0-rc7-next-20260127 #1 PREEMPT(lazy)\n[ 94.986322] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[ 94.986329] Call Trace:\n[ 94.986341] \u003cTASK\u003e\n[ 94.986347] dump_stack_lvl+0x5e/0x80\n[ 94.986374] print_report+0xc8/0x270\n[ 94.986384] ? aa_dfa_match+0x5ae/0x760\n[ 94.986388] kasan_report+0x118/0x150\n[ 94.986401] ? aa_dfa_match+0x5ae/0x760\n[ 94.986405] aa_dfa_match+0x5ae/0x760\n[ 94.986408] __aa_path_perm+0x131/0x400\n[ 94.986418] aa_path_perm+0x219/0x2f0\n[ 94.986424] apparmor_file_open+0x345/0x570\n[ 94.986431] security_file_open+0x5c/0x140\n[ 94.986442] do_dentry_open+0x2f6/0x1120\n[ 94.986450] vfs_open+0x38/0x2b0\n[ 94.986453] ? may_open+0x1e2/0x2b0\n[ 94.986466] path_openat+0x231b/0x2b30\n[ 94.986469] ? __x64_sys_openat+0xf8/0x130\n[ 94.986477] do_file_open+0x19d/0x360\n[ 94.986487] do_sys_openat2+0x98/0x100\n[ 94.986491] __x64_sys_openat+0xf8/0x130\n[ 94.986499] do_syscall_64+0x8e/0x660\n[ 94.986515] ? count_memcg_events+0x15f/0x3c0\n[ 94.986526] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 94.986540] ? handle_mm_fault+0x1639/0x1ef0\n[ 94.986551] ? vma_start_read+0xf0/0x320\n[ 94.986558] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 94.986561] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 94.986563] ? fpregs_assert_state_consistent+0x50/0xe0\n[ 94.986572] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 94.986574] ? arch_exit_to_user_mode_prepare+0x9/0xb0\n[ 94.986587] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 94.986588] ? irqentry_exit+0x3c/0x590\n[ 94.986595] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[ 94.986597] RIP: 0033:0x7fda4a79c3ea\n\nFix by extracting the character value before invoking match_char,\nensuring single evaluation per outer loop."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:58:40.555Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c7dc56d8b37eda1396feeec3ab1c7ecee5eae31b"
},
{
"url": "https://git.kernel.org/stable/c/f16f2e5936c0f5f0d11fdf10d2be3e47e7108e42"
},
{
"url": "https://git.kernel.org/stable/c/1fc94f16098213d01e56c97feed9b3ecf0147a37"
},
{
"url": "https://git.kernel.org/stable/c/5a184f7cbdeaad17e16dedf3c17d0cd622edfed8"
},
{
"url": "https://git.kernel.org/stable/c/b73c1dff8a9d7eeaebabf8097a5b2de192f40913"
},
{
"url": "https://git.kernel.org/stable/c/0510d1ba0976f97f521feb2b75b0572ea5df3ceb"
},
{
"url": "https://git.kernel.org/stable/c/383b7270faf42564f133134c2fc3c24bbae52615"
},
{
"url": "https://git.kernel.org/stable/c/8756b68edae37ff546c02091989a4ceab3f20abd"
}
],
"title": "apparmor: fix side-effect bug in match_char() macro usage",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23406",
"datePublished": "2026-04-01T08:36:36.460Z",
"dateReserved": "2026-01-13T15:37:46.013Z",
"dateUpdated": "2026-04-18T08:58:40.555Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53520 (GCVE-0-2023-53520)
Vulnerability from cvelistv5
Published
2025-10-01 11:46
Modified
2026-02-06 16:30
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: Fix hci_suspend_sync crash
If hci_unregister_dev() frees the hci_dev object but hci_suspend_notifier
may still be accessing it, it can cause the program to crash.
Here's the call trace:
<4>[102152.653246] Call Trace:
<4>[102152.653254] hci_suspend_sync+0x109/0x301 [bluetooth]
<4>[102152.653259] hci_suspend_dev+0x78/0xcd [bluetooth]
<4>[102152.653263] hci_suspend_notifier+0x42/0x7a [bluetooth]
<4>[102152.653268] notifier_call_chain+0x43/0x6b
<4>[102152.653271] __blocking_notifier_call_chain+0x48/0x69
<4>[102152.653273] __pm_notifier_call_chain+0x22/0x39
<4>[102152.653276] pm_suspend+0x287/0x57c
<4>[102152.653278] state_store+0xae/0xe5
<4>[102152.653281] kernfs_fop_write+0x109/0x173
<4>[102152.653284] __vfs_write+0x16f/0x1a2
<4>[102152.653287] ? selinux_file_permission+0xca/0x16f
<4>[102152.653289] ? security_file_permission+0x36/0x109
<4>[102152.653291] vfs_write+0x114/0x21d
<4>[102152.653293] __x64_sys_write+0x7b/0xdb
<4>[102152.653296] do_syscall_64+0x59/0x194
<4>[102152.653299] entry_SYSCALL_64_after_hwframe+0x5c/0xc1
This patch holds the reference count of the hci_dev object while
processing it in hci_suspend_notifier to avoid potential crash
caused by the race condition.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e1fa25a91091bbed691ba2996a6cee809e3309a2",
"status": "affected",
"version": "9952d90ea2885d7cbf80cd233f694f09a9c0eaec",
"versionType": "git"
},
{
"lessThan": "06e2b5ad72b60f90bfe565c201346532e271f484",
"status": "affected",
"version": "9952d90ea2885d7cbf80cd233f694f09a9c0eaec",
"versionType": "git"
},
{
"lessThan": "f9c8ce5d665653e3cf71a76349d41d7a7f7947e6",
"status": "affected",
"version": "9952d90ea2885d7cbf80cd233f694f09a9c0eaec",
"versionType": "git"
},
{
"lessThan": "573ebae162111063eedc6c838a659ba628f66a0f",
"status": "affected",
"version": "9952d90ea2885d7cbf80cd233f694f09a9c0eaec",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.55",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.5",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Fix hci_suspend_sync crash\n\nIf hci_unregister_dev() frees the hci_dev object but hci_suspend_notifier\nmay still be accessing it, it can cause the program to crash.\nHere\u0027s the call trace:\n \u003c4\u003e[102152.653246] Call Trace:\n \u003c4\u003e[102152.653254] hci_suspend_sync+0x109/0x301 [bluetooth]\n \u003c4\u003e[102152.653259] hci_suspend_dev+0x78/0xcd [bluetooth]\n \u003c4\u003e[102152.653263] hci_suspend_notifier+0x42/0x7a [bluetooth]\n \u003c4\u003e[102152.653268] notifier_call_chain+0x43/0x6b\n \u003c4\u003e[102152.653271] __blocking_notifier_call_chain+0x48/0x69\n \u003c4\u003e[102152.653273] __pm_notifier_call_chain+0x22/0x39\n \u003c4\u003e[102152.653276] pm_suspend+0x287/0x57c\n \u003c4\u003e[102152.653278] state_store+0xae/0xe5\n \u003c4\u003e[102152.653281] kernfs_fop_write+0x109/0x173\n \u003c4\u003e[102152.653284] __vfs_write+0x16f/0x1a2\n \u003c4\u003e[102152.653287] ? selinux_file_permission+0xca/0x16f\n \u003c4\u003e[102152.653289] ? security_file_permission+0x36/0x109\n \u003c4\u003e[102152.653291] vfs_write+0x114/0x21d\n \u003c4\u003e[102152.653293] __x64_sys_write+0x7b/0xdb\n \u003c4\u003e[102152.653296] do_syscall_64+0x59/0x194\n \u003c4\u003e[102152.653299] entry_SYSCALL_64_after_hwframe+0x5c/0xc1\n\nThis patch holds the reference count of the hci_dev object while\nprocessing it in hci_suspend_notifier to avoid potential crash\ncaused by the race condition."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T16:30:43.884Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e1fa25a91091bbed691ba2996a6cee809e3309a2"
},
{
"url": "https://git.kernel.org/stable/c/06e2b5ad72b60f90bfe565c201346532e271f484"
},
{
"url": "https://git.kernel.org/stable/c/f9c8ce5d665653e3cf71a76349d41d7a7f7947e6"
},
{
"url": "https://git.kernel.org/stable/c/573ebae162111063eedc6c838a659ba628f66a0f"
}
],
"title": "Bluetooth: Fix hci_suspend_sync crash",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53520",
"datePublished": "2025-10-01T11:46:07.355Z",
"dateReserved": "2025-10-01T11:39:39.407Z",
"dateUpdated": "2026-02-06T16:30:43.884Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40252 (GCVE-0-2025-40252)
Vulnerability from cvelistv5
Published
2025-12-04 16:08
Modified
2025-12-06 21:38
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont() and qede_tpa_end()
The loops in 'qede_tpa_cont()' and 'qede_tpa_end()', iterate
over 'cqe->len_list[]' using only a zero-length terminator as
the stopping condition. If the terminator was missing or
malformed, the loop could run past the end of the fixed-size array.
Add an explicit bound check using ARRAY_SIZE() in both loops to prevent
a potential out-of-bounds access.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 55482edc25f0606851de42e73618f813f310d009 Version: 55482edc25f0606851de42e73618f813f310d009 Version: 55482edc25f0606851de42e73618f813f310d009 Version: 55482edc25f0606851de42e73618f813f310d009 Version: 55482edc25f0606851de42e73618f813f310d009 Version: 55482edc25f0606851de42e73618f813f310d009 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/qlogic/qede/qede_fp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ecbb12caf399d7cf364b7553ed5aebeaa2f255bc",
"status": "affected",
"version": "55482edc25f0606851de42e73618f813f310d009",
"versionType": "git"
},
{
"lessThan": "a778912b4a53587ea07d85526d152f85d109cbfe",
"status": "affected",
"version": "55482edc25f0606851de42e73618f813f310d009",
"versionType": "git"
},
{
"lessThan": "f0923011c1261b33a2ac1de349256d39cb750dd0",
"status": "affected",
"version": "55482edc25f0606851de42e73618f813f310d009",
"versionType": "git"
},
{
"lessThan": "917a9d02182ac8b4f25eb47dc02f3ec679608c24",
"status": "affected",
"version": "55482edc25f0606851de42e73618f813f310d009",
"versionType": "git"
},
{
"lessThan": "e441db07f208184e0466abf44b389a81d70c340e",
"status": "affected",
"version": "55482edc25f0606851de42e73618f813f310d009",
"versionType": "git"
},
{
"lessThan": "896f1a2493b59beb2b5ccdf990503dbb16cb2256",
"status": "affected",
"version": "55482edc25f0606851de42e73618f813f310d009",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/qlogic/qede/qede_fp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.6"
},
{
"lessThan": "4.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont() and qede_tpa_end()\n\nThe loops in \u0027qede_tpa_cont()\u0027 and \u0027qede_tpa_end()\u0027, iterate\nover \u0027cqe-\u003elen_list[]\u0027 using only a zero-length terminator as\nthe stopping condition. If the terminator was missing or\nmalformed, the loop could run past the end of the fixed-size array.\n\nAdd an explicit bound check using ARRAY_SIZE() in both loops to prevent\na potential out-of-bounds access.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T21:38:48.403Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ecbb12caf399d7cf364b7553ed5aebeaa2f255bc"
},
{
"url": "https://git.kernel.org/stable/c/a778912b4a53587ea07d85526d152f85d109cbfe"
},
{
"url": "https://git.kernel.org/stable/c/f0923011c1261b33a2ac1de349256d39cb750dd0"
},
{
"url": "https://git.kernel.org/stable/c/917a9d02182ac8b4f25eb47dc02f3ec679608c24"
},
{
"url": "https://git.kernel.org/stable/c/e441db07f208184e0466abf44b389a81d70c340e"
},
{
"url": "https://git.kernel.org/stable/c/896f1a2493b59beb2b5ccdf990503dbb16cb2256"
}
],
"title": "net: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont() and qede_tpa_end()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40252",
"datePublished": "2025-12-04T16:08:14.393Z",
"dateReserved": "2025-04-16T07:20:57.181Z",
"dateUpdated": "2025-12-06T21:38:48.403Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40257 (GCVE-0-2025-40257)
Vulnerability from cvelistv5
Published
2025-12-04 16:08
Modified
2025-12-06 21:38
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mptcp: fix a race in mptcp_pm_del_add_timer()
mptcp_pm_del_add_timer() can call sk_stop_timer_sync(sk, &entry->add_timer)
while another might have free entry already, as reported by syzbot.
Add RCU protection to fix this issue.
Also change confusing add_timer variable with stop_timer boolean.
syzbot report:
BUG: KASAN: slab-use-after-free in __timer_delete_sync+0x372/0x3f0 kernel/time/timer.c:1616
Read of size 4 at addr ffff8880311e4150 by task kworker/1:1/44
CPU: 1 UID: 0 PID: 44 Comm: kworker/1:1 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Workqueue: events mptcp_worker
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595
__timer_delete_sync+0x372/0x3f0 kernel/time/timer.c:1616
sk_stop_timer_sync+0x1b/0x90 net/core/sock.c:3631
mptcp_pm_del_add_timer+0x283/0x310 net/mptcp/pm.c:362
mptcp_incoming_options+0x1357/0x1f60 net/mptcp/options.c:1174
tcp_data_queue+0xca/0x6450 net/ipv4/tcp_input.c:5361
tcp_rcv_established+0x1335/0x2670 net/ipv4/tcp_input.c:6441
tcp_v4_do_rcv+0x98b/0xbf0 net/ipv4/tcp_ipv4.c:1931
tcp_v4_rcv+0x252a/0x2dc0 net/ipv4/tcp_ipv4.c:2374
ip_protocol_deliver_rcu+0x221/0x440 net/ipv4/ip_input.c:205
ip_local_deliver_finish+0x3bb/0x6f0 net/ipv4/ip_input.c:239
NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318
NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318
__netif_receive_skb_one_core net/core/dev.c:6079 [inline]
__netif_receive_skb+0x143/0x380 net/core/dev.c:6192
process_backlog+0x31e/0x900 net/core/dev.c:6544
__napi_poll+0xb6/0x540 net/core/dev.c:7594
napi_poll net/core/dev.c:7657 [inline]
net_rx_action+0x5f7/0xda0 net/core/dev.c:7784
handle_softirqs+0x22f/0x710 kernel/softirq.c:622
__do_softirq kernel/softirq.c:656 [inline]
__local_bh_enable_ip+0x1a0/0x2e0 kernel/softirq.c:302
mptcp_pm_send_ack net/mptcp/pm.c:210 [inline]
mptcp_pm_addr_send_ack+0x41f/0x500 net/mptcp/pm.c:-1
mptcp_pm_worker+0x174/0x320 net/mptcp/pm.c:1002
mptcp_worker+0xd5/0x1170 net/mptcp/protocol.c:2762
process_one_work kernel/workqueue.c:3263 [inline]
process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
Allocated by task 44:
kasan_save_stack mm/kasan/common.c:56 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:77
poison_kmalloc_redzone mm/kasan/common.c:400 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:417
kasan_kmalloc include/linux/kasan.h:262 [inline]
__kmalloc_cache_noprof+0x1ef/0x6c0 mm/slub.c:5748
kmalloc_noprof include/linux/slab.h:957 [inline]
mptcp_pm_alloc_anno_list+0x104/0x460 net/mptcp/pm.c:385
mptcp_pm_create_subflow_or_signal_addr+0xf9d/0x1360 net/mptcp/pm_kernel.c:355
mptcp_pm_nl_fully_established net/mptcp/pm_kernel.c:409 [inline]
__mptcp_pm_kernel_worker+0x417/0x1ef0 net/mptcp/pm_kernel.c:1529
mptcp_pm_worker+0x1ee/0x320 net/mptcp/pm.c:1008
mptcp_worker+0xd5/0x1170 net/mptcp/protocol.c:2762
process_one_work kernel/workqueue.c:3263 [inline]
process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Freed by task 6630:
kasan_save_stack mm/kasan/common.c:56 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:77
__kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:587
kasan_save_free_info mm/kasan/kasan.h:406 [inline]
poison_slab_object m
---truncated---
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 00cfd77b9063dcdf3628a7087faba60de85a9cc8 Version: 00cfd77b9063dcdf3628a7087faba60de85a9cc8 Version: 00cfd77b9063dcdf3628a7087faba60de85a9cc8 Version: 00cfd77b9063dcdf3628a7087faba60de85a9cc8 Version: 00cfd77b9063dcdf3628a7087faba60de85a9cc8 Version: 00cfd77b9063dcdf3628a7087faba60de85a9cc8 Version: 00cfd77b9063dcdf3628a7087faba60de85a9cc8 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mptcp/pm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9be29f8e7ce4e147e56caac2c3a0ce3573cf9c17",
"status": "affected",
"version": "00cfd77b9063dcdf3628a7087faba60de85a9cc8",
"versionType": "git"
},
{
"lessThan": "e2d1ad207174a7cd7903dd27a00db4b2dfa6c64b",
"status": "affected",
"version": "00cfd77b9063dcdf3628a7087faba60de85a9cc8",
"versionType": "git"
},
{
"lessThan": "385ddc0f008f24d1e7d03be998b3a98a37bd29ff",
"status": "affected",
"version": "00cfd77b9063dcdf3628a7087faba60de85a9cc8",
"versionType": "git"
},
{
"lessThan": "c602cc344b4b8d41515fec3ffa98457ac963ee12",
"status": "affected",
"version": "00cfd77b9063dcdf3628a7087faba60de85a9cc8",
"versionType": "git"
},
{
"lessThan": "6d3275d4ca62e2c02e1b7e8cd32db59df91c14b7",
"status": "affected",
"version": "00cfd77b9063dcdf3628a7087faba60de85a9cc8",
"versionType": "git"
},
{
"lessThan": "bbbd75346c8e6490b19c2ba90f38ea66ccf352b2",
"status": "affected",
"version": "00cfd77b9063dcdf3628a7087faba60de85a9cc8",
"versionType": "git"
},
{
"lessThan": "426358d9be7ce3518966422f87b96f1bad27295f",
"status": "affected",
"version": "00cfd77b9063dcdf3628a7087faba60de85a9cc8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mptcp/pm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix a race in mptcp_pm_del_add_timer()\n\nmptcp_pm_del_add_timer() can call sk_stop_timer_sync(sk, \u0026entry-\u003eadd_timer)\nwhile another might have free entry already, as reported by syzbot.\n\nAdd RCU protection to fix this issue.\n\nAlso change confusing add_timer variable with stop_timer boolean.\n\nsyzbot report:\n\nBUG: KASAN: slab-use-after-free in __timer_delete_sync+0x372/0x3f0 kernel/time/timer.c:1616\nRead of size 4 at addr ffff8880311e4150 by task kworker/1:1/44\n\nCPU: 1 UID: 0 PID: 44 Comm: kworker/1:1 Not tainted syzkaller #0 PREEMPT_{RT,(full)}\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025\nWorkqueue: events mptcp_worker\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xca/0x240 mm/kasan/report.c:482\n kasan_report+0x118/0x150 mm/kasan/report.c:595\n __timer_delete_sync+0x372/0x3f0 kernel/time/timer.c:1616\n sk_stop_timer_sync+0x1b/0x90 net/core/sock.c:3631\n mptcp_pm_del_add_timer+0x283/0x310 net/mptcp/pm.c:362\n mptcp_incoming_options+0x1357/0x1f60 net/mptcp/options.c:1174\n tcp_data_queue+0xca/0x6450 net/ipv4/tcp_input.c:5361\n tcp_rcv_established+0x1335/0x2670 net/ipv4/tcp_input.c:6441\n tcp_v4_do_rcv+0x98b/0xbf0 net/ipv4/tcp_ipv4.c:1931\n tcp_v4_rcv+0x252a/0x2dc0 net/ipv4/tcp_ipv4.c:2374\n ip_protocol_deliver_rcu+0x221/0x440 net/ipv4/ip_input.c:205\n ip_local_deliver_finish+0x3bb/0x6f0 net/ipv4/ip_input.c:239\n NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318\n NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318\n __netif_receive_skb_one_core net/core/dev.c:6079 [inline]\n __netif_receive_skb+0x143/0x380 net/core/dev.c:6192\n process_backlog+0x31e/0x900 net/core/dev.c:6544\n __napi_poll+0xb6/0x540 net/core/dev.c:7594\n napi_poll net/core/dev.c:7657 [inline]\n net_rx_action+0x5f7/0xda0 net/core/dev.c:7784\n handle_softirqs+0x22f/0x710 kernel/softirq.c:622\n __do_softirq kernel/softirq.c:656 [inline]\n __local_bh_enable_ip+0x1a0/0x2e0 kernel/softirq.c:302\n mptcp_pm_send_ack net/mptcp/pm.c:210 [inline]\n mptcp_pm_addr_send_ack+0x41f/0x500 net/mptcp/pm.c:-1\n mptcp_pm_worker+0x174/0x320 net/mptcp/pm.c:1002\n mptcp_worker+0xd5/0x1170 net/mptcp/protocol.c:2762\n process_one_work kernel/workqueue.c:3263 [inline]\n process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346\n worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427\n kthread+0x711/0x8a0 kernel/kthread.c:463\n ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\n \u003c/TASK\u003e\n\nAllocated by task 44:\n kasan_save_stack mm/kasan/common.c:56 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:77\n poison_kmalloc_redzone mm/kasan/common.c:400 [inline]\n __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:417\n kasan_kmalloc include/linux/kasan.h:262 [inline]\n __kmalloc_cache_noprof+0x1ef/0x6c0 mm/slub.c:5748\n kmalloc_noprof include/linux/slab.h:957 [inline]\n mptcp_pm_alloc_anno_list+0x104/0x460 net/mptcp/pm.c:385\n mptcp_pm_create_subflow_or_signal_addr+0xf9d/0x1360 net/mptcp/pm_kernel.c:355\n mptcp_pm_nl_fully_established net/mptcp/pm_kernel.c:409 [inline]\n __mptcp_pm_kernel_worker+0x417/0x1ef0 net/mptcp/pm_kernel.c:1529\n mptcp_pm_worker+0x1ee/0x320 net/mptcp/pm.c:1008\n mptcp_worker+0xd5/0x1170 net/mptcp/protocol.c:2762\n process_one_work kernel/workqueue.c:3263 [inline]\n process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346\n worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427\n kthread+0x711/0x8a0 kernel/kthread.c:463\n ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\n\nFreed by task 6630:\n kasan_save_stack mm/kasan/common.c:56 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:77\n __kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:587\n kasan_save_free_info mm/kasan/kasan.h:406 [inline]\n poison_slab_object m\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T21:38:54.361Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9be29f8e7ce4e147e56caac2c3a0ce3573cf9c17"
},
{
"url": "https://git.kernel.org/stable/c/e2d1ad207174a7cd7903dd27a00db4b2dfa6c64b"
},
{
"url": "https://git.kernel.org/stable/c/385ddc0f008f24d1e7d03be998b3a98a37bd29ff"
},
{
"url": "https://git.kernel.org/stable/c/c602cc344b4b8d41515fec3ffa98457ac963ee12"
},
{
"url": "https://git.kernel.org/stable/c/6d3275d4ca62e2c02e1b7e8cd32db59df91c14b7"
},
{
"url": "https://git.kernel.org/stable/c/bbbd75346c8e6490b19c2ba90f38ea66ccf352b2"
},
{
"url": "https://git.kernel.org/stable/c/426358d9be7ce3518966422f87b96f1bad27295f"
}
],
"title": "mptcp: fix a race in mptcp_pm_del_add_timer()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40257",
"datePublished": "2025-12-04T16:08:18.433Z",
"dateReserved": "2025-04-16T07:20:57.182Z",
"dateUpdated": "2025-12-06T21:38:54.361Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71186 (GCVE-0-2025-71186)
Vulnerability from cvelistv5
Published
2026-01-31 11:41
Modified
2026-02-09 08:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: stm32: dmamux: fix device leak on route allocation
Make sure to drop the reference taken when looking up the DMA mux
platform device during route allocation.
Note that holding a reference to a device does not prevent its driver
data from going away so there is no point in keeping the reference.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: df7e762db5f6c8dbd9e480f1c9ef9851de346657 Version: df7e762db5f6c8dbd9e480f1c9ef9851de346657 Version: df7e762db5f6c8dbd9e480f1c9ef9851de346657 Version: df7e762db5f6c8dbd9e480f1c9ef9851de346657 Version: df7e762db5f6c8dbd9e480f1c9ef9851de346657 Version: df7e762db5f6c8dbd9e480f1c9ef9851de346657 Version: df7e762db5f6c8dbd9e480f1c9ef9851de346657 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/stm32/stm32-dmamux.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3b42020e6790a5e19b36c187ed5b488a5716f97f",
"status": "affected",
"version": "df7e762db5f6c8dbd9e480f1c9ef9851de346657",
"versionType": "git"
},
{
"lessThan": "6393da54dcb3488c080a183c4182ddec71ba8d7f",
"status": "affected",
"version": "df7e762db5f6c8dbd9e480f1c9ef9851de346657",
"versionType": "git"
},
{
"lessThan": "1dda2a32303df0091896b01a9d09070d61fa344c",
"status": "affected",
"version": "df7e762db5f6c8dbd9e480f1c9ef9851de346657",
"versionType": "git"
},
{
"lessThan": "1a179ac01ff3993ab97e33cc77c316ed7415cda1",
"status": "affected",
"version": "df7e762db5f6c8dbd9e480f1c9ef9851de346657",
"versionType": "git"
},
{
"lessThan": "2fb10259d4efb4367787b5ae9c94192e8a91c648",
"status": "affected",
"version": "df7e762db5f6c8dbd9e480f1c9ef9851de346657",
"versionType": "git"
},
{
"lessThan": "3ef52d31cce8ba816739085a61efe07b63c6cf27",
"status": "affected",
"version": "df7e762db5f6c8dbd9e480f1c9ef9851de346657",
"versionType": "git"
},
{
"lessThan": "dd6e4943889fb354efa3f700e42739da9bddb6ef",
"status": "affected",
"version": "df7e762db5f6c8dbd9e480f1c9ef9851de346657",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/stm32/stm32-dmamux.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: stm32: dmamux: fix device leak on route allocation\n\nMake sure to drop the reference taken when looking up the DMA mux\nplatform device during route allocation.\n\nNote that holding a reference to a device does not prevent its driver\ndata from going away so there is no point in keeping the reference."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:10.714Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3b42020e6790a5e19b36c187ed5b488a5716f97f"
},
{
"url": "https://git.kernel.org/stable/c/6393da54dcb3488c080a183c4182ddec71ba8d7f"
},
{
"url": "https://git.kernel.org/stable/c/1dda2a32303df0091896b01a9d09070d61fa344c"
},
{
"url": "https://git.kernel.org/stable/c/1a179ac01ff3993ab97e33cc77c316ed7415cda1"
},
{
"url": "https://git.kernel.org/stable/c/2fb10259d4efb4367787b5ae9c94192e8a91c648"
},
{
"url": "https://git.kernel.org/stable/c/3ef52d31cce8ba816739085a61efe07b63c6cf27"
},
{
"url": "https://git.kernel.org/stable/c/dd6e4943889fb354efa3f700e42739da9bddb6ef"
}
],
"title": "dmaengine: stm32: dmamux: fix device leak on route allocation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71186",
"datePublished": "2026-01-31T11:41:57.921Z",
"dateReserved": "2026-01-31T11:36:51.187Z",
"dateUpdated": "2026-02-09T08:36:10.714Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40167 (GCVE-0-2025-40167)
Vulnerability from cvelistv5
Published
2025-11-12 10:26
Modified
2026-01-02 15:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: detect invalid INLINE_DATA + EXTENTS flag combination
syzbot reported a BUG_ON in ext4_es_cache_extent() when opening a verity
file on a corrupted ext4 filesystem mounted without a journal.
The issue is that the filesystem has an inode with both the INLINE_DATA
and EXTENTS flags set:
EXT4-fs error (device loop0): ext4_cache_extents:545: inode #15:
comm syz.0.17: corrupted extent tree: lblk 0 < prev 66
Investigation revealed that the inode has both flags set:
DEBUG: inode 15 - flag=1, i_inline_off=164, has_inline=1, extents_flag=1
This is an invalid combination since an inode should have either:
- INLINE_DATA: data stored directly in the inode
- EXTENTS: data stored in extent-mapped blocks
Having both flags causes ext4_has_inline_data() to return true, skipping
extent tree validation in __ext4_iget(). The unvalidated out-of-order
extents then trigger a BUG_ON in ext4_es_cache_extent() due to integer
underflow when calculating hole sizes.
Fix this by detecting this invalid flag combination early in ext4_iget()
and rejecting the corrupted inode.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: f19d5870cbf72d4cb2a8e1f749dff97af99b071e Version: f19d5870cbf72d4cb2a8e1f749dff97af99b071e Version: f19d5870cbf72d4cb2a8e1f749dff97af99b071e Version: f19d5870cbf72d4cb2a8e1f749dff97af99b071e Version: f19d5870cbf72d4cb2a8e1f749dff97af99b071e Version: f19d5870cbf72d4cb2a8e1f749dff97af99b071e Version: f19d5870cbf72d4cb2a8e1f749dff97af99b071e Version: f19d5870cbf72d4cb2a8e1f749dff97af99b071e |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4954d297c91d292630ab43ba4d195dc371ce65d3",
"status": "affected",
"version": "f19d5870cbf72d4cb2a8e1f749dff97af99b071e",
"versionType": "git"
},
{
"lessThan": "f061f7c331fc16250fc82aa68964f35821687217",
"status": "affected",
"version": "f19d5870cbf72d4cb2a8e1f749dff97af99b071e",
"versionType": "git"
},
{
"lessThan": "2e9e10657b04152ed0d6ecae8d0c02a3405e28f5",
"status": "affected",
"version": "f19d5870cbf72d4cb2a8e1f749dff97af99b071e",
"versionType": "git"
},
{
"lessThan": "1437c95ab2a28b138d4521653583729f61ccb48b",
"status": "affected",
"version": "f19d5870cbf72d4cb2a8e1f749dff97af99b071e",
"versionType": "git"
},
{
"lessThan": "cb6039b68efa547b676a8a10fc4618d9d1865c23",
"status": "affected",
"version": "f19d5870cbf72d4cb2a8e1f749dff97af99b071e",
"versionType": "git"
},
{
"lessThan": "de985264eef64be8a90595908f2e6a87946dad34",
"status": "affected",
"version": "f19d5870cbf72d4cb2a8e1f749dff97af99b071e",
"versionType": "git"
},
{
"lessThan": "1f5ccd22ff482639133f2a0fe08f6d19d0e68717",
"status": "affected",
"version": "f19d5870cbf72d4cb2a8e1f749dff97af99b071e",
"versionType": "git"
},
{
"lessThan": "1d3ad183943b38eec2acf72a0ae98e635dc8456b",
"status": "affected",
"version": "f19d5870cbf72d4cb2a8e1f749dff97af99b071e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.196",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.114",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.196",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.114",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.55",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.5",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: detect invalid INLINE_DATA + EXTENTS flag combination\n\nsyzbot reported a BUG_ON in ext4_es_cache_extent() when opening a verity\nfile on a corrupted ext4 filesystem mounted without a journal.\n\nThe issue is that the filesystem has an inode with both the INLINE_DATA\nand EXTENTS flags set:\n\n EXT4-fs error (device loop0): ext4_cache_extents:545: inode #15:\n comm syz.0.17: corrupted extent tree: lblk 0 \u003c prev 66\n\nInvestigation revealed that the inode has both flags set:\n DEBUG: inode 15 - flag=1, i_inline_off=164, has_inline=1, extents_flag=1\n\nThis is an invalid combination since an inode should have either:\n- INLINE_DATA: data stored directly in the inode\n- EXTENTS: data stored in extent-mapped blocks\n\nHaving both flags causes ext4_has_inline_data() to return true, skipping\nextent tree validation in __ext4_iget(). The unvalidated out-of-order\nextents then trigger a BUG_ON in ext4_es_cache_extent() due to integer\nunderflow when calculating hole sizes.\n\nFix this by detecting this invalid flag combination early in ext4_iget()\nand rejecting the corrupted inode."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:06.804Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4954d297c91d292630ab43ba4d195dc371ce65d3"
},
{
"url": "https://git.kernel.org/stable/c/f061f7c331fc16250fc82aa68964f35821687217"
},
{
"url": "https://git.kernel.org/stable/c/2e9e10657b04152ed0d6ecae8d0c02a3405e28f5"
},
{
"url": "https://git.kernel.org/stable/c/1437c95ab2a28b138d4521653583729f61ccb48b"
},
{
"url": "https://git.kernel.org/stable/c/cb6039b68efa547b676a8a10fc4618d9d1865c23"
},
{
"url": "https://git.kernel.org/stable/c/de985264eef64be8a90595908f2e6a87946dad34"
},
{
"url": "https://git.kernel.org/stable/c/1f5ccd22ff482639133f2a0fe08f6d19d0e68717"
},
{
"url": "https://git.kernel.org/stable/c/1d3ad183943b38eec2acf72a0ae98e635dc8456b"
}
],
"title": "ext4: detect invalid INLINE_DATA + EXTENTS flag combination",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40167",
"datePublished": "2025-11-12T10:26:24.498Z",
"dateReserved": "2025-04-16T07:20:57.176Z",
"dateUpdated": "2026-01-02T15:33:06.804Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68339 (GCVE-0-2025-68339)
Vulnerability from cvelistv5
Published
2025-12-23 13:58
Modified
2025-12-23 13:58
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
atm/fore200e: Fix possible data race in fore200e_open()
Protect access to fore200e->available_cell_rate with rate_mtx lock in the
error handling path of fore200e_open() to prevent a data race.
The field fore200e->available_cell_rate is a shared resource used to track
available bandwidth. It is concurrently accessed by fore200e_open(),
fore200e_close(), and fore200e_change_qos().
In fore200e_open(), the lock rate_mtx is correctly held when subtracting
vcc->qos.txtp.max_pcr from available_cell_rate to reserve bandwidth.
However, if the subsequent call to fore200e_activate_vcin() fails, the
function restores the reserved bandwidth by adding back to
available_cell_rate without holding the lock.
This introduces a race condition because available_cell_rate is a global
device resource shared across all VCCs. If the error path in
fore200e_open() executes concurrently with operations like
fore200e_close() or fore200e_change_qos() on other VCCs, a
read-modify-write race occurs.
Specifically, the error path reads the rate without the lock. If another
CPU acquires the lock and modifies the rate (e.g., releasing bandwidth in
fore200e_close()) between this read and the subsequent write, the error
path will overwrite the concurrent update with a stale value. This results
in incorrect bandwidth accounting.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/atm/fore200e.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1b60f42a639999c37da7f1fbfa1ad29cf4cbdd2d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "bd1415efbab507b9b995918105eef953013449dd",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ed34c70d88e2b8b9bc6c3ede88751186d6c6d5d1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9917ba597cf95f307778e495f71ff25a5064d167",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "667ac868823224374f819500adc5baa2889c7bc5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6610361458e7eb6502dd3182f586f91fcc218039",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "82fca3d8a4a34667f01ec2351a607135249c9cff",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/atm/fore200e.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\natm/fore200e: Fix possible data race in fore200e_open()\n\nProtect access to fore200e-\u003eavailable_cell_rate with rate_mtx lock in the\nerror handling path of fore200e_open() to prevent a data race.\n\nThe field fore200e-\u003eavailable_cell_rate is a shared resource used to track\navailable bandwidth. It is concurrently accessed by fore200e_open(),\nfore200e_close(), and fore200e_change_qos().\n\nIn fore200e_open(), the lock rate_mtx is correctly held when subtracting\nvcc-\u003eqos.txtp.max_pcr from available_cell_rate to reserve bandwidth.\nHowever, if the subsequent call to fore200e_activate_vcin() fails, the\nfunction restores the reserved bandwidth by adding back to\navailable_cell_rate without holding the lock.\n\nThis introduces a race condition because available_cell_rate is a global\ndevice resource shared across all VCCs. If the error path in\nfore200e_open() executes concurrently with operations like\nfore200e_close() or fore200e_change_qos() on other VCCs, a\nread-modify-write race occurs.\n\nSpecifically, the error path reads the rate without the lock. If another\nCPU acquires the lock and modifies the rate (e.g., releasing bandwidth in\nfore200e_close()) between this read and the subsequent write, the error\npath will overwrite the concurrent update with a stale value. This results\nin incorrect bandwidth accounting."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-23T13:58:24.955Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1b60f42a639999c37da7f1fbfa1ad29cf4cbdd2d"
},
{
"url": "https://git.kernel.org/stable/c/bd1415efbab507b9b995918105eef953013449dd"
},
{
"url": "https://git.kernel.org/stable/c/ed34c70d88e2b8b9bc6c3ede88751186d6c6d5d1"
},
{
"url": "https://git.kernel.org/stable/c/9917ba597cf95f307778e495f71ff25a5064d167"
},
{
"url": "https://git.kernel.org/stable/c/667ac868823224374f819500adc5baa2889c7bc5"
},
{
"url": "https://git.kernel.org/stable/c/6610361458e7eb6502dd3182f586f91fcc218039"
},
{
"url": "https://git.kernel.org/stable/c/82fca3d8a4a34667f01ec2351a607135249c9cff"
}
],
"title": "atm/fore200e: Fix possible data race in fore200e_open()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68339",
"datePublished": "2025-12-23T13:58:24.955Z",
"dateReserved": "2025-12-16T14:48:05.297Z",
"dateUpdated": "2025-12-23T13:58:24.955Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23084 (GCVE-0-2026-23084)
Vulnerability from cvelistv5
Published
2026-02-04 16:08
Modified
2026-02-09 08:38
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
be2net: Fix NULL pointer dereference in be_cmd_get_mac_from_list
When the parameter pmac_id_valid argument of be_cmd_get_mac_from_list() is
set to false, the driver may request the PMAC_ID from the firmware of the
network card, and this function will store that PMAC_ID at the provided
address pmac_id. This is the contract of this function.
However, there is a location within the driver where both
pmac_id_valid == false and pmac_id == NULL are being passed. This could
result in dereferencing a NULL pointer.
To resolve this issue, it is necessary to pass the address of a stub
variable to the function.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 95046b927a54f461766f83a212c6a93bc5fd2e67 Version: 95046b927a54f461766f83a212c6a93bc5fd2e67 Version: 95046b927a54f461766f83a212c6a93bc5fd2e67 Version: 95046b927a54f461766f83a212c6a93bc5fd2e67 Version: 95046b927a54f461766f83a212c6a93bc5fd2e67 Version: 95046b927a54f461766f83a212c6a93bc5fd2e67 Version: 95046b927a54f461766f83a212c6a93bc5fd2e67 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/emulex/benet/be_cmds.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4cba480c9b9a3861a515262225cb53a1f5978344",
"status": "affected",
"version": "95046b927a54f461766f83a212c6a93bc5fd2e67",
"versionType": "git"
},
{
"lessThan": "92c6dc181a18e6e0ddb872ed35cb48a9274829e4",
"status": "affected",
"version": "95046b927a54f461766f83a212c6a93bc5fd2e67",
"versionType": "git"
},
{
"lessThan": "6c3e00888dbec887125a08b51a705b9b163fcdd1",
"status": "affected",
"version": "95046b927a54f461766f83a212c6a93bc5fd2e67",
"versionType": "git"
},
{
"lessThan": "e206fb415db36bad52bb90c08d46ce71ffbe8a80",
"status": "affected",
"version": "95046b927a54f461766f83a212c6a93bc5fd2e67",
"versionType": "git"
},
{
"lessThan": "47ffb4dcffe336f4a7bd0f3284be7aadc6484698",
"status": "affected",
"version": "95046b927a54f461766f83a212c6a93bc5fd2e67",
"versionType": "git"
},
{
"lessThan": "31410a01a86bcb98c798d01061abf1f789c4f75a",
"status": "affected",
"version": "95046b927a54f461766f83a212c6a93bc5fd2e67",
"versionType": "git"
},
{
"lessThan": "8215794403d264739cc676668087512950b2ff31",
"status": "affected",
"version": "95046b927a54f461766f83a212c6a93bc5fd2e67",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/emulex/benet/be_cmds.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.12"
},
{
"lessThan": "3.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbe2net: Fix NULL pointer dereference in be_cmd_get_mac_from_list\n\nWhen the parameter pmac_id_valid argument of be_cmd_get_mac_from_list() is\nset to false, the driver may request the PMAC_ID from the firmware of the\nnetwork card, and this function will store that PMAC_ID at the provided\naddress pmac_id. This is the contract of this function.\n\nHowever, there is a location within the driver where both\npmac_id_valid == false and pmac_id == NULL are being passed. This could\nresult in dereferencing a NULL pointer.\n\nTo resolve this issue, it is necessary to pass the address of a stub\nvariable to the function."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:38:24.077Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4cba480c9b9a3861a515262225cb53a1f5978344"
},
{
"url": "https://git.kernel.org/stable/c/92c6dc181a18e6e0ddb872ed35cb48a9274829e4"
},
{
"url": "https://git.kernel.org/stable/c/6c3e00888dbec887125a08b51a705b9b163fcdd1"
},
{
"url": "https://git.kernel.org/stable/c/e206fb415db36bad52bb90c08d46ce71ffbe8a80"
},
{
"url": "https://git.kernel.org/stable/c/47ffb4dcffe336f4a7bd0f3284be7aadc6484698"
},
{
"url": "https://git.kernel.org/stable/c/31410a01a86bcb98c798d01061abf1f789c4f75a"
},
{
"url": "https://git.kernel.org/stable/c/8215794403d264739cc676668087512950b2ff31"
}
],
"title": "be2net: Fix NULL pointer dereference in be_cmd_get_mac_from_list",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23084",
"datePublished": "2026-02-04T16:08:08.456Z",
"dateReserved": "2026-01-13T15:37:45.960Z",
"dateUpdated": "2026-02-09T08:38:24.077Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40043 (GCVE-0-2025-40043)
Vulnerability from cvelistv5
Published
2025-10-28 11:48
Modified
2025-12-01 06:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: nfc: nci: Add parameter validation for packet data
Syzbot reported an uninitialized value bug in nci_init_req, which was
introduced by commit 5aca7966d2a7 ("Merge tag
'perf-tools-fixes-for-v6.17-2025-09-16' of
git://git.kernel.org/pub/scm/linux/kernel/git/perf/perf-tools").
This bug arises due to very limited and poor input validation
that was done at nic_valid_size(). This validation only
validates the skb->len (directly reflects size provided at the
userspace interface) with the length provided in the buffer
itself (interpreted as NCI_HEADER). This leads to the processing
of memory content at the address assuming the correct layout
per what opcode requires there. This leads to the accesses to
buffer of `skb_buff->data` which is not assigned anything yet.
Following the same silent drop of packets of invalid sizes at
`nic_valid_size()`, add validation of the data in the respective
handlers and return error values in case of failure. Release
the skb if error values are returned from handlers in
`nci_nft_packet` and effectively do a silent drop
Possible TODO: because we silently drop the packets, the
call to `nci_request` will be waiting for completion of request
and will face timeouts. These timeouts can get excessively logged
in the dmesg. A proper handling of them may require to export
`nci_request_cancel` (or propagate error handling from the
nft packets handlers).
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 6a2968aaf50c7a22fced77a5e24aa636281efca8 Version: 6a2968aaf50c7a22fced77a5e24aa636281efca8 Version: 6a2968aaf50c7a22fced77a5e24aa636281efca8 Version: 6a2968aaf50c7a22fced77a5e24aa636281efca8 Version: 6a2968aaf50c7a22fced77a5e24aa636281efca8 Version: 6a2968aaf50c7a22fced77a5e24aa636281efca8 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/nfc/nci/ntf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8fcc7315a10a84264e55bb65ede10f0af20a983f",
"status": "affected",
"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8",
"versionType": "git"
},
{
"lessThan": "bfdda0123dde406dbff62e7e9136037e97998a15",
"status": "affected",
"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8",
"versionType": "git"
},
{
"lessThan": "0ba68bea1e356f466ad29449938bea12f5f3711f",
"status": "affected",
"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8",
"versionType": "git"
},
{
"lessThan": "74837bca0748763a77f77db47a0bdbe63b347628",
"status": "affected",
"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8",
"versionType": "git"
},
{
"lessThan": "c395d1e548cc68e84584ffa2e3ca9796a78bf7b9",
"status": "affected",
"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8",
"versionType": "git"
},
{
"lessThan": "9c328f54741bd5465ca1dc717c84c04242fac2e1",
"status": "affected",
"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/nfc/nci/ntf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.2"
},
{
"lessThan": "3.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: nfc: nci: Add parameter validation for packet data\n\nSyzbot reported an uninitialized value bug in nci_init_req, which was\nintroduced by commit 5aca7966d2a7 (\"Merge tag\n\u0027perf-tools-fixes-for-v6.17-2025-09-16\u0027 of\ngit://git.kernel.org/pub/scm/linux/kernel/git/perf/perf-tools\").\n\nThis bug arises due to very limited and poor input validation\nthat was done at nic_valid_size(). This validation only\nvalidates the skb-\u003elen (directly reflects size provided at the\nuserspace interface) with the length provided in the buffer\nitself (interpreted as NCI_HEADER). This leads to the processing\nof memory content at the address assuming the correct layout\nper what opcode requires there. This leads to the accesses to\nbuffer of `skb_buff-\u003edata` which is not assigned anything yet.\n\nFollowing the same silent drop of packets of invalid sizes at\n`nic_valid_size()`, add validation of the data in the respective\nhandlers and return error values in case of failure. Release\nthe skb if error values are returned from handlers in\n`nci_nft_packet` and effectively do a silent drop\n\nPossible TODO: because we silently drop the packets, the\ncall to `nci_request` will be waiting for completion of request\nand will face timeouts. These timeouts can get excessively logged\nin the dmesg. A proper handling of them may require to export\n`nci_request_cancel` (or propagate error handling from the\nnft packets handlers)."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:16:47.934Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8fcc7315a10a84264e55bb65ede10f0af20a983f"
},
{
"url": "https://git.kernel.org/stable/c/bfdda0123dde406dbff62e7e9136037e97998a15"
},
{
"url": "https://git.kernel.org/stable/c/0ba68bea1e356f466ad29449938bea12f5f3711f"
},
{
"url": "https://git.kernel.org/stable/c/74837bca0748763a77f77db47a0bdbe63b347628"
},
{
"url": "https://git.kernel.org/stable/c/c395d1e548cc68e84584ffa2e3ca9796a78bf7b9"
},
{
"url": "https://git.kernel.org/stable/c/9c328f54741bd5465ca1dc717c84c04242fac2e1"
}
],
"title": "net: nfc: nci: Add parameter validation for packet data",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40043",
"datePublished": "2025-10-28T11:48:22.230Z",
"dateReserved": "2025-04-16T07:20:57.154Z",
"dateUpdated": "2025-12-01T06:16:47.934Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23011 (GCVE-0-2026-23011)
Vulnerability from cvelistv5
Published
2026-01-25 14:36
Modified
2026-02-09 08:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv4: ip_gre: make ipgre_header() robust
Analog to commit db5b4e39c4e6 ("ip6_gre: make ip6gre_header() robust")
Over the years, syzbot found many ways to crash the kernel
in ipgre_header() [1].
This involves team or bonding drivers ability to dynamically
change their dev->needed_headroom and/or dev->hard_header_len
In this particular crash mld_newpack() allocated an skb
with a too small reserve/headroom, and by the time mld_sendpack()
was called, syzbot managed to attach an ipgre device.
[1]
skbuff: skb_under_panic: text:ffffffff89ea3cb7 len:2030915468 put:2030915372 head:ffff888058b43000 data:ffff887fdfa6e194 tail:0x120 end:0x6c0 dev:team0
kernel BUG at net/core/skbuff.c:213 !
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 1 UID: 0 PID: 1322 Comm: kworker/1:9 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Workqueue: mld mld_ifc_work
RIP: 0010:skb_panic+0x157/0x160 net/core/skbuff.c:213
Call Trace:
<TASK>
skb_under_panic net/core/skbuff.c:223 [inline]
skb_push+0xc3/0xe0 net/core/skbuff.c:2641
ipgre_header+0x67/0x290 net/ipv4/ip_gre.c:897
dev_hard_header include/linux/netdevice.h:3436 [inline]
neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618
NF_HOOK_COND include/linux/netfilter.h:307 [inline]
ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247
NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318
mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855
mld_send_cr net/ipv6/mcast.c:2154 [inline]
mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693
process_one_work kernel/workqueue.c:3257 [inline]
process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: c54419321455631079c7d6e60bc732dd0c5914c5 Version: c54419321455631079c7d6e60bc732dd0c5914c5 Version: c54419321455631079c7d6e60bc732dd0c5914c5 Version: c54419321455631079c7d6e60bc732dd0c5914c5 Version: c54419321455631079c7d6e60bc732dd0c5914c5 Version: c54419321455631079c7d6e60bc732dd0c5914c5 Version: c54419321455631079c7d6e60bc732dd0c5914c5 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/ip_gre.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "eeb9a521de40c6fadccc12fa5205e5a1b364d5a8",
"status": "affected",
"version": "c54419321455631079c7d6e60bc732dd0c5914c5",
"versionType": "git"
},
{
"lessThan": "8d5b6b2d79c1c22a5b0db1187a6439dff375a022",
"status": "affected",
"version": "c54419321455631079c7d6e60bc732dd0c5914c5",
"versionType": "git"
},
{
"lessThan": "2ecf0aa7cc262472a9599cc51ba02ada0897a17a",
"status": "affected",
"version": "c54419321455631079c7d6e60bc732dd0c5914c5",
"versionType": "git"
},
{
"lessThan": "06fe0801396a36cab865b34f666de1d65bc5ce8e",
"status": "affected",
"version": "c54419321455631079c7d6e60bc732dd0c5914c5",
"versionType": "git"
},
{
"lessThan": "aa57bfea4674e6da8104fa3a37760a6f5f255dad",
"status": "affected",
"version": "c54419321455631079c7d6e60bc732dd0c5914c5",
"versionType": "git"
},
{
"lessThan": "554201ed0a8f4d32e719f42caeaeb2735a9ed6ca",
"status": "affected",
"version": "c54419321455631079c7d6e60bc732dd0c5914c5",
"versionType": "git"
},
{
"lessThan": "e67c577d89894811ce4dcd1a9ed29d8b63476667",
"status": "affected",
"version": "c54419321455631079c7d6e60bc732dd0c5914c5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/ip_gre.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.10"
},
{
"lessThan": "3.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: ip_gre: make ipgre_header() robust\n\nAnalog to commit db5b4e39c4e6 (\"ip6_gre: make ip6gre_header() robust\")\n\nOver the years, syzbot found many ways to crash the kernel\nin ipgre_header() [1].\n\nThis involves team or bonding drivers ability to dynamically\nchange their dev-\u003eneeded_headroom and/or dev-\u003ehard_header_len\n\nIn this particular crash mld_newpack() allocated an skb\nwith a too small reserve/headroom, and by the time mld_sendpack()\nwas called, syzbot managed to attach an ipgre device.\n\n[1]\nskbuff: skb_under_panic: text:ffffffff89ea3cb7 len:2030915468 put:2030915372 head:ffff888058b43000 data:ffff887fdfa6e194 tail:0x120 end:0x6c0 dev:team0\n kernel BUG at net/core/skbuff.c:213 !\nOops: invalid opcode: 0000 [#1] SMP KASAN PTI\nCPU: 1 UID: 0 PID: 1322 Comm: kworker/1:9 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025\nWorkqueue: mld mld_ifc_work\n RIP: 0010:skb_panic+0x157/0x160 net/core/skbuff.c:213\nCall Trace:\n \u003cTASK\u003e\n skb_under_panic net/core/skbuff.c:223 [inline]\n skb_push+0xc3/0xe0 net/core/skbuff.c:2641\n ipgre_header+0x67/0x290 net/ipv4/ip_gre.c:897\n dev_hard_header include/linux/netdevice.h:3436 [inline]\n neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618\n NF_HOOK_COND include/linux/netfilter.h:307 [inline]\n ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247\n NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318\n mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855\n mld_send_cr net/ipv6/mcast.c:2154 [inline]\n mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693\n process_one_work kernel/workqueue.c:3257 [inline]\n process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340\n worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421\n kthread+0x711/0x8a0 kernel/kthread.c:463\n ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:37:04.481Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/eeb9a521de40c6fadccc12fa5205e5a1b364d5a8"
},
{
"url": "https://git.kernel.org/stable/c/8d5b6b2d79c1c22a5b0db1187a6439dff375a022"
},
{
"url": "https://git.kernel.org/stable/c/2ecf0aa7cc262472a9599cc51ba02ada0897a17a"
},
{
"url": "https://git.kernel.org/stable/c/06fe0801396a36cab865b34f666de1d65bc5ce8e"
},
{
"url": "https://git.kernel.org/stable/c/aa57bfea4674e6da8104fa3a37760a6f5f255dad"
},
{
"url": "https://git.kernel.org/stable/c/554201ed0a8f4d32e719f42caeaeb2735a9ed6ca"
},
{
"url": "https://git.kernel.org/stable/c/e67c577d89894811ce4dcd1a9ed29d8b63476667"
}
],
"title": "ipv4: ip_gre: make ipgre_header() robust",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23011",
"datePublished": "2026-01-25T14:36:24.455Z",
"dateReserved": "2026-01-13T15:37:45.939Z",
"dateUpdated": "2026-02-09T08:37:04.481Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40048 (GCVE-0-2025-40048)
Vulnerability from cvelistv5
Published
2025-10-28 11:48
Modified
2025-12-01 06:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
uio_hv_generic: Let userspace take care of interrupt mask
Remove the logic to set interrupt mask by default in uio_hv_generic
driver as the interrupt mask value is supposed to be controlled
completely by the user space. If the mask bit gets changed
by the driver, concurrently with user mode operating on the ring,
the mask bit may be set when it is supposed to be clear, and the
user-mode driver will miss an interrupt which will cause a hang.
For eg- when the driver sets inbound ring buffer interrupt mask to 1,
the host does not interrupt the guest on the UIO VMBus channel.
However, setting the mask does not prevent the host from putting a
message in the inbound ring buffer. So let’s assume that happens,
the host puts a message into the ring buffer but does not interrupt.
Subsequently, the user space code in the guest sets the inbound ring
buffer interrupt mask to 0, saying “Hey, I’m ready for interrupts”.
User space code then calls pread() to wait for an interrupt.
Then one of two things happens:
* The host never sends another message. So the pread() waits forever.
* The host does send another message. But because there’s already a
message in the ring buffer, it doesn’t generate an interrupt.
This is the correct behavior, because the host should only send an
interrupt when the inbound ring buffer transitions from empty to
not-empty. Adding an additional message to a ring buffer that is not
empty is not supposed to generate an interrupt on the guest.
Since the guest is waiting in pread() and not removing messages from
the ring buffer, the pread() waits forever.
This could be easily reproduced in hv_fcopy_uio_daemon if we delay
setting interrupt mask to 0.
Similarly if hv_uio_channel_cb() sets the interrupt_mask to 1,
there’s a race condition. Once user space empties the inbound ring
buffer, but before user space sets interrupt_mask to 0, the host could
put another message in the ring buffer but it wouldn’t interrupt.
Then the next pread() would hang.
Fix these by removing all instances where interrupt_mask is changed,
while keeping the one in set_event() unchanged to enable userspace
control the interrupt mask by writing 0/1 to /dev/uioX.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 95096f2fbd10186d3e78a328b327afc71428f65f Version: 95096f2fbd10186d3e78a328b327afc71428f65f Version: 95096f2fbd10186d3e78a328b327afc71428f65f Version: 95096f2fbd10186d3e78a328b327afc71428f65f Version: 95096f2fbd10186d3e78a328b327afc71428f65f Version: 95096f2fbd10186d3e78a328b327afc71428f65f Version: 95096f2fbd10186d3e78a328b327afc71428f65f Version: 95096f2fbd10186d3e78a328b327afc71428f65f |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/uio/uio_hv_generic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "540aac117eaea5723cef5e4cbf3035c4ac654d92",
"status": "affected",
"version": "95096f2fbd10186d3e78a328b327afc71428f65f",
"versionType": "git"
},
{
"lessThan": "65d40acd911c7011745cbbd2aaac34eb5266d11e",
"status": "affected",
"version": "95096f2fbd10186d3e78a328b327afc71428f65f",
"versionType": "git"
},
{
"lessThan": "a44f61f878f32071d6378e8dd7c2d47f9490c8f7",
"status": "affected",
"version": "95096f2fbd10186d3e78a328b327afc71428f65f",
"versionType": "git"
},
{
"lessThan": "01ce972e6f9974a7c76943bcb7e93746917db83a",
"status": "affected",
"version": "95096f2fbd10186d3e78a328b327afc71428f65f",
"versionType": "git"
},
{
"lessThan": "2af39ab5e6dc46b835a52e80a22d0cad430985e3",
"status": "affected",
"version": "95096f2fbd10186d3e78a328b327afc71428f65f",
"versionType": "git"
},
{
"lessThan": "37bd91f22794dc05436130d6983302cb90ecfe7e",
"status": "affected",
"version": "95096f2fbd10186d3e78a328b327afc71428f65f",
"versionType": "git"
},
{
"lessThan": "e29587c07537929684faa365027f4b0d87521e1b",
"status": "affected",
"version": "95096f2fbd10186d3e78a328b327afc71428f65f",
"versionType": "git"
},
{
"lessThan": "b15b7d2a1b09ef5428a8db260251897405a19496",
"status": "affected",
"version": "95096f2fbd10186d3e78a328b327afc71428f65f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/uio/uio_hv_generic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.10"
},
{
"lessThan": "4.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nuio_hv_generic: Let userspace take care of interrupt mask\n\nRemove the logic to set interrupt mask by default in uio_hv_generic\ndriver as the interrupt mask value is supposed to be controlled\ncompletely by the user space. If the mask bit gets changed\nby the driver, concurrently with user mode operating on the ring,\nthe mask bit may be set when it is supposed to be clear, and the\nuser-mode driver will miss an interrupt which will cause a hang.\n\nFor eg- when the driver sets inbound ring buffer interrupt mask to 1,\nthe host does not interrupt the guest on the UIO VMBus channel.\nHowever, setting the mask does not prevent the host from putting a\nmessage in the inbound ring buffer.\u00a0So let\u2019s assume that happens,\nthe host puts a message into the ring buffer but does not interrupt.\n\nSubsequently, the user space code in the guest sets the inbound ring\nbuffer interrupt mask to 0, saying \u201cHey, I\u2019m ready for interrupts\u201d.\nUser space code then calls pread() to wait for an interrupt.\nThen one of two things happens:\n\n* The host never sends another message. So the pread() waits forever.\n* The host does send another message. But because there\u2019s already a\n message in the ring buffer, it doesn\u2019t generate an interrupt.\n This is the correct behavior, because the host should only send an\n interrupt when the inbound ring buffer transitions from empty to\n not-empty. Adding an additional message to a ring buffer that is not\n empty is not supposed to generate an interrupt on the guest.\n Since the guest is waiting in pread() and not removing messages from\n the ring buffer, the pread() waits forever.\n\nThis could be easily reproduced in hv_fcopy_uio_daemon if we delay\nsetting interrupt mask to 0.\n\nSimilarly if hv_uio_channel_cb() sets the interrupt_mask to 1,\nthere\u2019s a race condition. Once user space empties the inbound ring\nbuffer, but before user space sets interrupt_mask to 0, the host could\nput another message in the ring buffer but it wouldn\u2019t interrupt.\nThen the next pread() would hang.\n\nFix these by removing all instances where interrupt_mask is changed,\nwhile keeping the one in set_event() unchanged to enable userspace\ncontrol the interrupt mask by writing 0/1 to /dev/uioX."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:16:53.799Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/540aac117eaea5723cef5e4cbf3035c4ac654d92"
},
{
"url": "https://git.kernel.org/stable/c/65d40acd911c7011745cbbd2aaac34eb5266d11e"
},
{
"url": "https://git.kernel.org/stable/c/a44f61f878f32071d6378e8dd7c2d47f9490c8f7"
},
{
"url": "https://git.kernel.org/stable/c/01ce972e6f9974a7c76943bcb7e93746917db83a"
},
{
"url": "https://git.kernel.org/stable/c/2af39ab5e6dc46b835a52e80a22d0cad430985e3"
},
{
"url": "https://git.kernel.org/stable/c/37bd91f22794dc05436130d6983302cb90ecfe7e"
},
{
"url": "https://git.kernel.org/stable/c/e29587c07537929684faa365027f4b0d87521e1b"
},
{
"url": "https://git.kernel.org/stable/c/b15b7d2a1b09ef5428a8db260251897405a19496"
}
],
"title": "uio_hv_generic: Let userspace take care of interrupt mask",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40048",
"datePublished": "2025-10-28T11:48:25.220Z",
"dateReserved": "2025-04-16T07:20:57.156Z",
"dateUpdated": "2025-12-01T06:16:53.799Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23404 (GCVE-0-2026-23404)
Vulnerability from cvelistv5
Published
2026-04-01 08:36
Modified
2026-04-18 08:58
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
apparmor: replace recursive profile removal with iterative approach
The profile removal code uses recursion when removing nested profiles,
which can lead to kernel stack exhaustion and system crashes.
Reproducer:
$ pf='a'; for ((i=0; i<1024; i++)); do
echo -e "profile $pf { \n }" | apparmor_parser -K -a;
pf="$pf//x";
done
$ echo -n a > /sys/kernel/security/apparmor/.remove
Replace the recursive __aa_profile_list_release() approach with an
iterative approach in __remove_profile(). The function repeatedly
finds and removes leaf profiles until the entire subtree is removed,
maintaining the same removal semantic without recursion.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: c88d4c7b049e87998ac0a9f455aa545cc895ef92 Version: c88d4c7b049e87998ac0a9f455aa545cc895ef92 Version: c88d4c7b049e87998ac0a9f455aa545cc895ef92 Version: c88d4c7b049e87998ac0a9f455aa545cc895ef92 Version: c88d4c7b049e87998ac0a9f455aa545cc895ef92 Version: c88d4c7b049e87998ac0a9f455aa545cc895ef92 Version: c88d4c7b049e87998ac0a9f455aa545cc895ef92 Version: c88d4c7b049e87998ac0a9f455aa545cc895ef92 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"security/apparmor/policy.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ea854f032190cc9f26dc4a0e727090c89e55e342",
"status": "affected",
"version": "c88d4c7b049e87998ac0a9f455aa545cc895ef92",
"versionType": "git"
},
{
"lessThan": "4fdc847b107321dec22bf8ecd6019b7af76d7886",
"status": "affected",
"version": "c88d4c7b049e87998ac0a9f455aa545cc895ef92",
"versionType": "git"
},
{
"lessThan": "b36a04284d0208be94e5e401409caa00e2bf1be1",
"status": "affected",
"version": "c88d4c7b049e87998ac0a9f455aa545cc895ef92",
"versionType": "git"
},
{
"lessThan": "33959a491e9fd557abfa5fce5ae4637d400915d3",
"status": "affected",
"version": "c88d4c7b049e87998ac0a9f455aa545cc895ef92",
"versionType": "git"
},
{
"lessThan": "999bd704b0b641527a5ed46f0d969deff8cfa68b",
"status": "affected",
"version": "c88d4c7b049e87998ac0a9f455aa545cc895ef92",
"versionType": "git"
},
{
"lessThan": "7eade846e013cbe8d2dc4a484463aa19e6515c7f",
"status": "affected",
"version": "c88d4c7b049e87998ac0a9f455aa545cc895ef92",
"versionType": "git"
},
{
"lessThan": "a6a941a1294ac5abe22053dc501d25aed96e48fe",
"status": "affected",
"version": "c88d4c7b049e87998ac0a9f455aa545cc895ef92",
"versionType": "git"
},
{
"lessThan": "ab09264660f9de5d05d1ef4e225aa447c63a8747",
"status": "affected",
"version": "c88d4c7b049e87998ac0a9f455aa545cc895ef92",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"security/apparmor/policy.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.36"
},
{
"lessThan": "2.6.36",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.18",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.8",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.36",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: replace recursive profile removal with iterative approach\n\nThe profile removal code uses recursion when removing nested profiles,\nwhich can lead to kernel stack exhaustion and system crashes.\n\nReproducer:\n $ pf=\u0027a\u0027; for ((i=0; i\u003c1024; i++)); do\n echo -e \"profile $pf { \\n }\" | apparmor_parser -K -a;\n pf=\"$pf//x\";\n done\n $ echo -n a \u003e /sys/kernel/security/apparmor/.remove\n\nReplace the recursive __aa_profile_list_release() approach with an\niterative approach in __remove_profile(). The function repeatedly\nfinds and removes leaf profiles until the entire subtree is removed,\nmaintaining the same removal semantic without recursion."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:58:37.883Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ea854f032190cc9f26dc4a0e727090c89e55e342"
},
{
"url": "https://git.kernel.org/stable/c/4fdc847b107321dec22bf8ecd6019b7af76d7886"
},
{
"url": "https://git.kernel.org/stable/c/b36a04284d0208be94e5e401409caa00e2bf1be1"
},
{
"url": "https://git.kernel.org/stable/c/33959a491e9fd557abfa5fce5ae4637d400915d3"
},
{
"url": "https://git.kernel.org/stable/c/999bd704b0b641527a5ed46f0d969deff8cfa68b"
},
{
"url": "https://git.kernel.org/stable/c/7eade846e013cbe8d2dc4a484463aa19e6515c7f"
},
{
"url": "https://git.kernel.org/stable/c/a6a941a1294ac5abe22053dc501d25aed96e48fe"
},
{
"url": "https://git.kernel.org/stable/c/ab09264660f9de5d05d1ef4e225aa447c63a8747"
}
],
"title": "apparmor: replace recursive profile removal with iterative approach",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23404",
"datePublished": "2026-04-01T08:36:35.032Z",
"dateReserved": "2026-01-13T15:37:46.012Z",
"dateUpdated": "2026-04-18T08:58:37.883Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71190 (GCVE-0-2025-71190)
Vulnerability from cvelistv5
Published
2026-01-31 11:42
Modified
2026-02-09 08:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: bcm-sba-raid: fix device leak on probe
Make sure to drop the reference taken when looking up the mailbox device
during probe on probe failures and on driver unbind.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 743e1c8ffe4ee5dd7596556dcc3f022ccde13d7b Version: 743e1c8ffe4ee5dd7596556dcc3f022ccde13d7b Version: 743e1c8ffe4ee5dd7596556dcc3f022ccde13d7b Version: 743e1c8ffe4ee5dd7596556dcc3f022ccde13d7b Version: 743e1c8ffe4ee5dd7596556dcc3f022ccde13d7b Version: 743e1c8ffe4ee5dd7596556dcc3f022ccde13d7b Version: 743e1c8ffe4ee5dd7596556dcc3f022ccde13d7b |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/bcm-sba-raid.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4316e4c4fd2c09f68a262365f21847cafa8fe9dd",
"status": "affected",
"version": "743e1c8ffe4ee5dd7596556dcc3f022ccde13d7b",
"versionType": "git"
},
{
"lessThan": "4730f12a192d7314119b3d8331611ab151b87bdf",
"status": "affected",
"version": "743e1c8ffe4ee5dd7596556dcc3f022ccde13d7b",
"versionType": "git"
},
{
"lessThan": "bc98e68adfef3b25c06ff08f0808bb59f787420c",
"status": "affected",
"version": "743e1c8ffe4ee5dd7596556dcc3f022ccde13d7b",
"versionType": "git"
},
{
"lessThan": "c80ca7bdff158401440741bdcf9175bd8608580b",
"status": "affected",
"version": "743e1c8ffe4ee5dd7596556dcc3f022ccde13d7b",
"versionType": "git"
},
{
"lessThan": "db6f1d6d31711e73e6a214c73e6a8fb4cda0483d",
"status": "affected",
"version": "743e1c8ffe4ee5dd7596556dcc3f022ccde13d7b",
"versionType": "git"
},
{
"lessThan": "2ed1a9de1f2d727ccae5bc9cc7c63ee3519c0c8b",
"status": "affected",
"version": "743e1c8ffe4ee5dd7596556dcc3f022ccde13d7b",
"versionType": "git"
},
{
"lessThan": "7c3a46ebf15a9796b763a54272407fdbf945bed8",
"status": "affected",
"version": "743e1c8ffe4ee5dd7596556dcc3f022ccde13d7b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/bcm-sba-raid.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: bcm-sba-raid: fix device leak on probe\n\nMake sure to drop the reference taken when looking up the mailbox device\nduring probe on probe failures and on driver unbind."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:14.927Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4316e4c4fd2c09f68a262365f21847cafa8fe9dd"
},
{
"url": "https://git.kernel.org/stable/c/4730f12a192d7314119b3d8331611ab151b87bdf"
},
{
"url": "https://git.kernel.org/stable/c/bc98e68adfef3b25c06ff08f0808bb59f787420c"
},
{
"url": "https://git.kernel.org/stable/c/c80ca7bdff158401440741bdcf9175bd8608580b"
},
{
"url": "https://git.kernel.org/stable/c/db6f1d6d31711e73e6a214c73e6a8fb4cda0483d"
},
{
"url": "https://git.kernel.org/stable/c/2ed1a9de1f2d727ccae5bc9cc7c63ee3519c0c8b"
},
{
"url": "https://git.kernel.org/stable/c/7c3a46ebf15a9796b763a54272407fdbf945bed8"
}
],
"title": "dmaengine: bcm-sba-raid: fix device leak on probe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71190",
"datePublished": "2026-01-31T11:42:01.092Z",
"dateReserved": "2026-01-31T11:36:51.189Z",
"dateUpdated": "2026-02-09T08:36:14.927Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-21735 (GCVE-0-2025-21735)
Vulnerability from cvelistv5
Published
2025-02-27 02:12
Modified
2025-11-03 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
NFC: nci: Add bounds checking in nci_hci_create_pipe()
The "pipe" variable is a u8 which comes from the network. If it's more
than 127, then it results in memory corruption in the caller,
nci_hci_connect_gate().
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: a1b0b9415817c14d207921582f269d03f848b69f Version: a1b0b9415817c14d207921582f269d03f848b69f Version: a1b0b9415817c14d207921582f269d03f848b69f Version: a1b0b9415817c14d207921582f269d03f848b69f Version: a1b0b9415817c14d207921582f269d03f848b69f Version: a1b0b9415817c14d207921582f269d03f848b69f Version: a1b0b9415817c14d207921582f269d03f848b69f Version: a1b0b9415817c14d207921582f269d03f848b69f |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:36:40.328Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/nfc/nci/hci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bd249109d266f1d52548c46634a15b71656e0d44",
"status": "affected",
"version": "a1b0b9415817c14d207921582f269d03f848b69f",
"versionType": "git"
},
{
"lessThan": "674e17c5933779a8bf5c15d596fdfcb5ccdebbc2",
"status": "affected",
"version": "a1b0b9415817c14d207921582f269d03f848b69f",
"versionType": "git"
},
{
"lessThan": "10b3f947b609713e04022101f492d288a014ddfa",
"status": "affected",
"version": "a1b0b9415817c14d207921582f269d03f848b69f",
"versionType": "git"
},
{
"lessThan": "d5a461c315e5ff92657f84d8ba50caa5abf5c22a",
"status": "affected",
"version": "a1b0b9415817c14d207921582f269d03f848b69f",
"versionType": "git"
},
{
"lessThan": "172cdfc3a5ea20289c58fb73dadc6fd4a8784a4e",
"status": "affected",
"version": "a1b0b9415817c14d207921582f269d03f848b69f",
"versionType": "git"
},
{
"lessThan": "2ae4bade5a64d126bd18eb66bd419005c5550218",
"status": "affected",
"version": "a1b0b9415817c14d207921582f269d03f848b69f",
"versionType": "git"
},
{
"lessThan": "59c7ed20217c0939862fbf8145bc49d5b3a13f4f",
"status": "affected",
"version": "a1b0b9415817c14d207921582f269d03f848b69f",
"versionType": "git"
},
{
"lessThan": "110b43ef05342d5a11284cc8b21582b698b4ef1c",
"status": "affected",
"version": "a1b0b9415817c14d207921582f269d03f848b69f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/nfc/nci/hci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.4"
},
{
"lessThan": "4.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.78",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.14",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.3",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "4.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFC: nci: Add bounds checking in nci_hci_create_pipe()\n\nThe \"pipe\" variable is a u8 which comes from the network. If it\u0027s more\nthan 127, then it results in memory corruption in the caller,\nnci_hci_connect_gate()."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:20:02.409Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bd249109d266f1d52548c46634a15b71656e0d44"
},
{
"url": "https://git.kernel.org/stable/c/674e17c5933779a8bf5c15d596fdfcb5ccdebbc2"
},
{
"url": "https://git.kernel.org/stable/c/10b3f947b609713e04022101f492d288a014ddfa"
},
{
"url": "https://git.kernel.org/stable/c/d5a461c315e5ff92657f84d8ba50caa5abf5c22a"
},
{
"url": "https://git.kernel.org/stable/c/172cdfc3a5ea20289c58fb73dadc6fd4a8784a4e"
},
{
"url": "https://git.kernel.org/stable/c/2ae4bade5a64d126bd18eb66bd419005c5550218"
},
{
"url": "https://git.kernel.org/stable/c/59c7ed20217c0939862fbf8145bc49d5b3a13f4f"
},
{
"url": "https://git.kernel.org/stable/c/110b43ef05342d5a11284cc8b21582b698b4ef1c"
}
],
"title": "NFC: nci: Add bounds checking in nci_hci_create_pipe()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21735",
"datePublished": "2025-02-27T02:12:12.202Z",
"dateReserved": "2024-12-29T08:45:45.756Z",
"dateUpdated": "2025-11-03T19:36:40.328Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40314 (GCVE-0-2025-40314)
Vulnerability from cvelistv5
Published
2025-12-08 00:46
Modified
2025-12-20 08:52
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: cdns3: gadget: Use-after-free during failed initialization and exit of cdnsp gadget
In the __cdnsp_gadget_init() and cdnsp_gadget_exit() functions, the gadget
structure (pdev->gadget) was freed before its endpoints.
The endpoints are linked via the ep_list in the gadget structure.
Freeing the gadget first leaves dangling pointers in the endpoint list.
When the endpoints are subsequently freed, this results in a use-after-free.
Fix:
By separating the usb_del_gadget_udc() operation into distinct "del" and
"put" steps, cdnsp_gadget_free_endpoints() can be executed prior to the
final release of the gadget structure with usb_put_gadget().
A patch similar to bb9c74a5bd14("usb: dwc3: gadget: Free gadget structure
only after freeing endpoints").
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 8bc1901ca7b07d864fca11461b3875b31f949765 Version: 8bc1901ca7b07d864fca11461b3875b31f949765 Version: 8bc1901ca7b07d864fca11461b3875b31f949765 Version: 8bc1901ca7b07d864fca11461b3875b31f949765 Version: 8bc1901ca7b07d864fca11461b3875b31f949765 Version: 8bc1901ca7b07d864fca11461b3875b31f949765 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/cdns3/cdnsp-gadget.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0cf9a50af91fbdac3849f8d950e883a3eaa3ecea",
"status": "affected",
"version": "8bc1901ca7b07d864fca11461b3875b31f949765",
"versionType": "git"
},
{
"lessThan": "37158ce6ba964b62d1e3eebd11f03c6900a52dd1",
"status": "affected",
"version": "8bc1901ca7b07d864fca11461b3875b31f949765",
"versionType": "git"
},
{
"lessThan": "ea37884097a0931abb8e11e40eacfb25e9fdb5e9",
"status": "affected",
"version": "8bc1901ca7b07d864fca11461b3875b31f949765",
"versionType": "git"
},
{
"lessThan": "9c52f01429c377a2d32cafc977465f37b5384f77",
"status": "affected",
"version": "8bc1901ca7b07d864fca11461b3875b31f949765",
"versionType": "git"
},
{
"lessThan": "fdf573c517627a96f5040f988e9b21267806be5c",
"status": "affected",
"version": "8bc1901ca7b07d864fca11461b3875b31f949765",
"versionType": "git"
},
{
"lessThan": "87c5ff5615dc0a37167e8faf3adeeddc6f1344a3",
"status": "affected",
"version": "8bc1901ca7b07d864fca11461b3875b31f949765",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/cdns3/cdnsp-gadget.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"lessThan": "5.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: cdns3: gadget: Use-after-free during failed initialization and exit of cdnsp gadget\n\nIn the __cdnsp_gadget_init() and cdnsp_gadget_exit() functions, the gadget\nstructure (pdev-\u003egadget) was freed before its endpoints.\nThe endpoints are linked via the ep_list in the gadget structure.\nFreeing the gadget first leaves dangling pointers in the endpoint list.\nWhen the endpoints are subsequently freed, this results in a use-after-free.\n\nFix:\nBy separating the usb_del_gadget_udc() operation into distinct \"del\" and\n\"put\" steps, cdnsp_gadget_free_endpoints() can be executed prior to the\nfinal release of the gadget structure with usb_put_gadget().\n\nA patch similar to bb9c74a5bd14(\"usb: dwc3: gadget: Free gadget structure\n only after freeing endpoints\")."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-20T08:52:04.254Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0cf9a50af91fbdac3849f8d950e883a3eaa3ecea"
},
{
"url": "https://git.kernel.org/stable/c/37158ce6ba964b62d1e3eebd11f03c6900a52dd1"
},
{
"url": "https://git.kernel.org/stable/c/ea37884097a0931abb8e11e40eacfb25e9fdb5e9"
},
{
"url": "https://git.kernel.org/stable/c/9c52f01429c377a2d32cafc977465f37b5384f77"
},
{
"url": "https://git.kernel.org/stable/c/fdf573c517627a96f5040f988e9b21267806be5c"
},
{
"url": "https://git.kernel.org/stable/c/87c5ff5615dc0a37167e8faf3adeeddc6f1344a3"
}
],
"title": "usb: cdns3: gadget: Use-after-free during failed initialization and exit of cdnsp gadget",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40314",
"datePublished": "2025-12-08T00:46:40.576Z",
"dateReserved": "2025-04-16T07:20:57.185Z",
"dateUpdated": "2025-12-20T08:52:04.254Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39969 (GCVE-0-2025-39969)
Vulnerability from cvelistv5
Published
2025-10-15 07:55
Modified
2025-10-15 07:55
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
i40e: fix validation of VF state in get resources
VF state I40E_VF_STATE_ACTIVE is not the only state in which
VF is actually active so it should not be used to determine
if a VF is allowed to obtain resources.
Use I40E_VF_STATE_RESOURCES_LOADED that is set only in
i40e_vc_get_vf_resources_msg() and cleared during reset.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 171527da84149c2c7aa6a60a64b09d24f3546298 Version: eb87117c27e729b0aeef4d72ed40d6a1761b0f68 Version: 2132643b956f553f5abddc9bae20dae267b082e0 Version: 61125b8be85dfbc7e9c7fe1cc6c6d631ab603516 Version: 61125b8be85dfbc7e9c7fe1cc6c6d631ab603516 Version: 61125b8be85dfbc7e9c7fe1cc6c6d631ab603516 Version: 61125b8be85dfbc7e9c7fe1cc6c6d631ab603516 Version: 61125b8be85dfbc7e9c7fe1cc6c6d631ab603516 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c",
"drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "185745d56ec958bf8aa773828213237dfcc32f5a",
"status": "affected",
"version": "171527da84149c2c7aa6a60a64b09d24f3546298",
"versionType": "git"
},
{
"lessThan": "f47876788a23de296c42ef9d505b5c1630f0b4b8",
"status": "affected",
"version": "eb87117c27e729b0aeef4d72ed40d6a1761b0f68",
"versionType": "git"
},
{
"lessThan": "8e35c80f8570426fe0f0cc92b151ebd835975f22",
"status": "affected",
"version": "2132643b956f553f5abddc9bae20dae267b082e0",
"versionType": "git"
},
{
"lessThan": "6c3981fd59ef11a75005ac9978f034da5a168b6a",
"status": "affected",
"version": "61125b8be85dfbc7e9c7fe1cc6c6d631ab603516",
"versionType": "git"
},
{
"lessThan": "e748f1ee493f88e38b77363a60499f979d42c58a",
"status": "affected",
"version": "61125b8be85dfbc7e9c7fe1cc6c6d631ab603516",
"versionType": "git"
},
{
"lessThan": "6128bbc7adc25c87c2f64b5eb66a280b78ef7ab7",
"status": "affected",
"version": "61125b8be85dfbc7e9c7fe1cc6c6d631ab603516",
"versionType": "git"
},
{
"lessThan": "a991dc56d3e9a2c3db87d0c3f03c24f6595400f1",
"status": "affected",
"version": "61125b8be85dfbc7e9c7fe1cc6c6d631ab603516",
"versionType": "git"
},
{
"lessThan": "877b7e6ffc23766448236e8732254534c518ba42",
"status": "affected",
"version": "61125b8be85dfbc7e9c7fe1cc6c6d631ab603516",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c",
"drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.155",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.50",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "5.4.165",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "5.10.85",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "5.15.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.155",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.109",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: fix validation of VF state in get resources\n\nVF state I40E_VF_STATE_ACTIVE is not the only state in which\nVF is actually active so it should not be used to determine\nif a VF is allowed to obtain resources.\n\nUse I40E_VF_STATE_RESOURCES_LOADED that is set only in\ni40e_vc_get_vf_resources_msg() and cleared during reset."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T07:55:52.948Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/185745d56ec958bf8aa773828213237dfcc32f5a"
},
{
"url": "https://git.kernel.org/stable/c/f47876788a23de296c42ef9d505b5c1630f0b4b8"
},
{
"url": "https://git.kernel.org/stable/c/8e35c80f8570426fe0f0cc92b151ebd835975f22"
},
{
"url": "https://git.kernel.org/stable/c/6c3981fd59ef11a75005ac9978f034da5a168b6a"
},
{
"url": "https://git.kernel.org/stable/c/e748f1ee493f88e38b77363a60499f979d42c58a"
},
{
"url": "https://git.kernel.org/stable/c/6128bbc7adc25c87c2f64b5eb66a280b78ef7ab7"
},
{
"url": "https://git.kernel.org/stable/c/a991dc56d3e9a2c3db87d0c3f03c24f6595400f1"
},
{
"url": "https://git.kernel.org/stable/c/877b7e6ffc23766448236e8732254534c518ba42"
}
],
"title": "i40e: fix validation of VF state in get resources",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39969",
"datePublished": "2025-10-15T07:55:52.948Z",
"dateReserved": "2025-04-16T07:20:57.149Z",
"dateUpdated": "2025-10-15T07:55:52.948Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-71105 (GCVE-0-2025-71105)
Vulnerability from cvelistv5
Published
2026-01-14 15:05
Modified
2026-02-09 08:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
f2fs: use global inline_xattr_slab instead of per-sb slab cache
As Hong Yun reported in mailing list:
loop7: detected capacity change from 0 to 131072
------------[ cut here ]------------
kmem_cache of name 'f2fs_xattr_entry-7:7' already exists
WARNING: CPU: 0 PID: 24426 at mm/slab_common.c:110 kmem_cache_sanity_check mm/slab_common.c:109 [inline]
WARNING: CPU: 0 PID: 24426 at mm/slab_common.c:110 __kmem_cache_create_args+0xa6/0x320 mm/slab_common.c:307
CPU: 0 UID: 0 PID: 24426 Comm: syz.7.1370 Not tainted 6.17.0-rc4 #1 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:kmem_cache_sanity_check mm/slab_common.c:109 [inline]
RIP: 0010:__kmem_cache_create_args+0xa6/0x320 mm/slab_common.c:307
Call Trace:
__kmem_cache_create include/linux/slab.h:353 [inline]
f2fs_kmem_cache_create fs/f2fs/f2fs.h:2943 [inline]
f2fs_init_xattr_caches+0xa5/0xe0 fs/f2fs/xattr.c:843
f2fs_fill_super+0x1645/0x2620 fs/f2fs/super.c:4918
get_tree_bdev_flags+0x1fb/0x260 fs/super.c:1692
vfs_get_tree+0x43/0x140 fs/super.c:1815
do_new_mount+0x201/0x550 fs/namespace.c:3808
do_mount fs/namespace.c:4136 [inline]
__do_sys_mount fs/namespace.c:4347 [inline]
__se_sys_mount+0x298/0x2f0 fs/namespace.c:4324
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x8e/0x3a0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x76/0x7e
The bug can be reproduced w/ below scripts:
- mount /dev/vdb /mnt1
- mount /dev/vdc /mnt2
- umount /mnt1
- mounnt /dev/vdb /mnt1
The reason is if we created two slab caches, named f2fs_xattr_entry-7:3
and f2fs_xattr_entry-7:7, and they have the same slab size. Actually,
slab system will only create one slab cache core structure which has
slab name of "f2fs_xattr_entry-7:3", and two slab caches share the same
structure and cache address.
So, if we destroy f2fs_xattr_entry-7:3 cache w/ cache address, it will
decrease reference count of slab cache, rather than release slab cache
entirely, since there is one more user has referenced the cache.
Then, if we try to create slab cache w/ name "f2fs_xattr_entry-7:3" again,
slab system will find that there is existed cache which has the same name
and trigger the warning.
Let's changes to use global inline_xattr_slab instead of per-sb slab cache
for fixing.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: a999150f4fe3abbb7efd05411fd5b460be699943 Version: a999150f4fe3abbb7efd05411fd5b460be699943 Version: a999150f4fe3abbb7efd05411fd5b460be699943 Version: a999150f4fe3abbb7efd05411fd5b460be699943 Version: a999150f4fe3abbb7efd05411fd5b460be699943 Version: a999150f4fe3abbb7efd05411fd5b460be699943 Version: a999150f4fe3abbb7efd05411fd5b460be699943 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/f2fs/f2fs.h",
"fs/f2fs/super.c",
"fs/f2fs/xattr.c",
"fs/f2fs/xattr.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "93d30fe19660dec6bf1bd3d5c186c1c737b21aa5",
"status": "affected",
"version": "a999150f4fe3abbb7efd05411fd5b460be699943",
"versionType": "git"
},
{
"lessThan": "474cc3ed37436ddfd63cac8dbffe3b1e219e9100",
"status": "affected",
"version": "a999150f4fe3abbb7efd05411fd5b460be699943",
"versionType": "git"
},
{
"lessThan": "72ce19dfed162da6e430467333b2da70471d08a4",
"status": "affected",
"version": "a999150f4fe3abbb7efd05411fd5b460be699943",
"versionType": "git"
},
{
"lessThan": "be4c3a3c6c2304a8fcd14095d18d26f0cc4e222a",
"status": "affected",
"version": "a999150f4fe3abbb7efd05411fd5b460be699943",
"versionType": "git"
},
{
"lessThan": "1eb0b130196bcbc56c5c80c83139fa70c0aa82c5",
"status": "affected",
"version": "a999150f4fe3abbb7efd05411fd5b460be699943",
"versionType": "git"
},
{
"lessThan": "e6d828eae00ec192e18c2ddaa2fd32050a96048a",
"status": "affected",
"version": "a999150f4fe3abbb7efd05411fd5b460be699943",
"versionType": "git"
},
{
"lessThan": "1f27ef42bb0b7c0740c5616ec577ec188b8a1d05",
"status": "affected",
"version": "a999150f4fe3abbb7efd05411fd5b460be699943",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/f2fs/f2fs.h",
"fs/f2fs/super.c",
"fs/f2fs/xattr.c",
"fs/f2fs/xattr.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: use global inline_xattr_slab instead of per-sb slab cache\n\nAs Hong Yun reported in mailing list:\n\nloop7: detected capacity change from 0 to 131072\n------------[ cut here ]------------\nkmem_cache of name \u0027f2fs_xattr_entry-7:7\u0027 already exists\nWARNING: CPU: 0 PID: 24426 at mm/slab_common.c:110 kmem_cache_sanity_check mm/slab_common.c:109 [inline]\nWARNING: CPU: 0 PID: 24426 at mm/slab_common.c:110 __kmem_cache_create_args+0xa6/0x320 mm/slab_common.c:307\nCPU: 0 UID: 0 PID: 24426 Comm: syz.7.1370 Not tainted 6.17.0-rc4 #1 PREEMPT(full)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014\nRIP: 0010:kmem_cache_sanity_check mm/slab_common.c:109 [inline]\nRIP: 0010:__kmem_cache_create_args+0xa6/0x320 mm/slab_common.c:307\nCall Trace:\n\u00a0__kmem_cache_create include/linux/slab.h:353 [inline]\n\u00a0f2fs_kmem_cache_create fs/f2fs/f2fs.h:2943 [inline]\n\u00a0f2fs_init_xattr_caches+0xa5/0xe0 fs/f2fs/xattr.c:843\n\u00a0f2fs_fill_super+0x1645/0x2620 fs/f2fs/super.c:4918\n\u00a0get_tree_bdev_flags+0x1fb/0x260 fs/super.c:1692\n\u00a0vfs_get_tree+0x43/0x140 fs/super.c:1815\n\u00a0do_new_mount+0x201/0x550 fs/namespace.c:3808\n\u00a0do_mount fs/namespace.c:4136 [inline]\n\u00a0__do_sys_mount fs/namespace.c:4347 [inline]\n\u00a0__se_sys_mount+0x298/0x2f0 fs/namespace.c:4324\n\u00a0do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n\u00a0do_syscall_64+0x8e/0x3a0 arch/x86/entry/syscall_64.c:94\n\u00a0entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThe bug can be reproduced w/ below scripts:\n- mount /dev/vdb /mnt1\n- mount /dev/vdc /mnt2\n- umount /mnt1\n- mounnt /dev/vdb /mnt1\n\nThe reason is if we created two slab caches, named f2fs_xattr_entry-7:3\nand f2fs_xattr_entry-7:7, and they have the same slab size. Actually,\nslab system will only create one slab cache core structure which has\nslab name of \"f2fs_xattr_entry-7:3\", and two slab caches share the same\nstructure and cache address.\n\nSo, if we destroy f2fs_xattr_entry-7:3 cache w/ cache address, it will\ndecrease reference count of slab cache, rather than release slab cache\nentirely, since there is one more user has referenced the cache.\n\nThen, if we try to create slab cache w/ name \"f2fs_xattr_entry-7:3\" again,\nslab system will find that there is existed cache which has the same name\nand trigger the warning.\n\nLet\u0027s changes to use global inline_xattr_slab instead of per-sb slab cache\nfor fixing."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:58.276Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/93d30fe19660dec6bf1bd3d5c186c1c737b21aa5"
},
{
"url": "https://git.kernel.org/stable/c/474cc3ed37436ddfd63cac8dbffe3b1e219e9100"
},
{
"url": "https://git.kernel.org/stable/c/72ce19dfed162da6e430467333b2da70471d08a4"
},
{
"url": "https://git.kernel.org/stable/c/be4c3a3c6c2304a8fcd14095d18d26f0cc4e222a"
},
{
"url": "https://git.kernel.org/stable/c/1eb0b130196bcbc56c5c80c83139fa70c0aa82c5"
},
{
"url": "https://git.kernel.org/stable/c/e6d828eae00ec192e18c2ddaa2fd32050a96048a"
},
{
"url": "https://git.kernel.org/stable/c/1f27ef42bb0b7c0740c5616ec577ec188b8a1d05"
}
],
"title": "f2fs: use global inline_xattr_slab instead of per-sb slab cache",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71105",
"datePublished": "2026-01-14T15:05:54.510Z",
"dateReserved": "2026-01-13T15:30:19.651Z",
"dateUpdated": "2026-02-09T08:34:58.276Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71148 (GCVE-0-2025-71148)
Vulnerability from cvelistv5
Published
2026-01-23 14:15
Modified
2026-02-09 08:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/handshake: restore destructor on submit failure
handshake_req_submit() replaces sk->sk_destruct but never restores it when
submission fails before the request is hashed. handshake_sk_destruct() then
returns early and the original destructor never runs, leaking the socket.
Restore sk_destruct on the error path.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/handshake/request.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cd8cf2be3717137554744233fda051ffc09d1d44",
"status": "affected",
"version": "3b3009ea8abb713b022d94fba95ec270cf6e7eae",
"versionType": "git"
},
{
"lessThan": "7b82a1d6ae869533d8bdb0282a3a78faed8e63dd",
"status": "affected",
"version": "3b3009ea8abb713b022d94fba95ec270cf6e7eae",
"versionType": "git"
},
{
"lessThan": "b225325be7b247c7268e65eea6090db1fc786d1f",
"status": "affected",
"version": "3b3009ea8abb713b022d94fba95ec270cf6e7eae",
"versionType": "git"
},
{
"lessThan": "6af2a01d65f89e73c1cbb9267f8880d83a88cee4",
"status": "affected",
"version": "3b3009ea8abb713b022d94fba95ec270cf6e7eae",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/handshake/request.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/handshake: restore destructor on submit failure\n\nhandshake_req_submit() replaces sk-\u003esk_destruct but never restores it when\nsubmission fails before the request is hashed. handshake_sk_destruct() then\nreturns early and the original destructor never runs, leaking the socket.\nRestore sk_destruct on the error path."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:45.279Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cd8cf2be3717137554744233fda051ffc09d1d44"
},
{
"url": "https://git.kernel.org/stable/c/7b82a1d6ae869533d8bdb0282a3a78faed8e63dd"
},
{
"url": "https://git.kernel.org/stable/c/b225325be7b247c7268e65eea6090db1fc786d1f"
},
{
"url": "https://git.kernel.org/stable/c/6af2a01d65f89e73c1cbb9267f8880d83a88cee4"
}
],
"title": "net/handshake: restore destructor on submit failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71148",
"datePublished": "2026-01-23T14:15:14.963Z",
"dateReserved": "2026-01-13T15:30:19.662Z",
"dateUpdated": "2026-02-09T08:35:45.279Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71077 (GCVE-0-2025-71077)
Vulnerability from cvelistv5
Published
2026-01-13 15:31
Modified
2026-02-09 08:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tpm: Cap the number of PCR banks
tpm2_get_pcr_allocation() does not cap any upper limit for the number of
banks. Cap the limit to eight banks so that out of bounds values coming
from external I/O cause on only limited harm.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: bcfff8384f6c4e6627676ef07ccad9cfacd67849 Version: bcfff8384f6c4e6627676ef07ccad9cfacd67849 Version: bcfff8384f6c4e6627676ef07ccad9cfacd67849 Version: bcfff8384f6c4e6627676ef07ccad9cfacd67849 Version: bcfff8384f6c4e6627676ef07ccad9cfacd67849 Version: bcfff8384f6c4e6627676ef07ccad9cfacd67849 Version: bcfff8384f6c4e6627676ef07ccad9cfacd67849 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/char/tpm/tpm-chip.c",
"drivers/char/tpm/tpm1-cmd.c",
"drivers/char/tpm/tpm2-cmd.c",
"include/linux/tpm.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8ceee7288152bc121a6bf92997261838c78bfe06",
"status": "affected",
"version": "bcfff8384f6c4e6627676ef07ccad9cfacd67849",
"versionType": "git"
},
{
"lessThan": "275c686f1e3cc056ec66c764489ec1fe1e51b950",
"status": "affected",
"version": "bcfff8384f6c4e6627676ef07ccad9cfacd67849",
"versionType": "git"
},
{
"lessThan": "ceb70d31da5671d298bad94ae6c20e4bbb800f96",
"status": "affected",
"version": "bcfff8384f6c4e6627676ef07ccad9cfacd67849",
"versionType": "git"
},
{
"lessThan": "d88481653d74d622d1d0d2c9bad845fc2cc6fd23",
"status": "affected",
"version": "bcfff8384f6c4e6627676ef07ccad9cfacd67849",
"versionType": "git"
},
{
"lessThan": "b69492161c056d36789aee42a87a33c18c8ed5e1",
"status": "affected",
"version": "bcfff8384f6c4e6627676ef07ccad9cfacd67849",
"versionType": "git"
},
{
"lessThan": "858344bc9210bea9ab2bdc7e9e331ba84c164e50",
"status": "affected",
"version": "bcfff8384f6c4e6627676ef07ccad9cfacd67849",
"versionType": "git"
},
{
"lessThan": "faf07e611dfa464b201223a7253e9dc5ee0f3c9e",
"status": "affected",
"version": "bcfff8384f6c4e6627676ef07ccad9cfacd67849",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/char/tpm/tpm-chip.c",
"drivers/char/tpm/tpm1-cmd.c",
"drivers/char/tpm/tpm2-cmd.c",
"include/linux/tpm.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.1"
},
{
"lessThan": "5.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntpm: Cap the number of PCR banks\n\ntpm2_get_pcr_allocation() does not cap any upper limit for the number of\nbanks. Cap the limit to eight banks so that out of bounds values coming\nfrom external I/O cause on only limited harm."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:28.240Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8ceee7288152bc121a6bf92997261838c78bfe06"
},
{
"url": "https://git.kernel.org/stable/c/275c686f1e3cc056ec66c764489ec1fe1e51b950"
},
{
"url": "https://git.kernel.org/stable/c/ceb70d31da5671d298bad94ae6c20e4bbb800f96"
},
{
"url": "https://git.kernel.org/stable/c/d88481653d74d622d1d0d2c9bad845fc2cc6fd23"
},
{
"url": "https://git.kernel.org/stable/c/b69492161c056d36789aee42a87a33c18c8ed5e1"
},
{
"url": "https://git.kernel.org/stable/c/858344bc9210bea9ab2bdc7e9e331ba84c164e50"
},
{
"url": "https://git.kernel.org/stable/c/faf07e611dfa464b201223a7253e9dc5ee0f3c9e"
}
],
"title": "tpm: Cap the number of PCR banks",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71077",
"datePublished": "2026-01-13T15:31:29.435Z",
"dateReserved": "2026-01-13T15:30:19.648Z",
"dateUpdated": "2026-02-09T08:34:28.240Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68200 (GCVE-0-2025-68200)
Vulnerability from cvelistv5
Published
2025-12-16 13:48
Modified
2025-12-16 13:48
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Add bpf_prog_run_data_pointers()
syzbot found that cls_bpf_classify() is able to change
tc_skb_cb(skb)->drop_reason triggering a warning in sk_skb_reason_drop().
WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 __sk_skb_reason_drop net/core/skbuff.c:1189 [inline]
WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 sk_skb_reason_drop+0x76/0x170 net/core/skbuff.c:1214
struct tc_skb_cb has been added in commit ec624fe740b4 ("net/sched:
Extend qdisc control block with tc control block"), which added a wrong
interaction with db58ba459202 ("bpf: wire in data and data_end for
cls_act_bpf").
drop_reason was added later.
Add bpf_prog_run_data_pointers() helper to save/restore the net_sched
storage colliding with BPF data_meta/data_end.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 0d76daf2013ce1da20eab5e26bd81d983e1c18fb Version: ec624fe740b416fb68d536b37fb8eef46f90b5c2 Version: ec624fe740b416fb68d536b37fb8eef46f90b5c2 Version: ec624fe740b416fb68d536b37fb8eef46f90b5c2 Version: ec624fe740b416fb68d536b37fb8eef46f90b5c2 Version: ec624fe740b416fb68d536b37fb8eef46f90b5c2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/filter.h",
"net/sched/act_bpf.c",
"net/sched/cls_bpf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c4cdd143c35974a2cedd000fa9eb3accc3023b20",
"status": "affected",
"version": "0d76daf2013ce1da20eab5e26bd81d983e1c18fb",
"versionType": "git"
},
{
"lessThan": "5e149d8a8e732126fb6014efd60075cf63a73f91",
"status": "affected",
"version": "ec624fe740b416fb68d536b37fb8eef46f90b5c2",
"versionType": "git"
},
{
"lessThan": "baa61dcaa50b7141048c8d2aede7fe9ed8f21d11",
"status": "affected",
"version": "ec624fe740b416fb68d536b37fb8eef46f90b5c2",
"versionType": "git"
},
{
"lessThan": "6392e5f4b1a3cce10e828309baf35d22abd3457d",
"status": "affected",
"version": "ec624fe740b416fb68d536b37fb8eef46f90b5c2",
"versionType": "git"
},
{
"lessThan": "8dd2fe5f5d586c8e87307b7a271f6b994afcc006",
"status": "affected",
"version": "ec624fe740b416fb68d536b37fb8eef46f90b5c2",
"versionType": "git"
},
{
"lessThan": "4ef92743625818932b9c320152b58274c05e5053",
"status": "affected",
"version": "ec624fe740b416fb68d536b37fb8eef46f90b5c2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/filter.h",
"net/sched/act_bpf.c",
"net/sched/cls_bpf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.15.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Add bpf_prog_run_data_pointers()\n\nsyzbot found that cls_bpf_classify() is able to change\ntc_skb_cb(skb)-\u003edrop_reason triggering a warning in sk_skb_reason_drop().\n\nWARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 __sk_skb_reason_drop net/core/skbuff.c:1189 [inline]\nWARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 sk_skb_reason_drop+0x76/0x170 net/core/skbuff.c:1214\n\nstruct tc_skb_cb has been added in commit ec624fe740b4 (\"net/sched:\nExtend qdisc control block with tc control block\"), which added a wrong\ninteraction with db58ba459202 (\"bpf: wire in data and data_end for\ncls_act_bpf\").\n\ndrop_reason was added later.\n\nAdd bpf_prog_run_data_pointers() helper to save/restore the net_sched\nstorage colliding with BPF data_meta/data_end."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T13:48:28.793Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c4cdd143c35974a2cedd000fa9eb3accc3023b20"
},
{
"url": "https://git.kernel.org/stable/c/5e149d8a8e732126fb6014efd60075cf63a73f91"
},
{
"url": "https://git.kernel.org/stable/c/baa61dcaa50b7141048c8d2aede7fe9ed8f21d11"
},
{
"url": "https://git.kernel.org/stable/c/6392e5f4b1a3cce10e828309baf35d22abd3457d"
},
{
"url": "https://git.kernel.org/stable/c/8dd2fe5f5d586c8e87307b7a271f6b994afcc006"
},
{
"url": "https://git.kernel.org/stable/c/4ef92743625818932b9c320152b58274c05e5053"
}
],
"title": "bpf: Add bpf_prog_run_data_pointers()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68200",
"datePublished": "2025-12-16T13:48:28.793Z",
"dateReserved": "2025-12-16T13:41:40.254Z",
"dateUpdated": "2025-12-16T13:48:28.793Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40312 (GCVE-0-2025-40312)
Vulnerability from cvelistv5
Published
2025-12-08 00:46
Modified
2026-01-02 15:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
jfs: Verify inode mode when loading from disk
The inode mode loaded from corrupted disk can be invalid. Do like what
commit 0a9e74051313 ("isofs: Verify inode mode when loading from disk")
does.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/jfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "19cce65709a8a2966203653028d9004e28e85bd5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fabc1348bb8fe6bc80850014ee94bd89945f7f4d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "46c76cfa17d1828c1a889cb54cb11d5ef3dfbc0f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2870a7dec49ccdc3f6ae35da8f5d6737f21133a8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ce054a366c54992185c9514e489a14f145b10c29",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1795277a4e98d82e6451544d43695540cee042ea",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8d6a9cbd276b3b85da0e7e98208f89416fed9265",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7a5aa54fba2bd591b22b9b624e6baa9037276986",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/jfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: Verify inode mode when loading from disk\n\nThe inode mode loaded from corrupted disk can be invalid. Do like what\ncommit 0a9e74051313 (\"isofs: Verify inode mode when loading from disk\")\ndoes."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:32.079Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/19cce65709a8a2966203653028d9004e28e85bd5"
},
{
"url": "https://git.kernel.org/stable/c/fabc1348bb8fe6bc80850014ee94bd89945f7f4d"
},
{
"url": "https://git.kernel.org/stable/c/46c76cfa17d1828c1a889cb54cb11d5ef3dfbc0f"
},
{
"url": "https://git.kernel.org/stable/c/2870a7dec49ccdc3f6ae35da8f5d6737f21133a8"
},
{
"url": "https://git.kernel.org/stable/c/ce054a366c54992185c9514e489a14f145b10c29"
},
{
"url": "https://git.kernel.org/stable/c/1795277a4e98d82e6451544d43695540cee042ea"
},
{
"url": "https://git.kernel.org/stable/c/8d6a9cbd276b3b85da0e7e98208f89416fed9265"
},
{
"url": "https://git.kernel.org/stable/c/7a5aa54fba2bd591b22b9b624e6baa9037276986"
}
],
"title": "jfs: Verify inode mode when loading from disk",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40312",
"datePublished": "2025-12-08T00:46:38.147Z",
"dateReserved": "2025-04-16T07:20:57.185Z",
"dateUpdated": "2026-01-02T15:33:32.079Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40279 (GCVE-0-2025-40279)
Vulnerability from cvelistv5
Published
2025-12-06 21:51
Modified
2025-12-06 21:51
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: sched: act_connmark: initialize struct tc_ife to fix kernel leak
In tcf_connmark_dump(), the variable 'opt' was partially initialized using a
designatied initializer. While the padding bytes are reamined
uninitialized. nla_put() copies the entire structure into a
netlink message, these uninitialized bytes leaked to userspace.
Initialize the structure with memset before assigning its fields
to ensure all members and padding are cleared prior to beign copied.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 22a5dc0e5e3e8fef804230cd73ed7b0afd4c7bae Version: 22a5dc0e5e3e8fef804230cd73ed7b0afd4c7bae Version: 22a5dc0e5e3e8fef804230cd73ed7b0afd4c7bae Version: 22a5dc0e5e3e8fef804230cd73ed7b0afd4c7bae Version: 22a5dc0e5e3e8fef804230cd73ed7b0afd4c7bae Version: 22a5dc0e5e3e8fef804230cd73ed7b0afd4c7bae |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/act_connmark.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "218b67c8c8246d47a2a7910eae80abe4861fe2b7",
"status": "affected",
"version": "22a5dc0e5e3e8fef804230cd73ed7b0afd4c7bae",
"versionType": "git"
},
{
"lessThan": "73cc56c608c209d3d666cc571293b090a471da70",
"status": "affected",
"version": "22a5dc0e5e3e8fef804230cd73ed7b0afd4c7bae",
"versionType": "git"
},
{
"lessThan": "31e4aa93e2e5b5647fc235b0f6ee329646878f9e",
"status": "affected",
"version": "22a5dc0e5e3e8fef804230cd73ed7b0afd4c7bae",
"versionType": "git"
},
{
"lessThan": "51cb05d4fd632596816ba44e882e84db9fb28a7e",
"status": "affected",
"version": "22a5dc0e5e3e8fef804230cd73ed7b0afd4c7bae",
"versionType": "git"
},
{
"lessThan": "25837889ec062f2b7618142cd80253dff3da5343",
"status": "affected",
"version": "22a5dc0e5e3e8fef804230cd73ed7b0afd4c7bae",
"versionType": "git"
},
{
"lessThan": "62b656e43eaeae445a39cd8021a4f47065af4389",
"status": "affected",
"version": "22a5dc0e5e3e8fef804230cd73ed7b0afd4c7bae",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/act_connmark.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.0"
},
{
"lessThan": "4.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: act_connmark: initialize struct tc_ife to fix kernel leak\n\nIn tcf_connmark_dump(), the variable \u0027opt\u0027 was partially initialized using a\ndesignatied initializer. While the padding bytes are reamined\nuninitialized. nla_put() copies the entire structure into a\nnetlink message, these uninitialized bytes leaked to userspace.\n\nInitialize the structure with memset before assigning its fields\nto ensure all members and padding are cleared prior to beign copied."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T21:51:03.010Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/218b67c8c8246d47a2a7910eae80abe4861fe2b7"
},
{
"url": "https://git.kernel.org/stable/c/73cc56c608c209d3d666cc571293b090a471da70"
},
{
"url": "https://git.kernel.org/stable/c/31e4aa93e2e5b5647fc235b0f6ee329646878f9e"
},
{
"url": "https://git.kernel.org/stable/c/51cb05d4fd632596816ba44e882e84db9fb28a7e"
},
{
"url": "https://git.kernel.org/stable/c/25837889ec062f2b7618142cd80253dff3da5343"
},
{
"url": "https://git.kernel.org/stable/c/62b656e43eaeae445a39cd8021a4f47065af4389"
}
],
"title": "net: sched: act_connmark: initialize struct tc_ife to fix kernel leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40279",
"datePublished": "2025-12-06T21:51:03.010Z",
"dateReserved": "2025-04-16T07:20:57.184Z",
"dateUpdated": "2025-12-06T21:51:03.010Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40204 (GCVE-0-2025-40204)
Vulnerability from cvelistv5
Published
2025-11-12 21:56
Modified
2025-12-01 06:20
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
sctp: Fix MAC comparison to be constant-time
To prevent timing attacks, MACs need to be compared in constant time.
Use the appropriate helper function for this.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sctp/sm_make_chunk.c",
"net/sctp/sm_statefuns.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b93fa8dc521d00d2d44bf034fb90e0d79b036617",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0e8b8c326c2a6de4d837b1bb034ea704f4690d77",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1cd60e0d0fb8f0e62ec4499138afce6342dc9d4c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9c05d44ec24126fc283835b68f82dba3ae985209",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ed3044b9c810c5c24eb2830053fbfe5fd134c5d4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8019b3699289fce3f10b63f98601db97b8d105b0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0b32ff285ff6f6f1ac1d9495787ccce8837d6405",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "dd91c79e4f58fbe2898dac84858033700e0e99fb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sctp/sm_make_chunk.c",
"net/sctp/sm_statefuns.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: Fix MAC comparison to be constant-time\n\nTo prevent timing attacks, MACs need to be compared in constant time.\nUse the appropriate helper function for this."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:20:07.600Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b93fa8dc521d00d2d44bf034fb90e0d79b036617"
},
{
"url": "https://git.kernel.org/stable/c/0e8b8c326c2a6de4d837b1bb034ea704f4690d77"
},
{
"url": "https://git.kernel.org/stable/c/1cd60e0d0fb8f0e62ec4499138afce6342dc9d4c"
},
{
"url": "https://git.kernel.org/stable/c/9c05d44ec24126fc283835b68f82dba3ae985209"
},
{
"url": "https://git.kernel.org/stable/c/ed3044b9c810c5c24eb2830053fbfe5fd134c5d4"
},
{
"url": "https://git.kernel.org/stable/c/8019b3699289fce3f10b63f98601db97b8d105b0"
},
{
"url": "https://git.kernel.org/stable/c/0b32ff285ff6f6f1ac1d9495787ccce8837d6405"
},
{
"url": "https://git.kernel.org/stable/c/dd91c79e4f58fbe2898dac84858033700e0e99fb"
}
],
"title": "sctp: Fix MAC comparison to be constant-time",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40204",
"datePublished": "2025-11-12T21:56:35.110Z",
"dateReserved": "2025-04-16T07:20:57.179Z",
"dateUpdated": "2025-12-01T06:20:07.600Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40070 (GCVE-0-2025-40070)
Vulnerability from cvelistv5
Published
2025-10-28 11:48
Modified
2025-12-01 06:17
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
pps: fix warning in pps_register_cdev when register device fail
Similar to previous commit 2a934fdb01db ("media: v4l2-dev: fix error
handling in __video_register_device()"), the release hook should be set
before device_register(). Otherwise, when device_register() return error
and put_device() try to callback the release function, the below warning
may happen.
------------[ cut here ]------------
WARNING: CPU: 1 PID: 4760 at drivers/base/core.c:2567 device_release+0x1bd/0x240 drivers/base/core.c:2567
Modules linked in:
CPU: 1 UID: 0 PID: 4760 Comm: syz.4.914 Not tainted 6.17.0-rc3+ #1 NONE
RIP: 0010:device_release+0x1bd/0x240 drivers/base/core.c:2567
Call Trace:
<TASK>
kobject_cleanup+0x136/0x410 lib/kobject.c:689
kobject_release lib/kobject.c:720 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0xe9/0x130 lib/kobject.c:737
put_device+0x24/0x30 drivers/base/core.c:3797
pps_register_cdev+0x2da/0x370 drivers/pps/pps.c:402
pps_register_source+0x2f6/0x480 drivers/pps/kapi.c:108
pps_tty_open+0x190/0x310 drivers/pps/clients/pps-ldisc.c:57
tty_ldisc_open+0xa7/0x120 drivers/tty/tty_ldisc.c:432
tty_set_ldisc+0x333/0x780 drivers/tty/tty_ldisc.c:563
tiocsetd drivers/tty/tty_io.c:2429 [inline]
tty_ioctl+0x5d1/0x1700 drivers/tty/tty_io.c:2728
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:598 [inline]
__se_sys_ioctl fs/ioctl.c:584 [inline]
__x64_sys_ioctl+0x194/0x210 fs/ioctl.c:584
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x5f/0x2a0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x76/0x7e
</TASK>
Before commit c79a39dc8d06 ("pps: Fix a use-after-free"),
pps_register_cdev() call device_create() to create pps->dev, which will
init dev->release to device_create_release(). Now the comment is outdated,
just remove it.
Thanks for the reminder from Calvin Owens, 'kfree_pps' should be removed
in pps_register_source() to avoid a double free in the failure case.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 785c78ed0d39d1717cca3ef931d3e51337b5e90e Version: 1a7735ab2cb9747518a7416fb5929e85442dec62 Version: c4041b6b0a7a3def8cf3f3d6120ff337bc4c40f7 Version: 91932db1d96b2952299ce30c1c693d834d10ace6 Version: cd3bbcb6b3a7caa5ce67de76723b6d8531fb7f64 Version: 7e5ee3281dc09014367f5112b6d566ba36ea2d49 Version: c79a39dc8d060b9e64e8b0fa9d245d44befeefbe Version: c79a39dc8d060b9e64e8b0fa9d245d44befeefbe Version: 85241f7de216f8298f6e48540ea13d7dcd100870 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pps/kapi.c",
"drivers/pps/pps.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "38c7bb10aae5118dd48fa7a82f7bf93839bcc320",
"status": "affected",
"version": "785c78ed0d39d1717cca3ef931d3e51337b5e90e",
"versionType": "git"
},
{
"lessThan": "2a194707ca27a3b0523023fa8b446e5ec922dc51",
"status": "affected",
"version": "1a7735ab2cb9747518a7416fb5929e85442dec62",
"versionType": "git"
},
{
"lessThan": "125527db41805693208ee1aacd7f3ffe6a3a489c",
"status": "affected",
"version": "c4041b6b0a7a3def8cf3f3d6120ff337bc4c40f7",
"versionType": "git"
},
{
"lessThan": "4cbd7450a22c5ee4842fc4175ad06c0c82ea53a8",
"status": "affected",
"version": "91932db1d96b2952299ce30c1c693d834d10ace6",
"versionType": "git"
},
{
"lessThan": "cf71834a0cfc394c72d62fd6dbb470ee13cf8f5e",
"status": "affected",
"version": "cd3bbcb6b3a7caa5ce67de76723b6d8531fb7f64",
"versionType": "git"
},
{
"lessThan": "f01fa3588e0b3cb1540f56d2c6bd99e5b3810234",
"status": "affected",
"version": "7e5ee3281dc09014367f5112b6d566ba36ea2d49",
"versionType": "git"
},
{
"lessThan": "0f97564a1fb62f34b3b498e2f12caffbe99c004a",
"status": "affected",
"version": "c79a39dc8d060b9e64e8b0fa9d245d44befeefbe",
"versionType": "git"
},
{
"lessThan": "b0531cdba5029f897da5156815e3bdafe1e9b88d",
"status": "affected",
"version": "c79a39dc8d060b9e64e8b0fa9d245d44befeefbe",
"versionType": "git"
},
{
"status": "affected",
"version": "85241f7de216f8298f6e48540ea13d7dcd100870",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pps/kapi.c",
"drivers/pps/pps.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.14"
},
{
"lessThan": "6.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "5.4.291",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "5.10.235",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "5.15.179",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "6.1.129",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "6.6.76",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "6.12.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.13.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npps: fix warning in pps_register_cdev when register device fail\n\nSimilar to previous commit 2a934fdb01db (\"media: v4l2-dev: fix error\nhandling in __video_register_device()\"), the release hook should be set\nbefore device_register(). Otherwise, when device_register() return error\nand put_device() try to callback the release function, the below warning\nmay happen.\n\n ------------[ cut here ]------------\n WARNING: CPU: 1 PID: 4760 at drivers/base/core.c:2567 device_release+0x1bd/0x240 drivers/base/core.c:2567\n Modules linked in:\n CPU: 1 UID: 0 PID: 4760 Comm: syz.4.914 Not tainted 6.17.0-rc3+ #1 NONE\n RIP: 0010:device_release+0x1bd/0x240 drivers/base/core.c:2567\n Call Trace:\n \u003cTASK\u003e\n kobject_cleanup+0x136/0x410 lib/kobject.c:689\n kobject_release lib/kobject.c:720 [inline]\n kref_put include/linux/kref.h:65 [inline]\n kobject_put+0xe9/0x130 lib/kobject.c:737\n put_device+0x24/0x30 drivers/base/core.c:3797\n pps_register_cdev+0x2da/0x370 drivers/pps/pps.c:402\n pps_register_source+0x2f6/0x480 drivers/pps/kapi.c:108\n pps_tty_open+0x190/0x310 drivers/pps/clients/pps-ldisc.c:57\n tty_ldisc_open+0xa7/0x120 drivers/tty/tty_ldisc.c:432\n tty_set_ldisc+0x333/0x780 drivers/tty/tty_ldisc.c:563\n tiocsetd drivers/tty/tty_io.c:2429 [inline]\n tty_ioctl+0x5d1/0x1700 drivers/tty/tty_io.c:2728\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:598 [inline]\n __se_sys_ioctl fs/ioctl.c:584 [inline]\n __x64_sys_ioctl+0x194/0x210 fs/ioctl.c:584\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0x5f/0x2a0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n \u003c/TASK\u003e\n\nBefore commit c79a39dc8d06 (\"pps: Fix a use-after-free\"),\npps_register_cdev() call device_create() to create pps-\u003edev, which will\ninit dev-\u003erelease to device_create_release(). Now the comment is outdated,\njust remove it.\n\nThanks for the reminder from Calvin Owens, \u0027kfree_pps\u0027 should be removed\nin pps_register_source() to avoid a double free in the failure case."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:17:24.328Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/38c7bb10aae5118dd48fa7a82f7bf93839bcc320"
},
{
"url": "https://git.kernel.org/stable/c/2a194707ca27a3b0523023fa8b446e5ec922dc51"
},
{
"url": "https://git.kernel.org/stable/c/125527db41805693208ee1aacd7f3ffe6a3a489c"
},
{
"url": "https://git.kernel.org/stable/c/4cbd7450a22c5ee4842fc4175ad06c0c82ea53a8"
},
{
"url": "https://git.kernel.org/stable/c/cf71834a0cfc394c72d62fd6dbb470ee13cf8f5e"
},
{
"url": "https://git.kernel.org/stable/c/f01fa3588e0b3cb1540f56d2c6bd99e5b3810234"
},
{
"url": "https://git.kernel.org/stable/c/0f97564a1fb62f34b3b498e2f12caffbe99c004a"
},
{
"url": "https://git.kernel.org/stable/c/b0531cdba5029f897da5156815e3bdafe1e9b88d"
}
],
"title": "pps: fix warning in pps_register_cdev when register device fail",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40070",
"datePublished": "2025-10-28T11:48:38.838Z",
"dateReserved": "2025-04-16T07:20:57.159Z",
"dateUpdated": "2025-12-01T06:17:24.328Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23083 (GCVE-0-2026-23083)
Vulnerability from cvelistv5
Published
2026-02-04 16:08
Modified
2026-02-09 08:38
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
fou: Don't allow 0 for FOU_ATTR_IPPROTO.
fou_udp_recv() has the same problem mentioned in the previous
patch.
If FOU_ATTR_IPPROTO is set to 0, skb is not freed by
fou_udp_recv() nor "resubmit"-ted in ip_protocol_deliver_rcu().
Let's forbid 0 for FOU_ATTR_IPPROTO.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 23461551c00628c3f3fe9cf837bf53cf8f212b63 Version: 23461551c00628c3f3fe9cf837bf53cf8f212b63 Version: 23461551c00628c3f3fe9cf837bf53cf8f212b63 Version: 23461551c00628c3f3fe9cf837bf53cf8f212b63 Version: 23461551c00628c3f3fe9cf837bf53cf8f212b63 Version: 23461551c00628c3f3fe9cf837bf53cf8f212b63 Version: 23461551c00628c3f3fe9cf837bf53cf8f212b63 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"Documentation/netlink/specs/fou.yaml",
"net/ipv4/fou_nl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c7498f9bc390479ccfad7c7f2332237ff4945b03",
"status": "affected",
"version": "23461551c00628c3f3fe9cf837bf53cf8f212b63",
"versionType": "git"
},
{
"lessThan": "611ef4bd9c73d9e6d87bed57a635ff1fdd8c91ea",
"status": "affected",
"version": "23461551c00628c3f3fe9cf837bf53cf8f212b63",
"versionType": "git"
},
{
"lessThan": "6e983789b7588ee59cbf303583546c043bad8e19",
"status": "affected",
"version": "23461551c00628c3f3fe9cf837bf53cf8f212b63",
"versionType": "git"
},
{
"lessThan": "1cc98b8887cabb1808d2f4a37cd10a7be7574771",
"status": "affected",
"version": "23461551c00628c3f3fe9cf837bf53cf8f212b63",
"versionType": "git"
},
{
"lessThan": "b7db31a52c3862a1a32202a273a4c32e7f5f4823",
"status": "affected",
"version": "23461551c00628c3f3fe9cf837bf53cf8f212b63",
"versionType": "git"
},
{
"lessThan": "9b75dff8446ec871030d8daf5a69e74f5fe8b956",
"status": "affected",
"version": "23461551c00628c3f3fe9cf837bf53cf8f212b63",
"versionType": "git"
},
{
"lessThan": "7a9bc9e3f42391e4c187e099263cf7a1c4b69ff5",
"status": "affected",
"version": "23461551c00628c3f3fe9cf837bf53cf8f212b63",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"Documentation/netlink/specs/fou.yaml",
"net/ipv4/fou_nl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.18"
},
{
"lessThan": "3.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfou: Don\u0027t allow 0 for FOU_ATTR_IPPROTO.\n\nfou_udp_recv() has the same problem mentioned in the previous\npatch.\n\nIf FOU_ATTR_IPPROTO is set to 0, skb is not freed by\nfou_udp_recv() nor \"resubmit\"-ted in ip_protocol_deliver_rcu().\n\nLet\u0027s forbid 0 for FOU_ATTR_IPPROTO."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:38:23.034Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c7498f9bc390479ccfad7c7f2332237ff4945b03"
},
{
"url": "https://git.kernel.org/stable/c/611ef4bd9c73d9e6d87bed57a635ff1fdd8c91ea"
},
{
"url": "https://git.kernel.org/stable/c/6e983789b7588ee59cbf303583546c043bad8e19"
},
{
"url": "https://git.kernel.org/stable/c/1cc98b8887cabb1808d2f4a37cd10a7be7574771"
},
{
"url": "https://git.kernel.org/stable/c/b7db31a52c3862a1a32202a273a4c32e7f5f4823"
},
{
"url": "https://git.kernel.org/stable/c/9b75dff8446ec871030d8daf5a69e74f5fe8b956"
},
{
"url": "https://git.kernel.org/stable/c/7a9bc9e3f42391e4c187e099263cf7a1c4b69ff5"
}
],
"title": "fou: Don\u0027t allow 0 for FOU_ATTR_IPPROTO.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23083",
"datePublished": "2026-02-04T16:08:07.561Z",
"dateReserved": "2026-01-13T15:37:45.960Z",
"dateUpdated": "2026-02-09T08:38:23.034Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-56640 (GCVE-0-2024-56640)
Vulnerability from cvelistv5
Published
2024-12-27 15:02
Modified
2025-11-03 20:51
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/smc: fix LGR and link use-after-free issue
We encountered a LGR/link use-after-free issue, which manifested as
the LGR/link refcnt reaching 0 early and entering the clear process,
making resource access unsafe.
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 14 PID: 107447 at lib/refcount.c:25 refcount_warn_saturate+0x9c/0x140
Workqueue: events smc_lgr_terminate_work [smc]
Call trace:
refcount_warn_saturate+0x9c/0x140
__smc_lgr_terminate.part.45+0x2a8/0x370 [smc]
smc_lgr_terminate_work+0x28/0x30 [smc]
process_one_work+0x1b8/0x420
worker_thread+0x158/0x510
kthread+0x114/0x118
or
refcount_t: underflow; use-after-free.
WARNING: CPU: 6 PID: 93140 at lib/refcount.c:28 refcount_warn_saturate+0xf0/0x140
Workqueue: smc_hs_wq smc_listen_work [smc]
Call trace:
refcount_warn_saturate+0xf0/0x140
smcr_link_put+0x1cc/0x1d8 [smc]
smc_conn_free+0x110/0x1b0 [smc]
smc_conn_abort+0x50/0x60 [smc]
smc_listen_find_device+0x75c/0x790 [smc]
smc_listen_work+0x368/0x8a0 [smc]
process_one_work+0x1b8/0x420
worker_thread+0x158/0x510
kthread+0x114/0x118
It is caused by repeated release of LGR/link refcnt. One suspect is that
smc_conn_free() is called repeatedly because some smc_conn_free() from
server listening path are not protected by sock lock.
e.g.
Calls under socklock | smc_listen_work
-------------------------------------------------------
lock_sock(sk) | smc_conn_abort
smc_conn_free | \- smc_conn_free
\- smcr_link_put | \- smcr_link_put (duplicated)
release_sock(sk)
So here add sock lock protection in smc_listen_work() path, making it
exclusive with other connection operations.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-56640",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-11T15:41:51.231757Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-11T15:45:22.074Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:51:40.000Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/smc/af_smc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f502a88fdd415647a1f2dc45fac71b9c522a052b",
"status": "affected",
"version": "3b2dec2603d5b06ad3af71c1164ca0b92df3d2a8",
"versionType": "git"
},
{
"lessThan": "0cf598548a6c36d90681d53c6b77d52363f2f295",
"status": "affected",
"version": "3b2dec2603d5b06ad3af71c1164ca0b92df3d2a8",
"versionType": "git"
},
{
"lessThan": "673d606683ac70bc074ca6676b938bff18635226",
"status": "affected",
"version": "3b2dec2603d5b06ad3af71c1164ca0b92df3d2a8",
"versionType": "git"
},
{
"lessThan": "6f0ae06a234a78ae137064f2c89135ac078a00eb",
"status": "affected",
"version": "3b2dec2603d5b06ad3af71c1164ca0b92df3d2a8",
"versionType": "git"
},
{
"lessThan": "2c7f14ed9c19ec0f149479d1c2842ec1f9bf76d7",
"status": "affected",
"version": "3b2dec2603d5b06ad3af71c1164ca0b92df3d2a8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/smc/af_smc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"lessThan": "4.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.174",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.174",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.120",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.66",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.5",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13",
"versionStartIncluding": "4.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: fix LGR and link use-after-free issue\n\nWe encountered a LGR/link use-after-free issue, which manifested as\nthe LGR/link refcnt reaching 0 early and entering the clear process,\nmaking resource access unsafe.\n\n refcount_t: addition on 0; use-after-free.\n WARNING: CPU: 14 PID: 107447 at lib/refcount.c:25 refcount_warn_saturate+0x9c/0x140\n Workqueue: events smc_lgr_terminate_work [smc]\n Call trace:\n refcount_warn_saturate+0x9c/0x140\n __smc_lgr_terminate.part.45+0x2a8/0x370 [smc]\n smc_lgr_terminate_work+0x28/0x30 [smc]\n process_one_work+0x1b8/0x420\n worker_thread+0x158/0x510\n kthread+0x114/0x118\n\nor\n\n refcount_t: underflow; use-after-free.\n WARNING: CPU: 6 PID: 93140 at lib/refcount.c:28 refcount_warn_saturate+0xf0/0x140\n Workqueue: smc_hs_wq smc_listen_work [smc]\n Call trace:\n refcount_warn_saturate+0xf0/0x140\n smcr_link_put+0x1cc/0x1d8 [smc]\n smc_conn_free+0x110/0x1b0 [smc]\n smc_conn_abort+0x50/0x60 [smc]\n smc_listen_find_device+0x75c/0x790 [smc]\n smc_listen_work+0x368/0x8a0 [smc]\n process_one_work+0x1b8/0x420\n worker_thread+0x158/0x510\n kthread+0x114/0x118\n\nIt is caused by repeated release of LGR/link refcnt. One suspect is that\nsmc_conn_free() is called repeatedly because some smc_conn_free() from\nserver listening path are not protected by sock lock.\n\ne.g.\n\nCalls under socklock | smc_listen_work\n-------------------------------------------------------\nlock_sock(sk) | smc_conn_abort\nsmc_conn_free | \\- smc_conn_free\n\\- smcr_link_put | \\- smcr_link_put (duplicated)\nrelease_sock(sk)\n\nSo here add sock lock protection in smc_listen_work() path, making it\nexclusive with other connection operations."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T10:00:47.260Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f502a88fdd415647a1f2dc45fac71b9c522a052b"
},
{
"url": "https://git.kernel.org/stable/c/0cf598548a6c36d90681d53c6b77d52363f2f295"
},
{
"url": "https://git.kernel.org/stable/c/673d606683ac70bc074ca6676b938bff18635226"
},
{
"url": "https://git.kernel.org/stable/c/6f0ae06a234a78ae137064f2c89135ac078a00eb"
},
{
"url": "https://git.kernel.org/stable/c/2c7f14ed9c19ec0f149479d1c2842ec1f9bf76d7"
}
],
"title": "net/smc: fix LGR and link use-after-free issue",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-56640",
"datePublished": "2024-12-27T15:02:42.253Z",
"dateReserved": "2024-12-27T15:00:39.839Z",
"dateUpdated": "2025-11-03T20:51:40.000Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68822 (GCVE-0-2025-68822)
Vulnerability from cvelistv5
Published
2026-01-13 15:29
Modified
2026-02-09 08:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Input: alps - fix use-after-free bugs caused by dev3_register_work
The dev3_register_work delayed work item is initialized within
alps_reconnect() and scheduled upon receipt of the first bare
PS/2 packet from an external PS/2 device connected to the ALPS
touchpad. During device detachment, the original implementation
calls flush_workqueue() in psmouse_disconnect() to ensure
completion of dev3_register_work. However, the flush_workqueue()
in psmouse_disconnect() only blocks and waits for work items that
were already queued to the workqueue prior to its invocation. Any
work items submitted after flush_workqueue() is called are not
included in the set of tasks that the flush operation awaits.
This means that after flush_workqueue() has finished executing,
the dev3_register_work could still be scheduled. Although the
psmouse state is set to PSMOUSE_CMD_MODE in psmouse_disconnect(),
the scheduling of dev3_register_work remains unaffected.
The race condition can occur as follows:
CPU 0 (cleanup path) | CPU 1 (delayed work)
psmouse_disconnect() |
psmouse_set_state() |
flush_workqueue() | alps_report_bare_ps2_packet()
alps_disconnect() | psmouse_queue_work()
kfree(priv); // FREE | alps_register_bare_ps2_mouse()
| priv = container_of(work...); // USE
| priv->dev3 // USE
Add disable_delayed_work_sync() in alps_disconnect() to ensure
that dev3_register_work is properly canceled and prevented from
executing after the alps_data structure has been deallocated.
This bug is identified by static analysis.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/input/mouse/alps.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ed8c61b89be0c45f029228b2913d5cf7b5cda1a7",
"status": "affected",
"version": "04aae283ba6a8cd4851d937bf9c6d6ef0361d794",
"versionType": "git"
},
{
"lessThan": "a9c115e017b2c633d25bdfe6709dda6fc36f08c2",
"status": "affected",
"version": "04aae283ba6a8cd4851d937bf9c6d6ef0361d794",
"versionType": "git"
},
{
"lessThan": "bf40644ef8c8a288742fa45580897ed0e0289474",
"status": "affected",
"version": "04aae283ba6a8cd4851d937bf9c6d6ef0361d794",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/input/mouse/alps.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.0"
},
{
"lessThan": "4.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: alps - fix use-after-free bugs caused by dev3_register_work\n\nThe dev3_register_work delayed work item is initialized within\nalps_reconnect() and scheduled upon receipt of the first bare\nPS/2 packet from an external PS/2 device connected to the ALPS\ntouchpad. During device detachment, the original implementation\ncalls flush_workqueue() in psmouse_disconnect() to ensure\ncompletion of dev3_register_work. However, the flush_workqueue()\nin psmouse_disconnect() only blocks and waits for work items that\nwere already queued to the workqueue prior to its invocation. Any\nwork items submitted after flush_workqueue() is called are not\nincluded in the set of tasks that the flush operation awaits.\nThis means that after flush_workqueue() has finished executing,\nthe dev3_register_work could still be scheduled. Although the\npsmouse state is set to PSMOUSE_CMD_MODE in psmouse_disconnect(),\nthe scheduling of dev3_register_work remains unaffected.\n\nThe race condition can occur as follows:\n\nCPU 0 (cleanup path) | CPU 1 (delayed work)\npsmouse_disconnect() |\n psmouse_set_state() |\n flush_workqueue() | alps_report_bare_ps2_packet()\n alps_disconnect() | psmouse_queue_work()\n kfree(priv); // FREE | alps_register_bare_ps2_mouse()\n | priv = container_of(work...); // USE\n | priv-\u003edev3 // USE\n\nAdd disable_delayed_work_sync() in alps_disconnect() to ensure\nthat dev3_register_work is properly canceled and prevented from\nexecuting after the alps_data structure has been deallocated.\n\nThis bug is identified by static analysis."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:12.385Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ed8c61b89be0c45f029228b2913d5cf7b5cda1a7"
},
{
"url": "https://git.kernel.org/stable/c/a9c115e017b2c633d25bdfe6709dda6fc36f08c2"
},
{
"url": "https://git.kernel.org/stable/c/bf40644ef8c8a288742fa45580897ed0e0289474"
}
],
"title": "Input: alps - fix use-after-free bugs caused by dev3_register_work",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68822",
"datePublished": "2026-01-13T15:29:24.703Z",
"dateReserved": "2025-12-24T10:30:51.048Z",
"dateUpdated": "2026-02-09T08:34:12.385Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40231 (GCVE-0-2025-40231)
Vulnerability from cvelistv5
Published
2025-12-04 15:31
Modified
2025-12-04 15:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
vsock: fix lock inversion in vsock_assign_transport()
Syzbot reported a potential lock inversion deadlock between
vsock_register_mutex and sk_lock-AF_VSOCK when vsock_linger() is called.
The issue was introduced by commit 687aa0c5581b ("vsock: Fix
transport_* TOCTOU") which added vsock_register_mutex locking in
vsock_assign_transport() around the transport->release() call, that can
call vsock_linger(). vsock_assign_transport() can be called with sk_lock
held. vsock_linger() calls sk_wait_event() that temporarily releases and
re-acquires sk_lock. During this window, if another thread hold
vsock_register_mutex while trying to acquire sk_lock, a circular
dependency is created.
Fix this by releasing vsock_register_mutex before calling
transport->release() and vsock_deassign_transport(). This is safe
because we don't need to hold vsock_register_mutex while releasing the
old transport, and we ensure the new transport won't disappear by
obtaining a module reference first via try_module_get().
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 8667e8d0eb46bc54fdae30ba2f4786407d3d88eb Version: 36a439049b34cca0b3661276049b84a1f76cc21a Version: 9ce53e744f18e73059d3124070e960f3aa9902bf Version: 9d24bb6780282b0255b9929abe5e8f98007e2c6e Version: ae2c712ba39c7007de63cb0c75b51ce1caaf1da5 Version: 687aa0c5581b8d4aa87fd92973e4ee576b550cdf Version: 687aa0c5581b8d4aa87fd92973e4ee576b550cdf Version: 7b73bddf54777fb62d4d8c7729d0affe6df04477 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/vmw_vsock/af_vsock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ce4f856c64f0bc30e29302a0ce41f4295ca391c5",
"status": "affected",
"version": "8667e8d0eb46bc54fdae30ba2f4786407d3d88eb",
"versionType": "git"
},
{
"lessThan": "09bba278ccde25a14b6e5088a9e65a8717d0cccf",
"status": "affected",
"version": "36a439049b34cca0b3661276049b84a1f76cc21a",
"versionType": "git"
},
{
"lessThan": "b44182c116778feaa05da52a426aeb9da1878dcf",
"status": "affected",
"version": "9ce53e744f18e73059d3124070e960f3aa9902bf",
"versionType": "git"
},
{
"lessThan": "42ed0784d11adebf748711e503af0eb9f1e6d81d",
"status": "affected",
"version": "9d24bb6780282b0255b9929abe5e8f98007e2c6e",
"versionType": "git"
},
{
"lessThan": "251caee792a21eb0b781aab91362b422c945e162",
"status": "affected",
"version": "ae2c712ba39c7007de63cb0c75b51ce1caaf1da5",
"versionType": "git"
},
{
"lessThan": "a2a4346eea8b4cb75037dbcb20b98cb454324f80",
"status": "affected",
"version": "687aa0c5581b8d4aa87fd92973e4ee576b550cdf",
"versionType": "git"
},
{
"lessThan": "f7c877e7535260cc7a21484c994e8ce7e8cb6780",
"status": "affected",
"version": "687aa0c5581b8d4aa87fd92973e4ee576b550cdf",
"versionType": "git"
},
{
"status": "affected",
"version": "7b73bddf54777fb62d4d8c7729d0affe6df04477",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/vmw_vsock/af_vsock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.16"
},
{
"lessThan": "6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.196",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.115",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "5.10.240",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.196",
"versionStartIncluding": "5.15.189",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "6.1.146",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.115",
"versionStartIncluding": "6.6.99",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.56",
"versionStartIncluding": "6.12.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.6",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.15.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock: fix lock inversion in vsock_assign_transport()\n\nSyzbot reported a potential lock inversion deadlock between\nvsock_register_mutex and sk_lock-AF_VSOCK when vsock_linger() is called.\n\nThe issue was introduced by commit 687aa0c5581b (\"vsock: Fix\ntransport_* TOCTOU\") which added vsock_register_mutex locking in\nvsock_assign_transport() around the transport-\u003erelease() call, that can\ncall vsock_linger(). vsock_assign_transport() can be called with sk_lock\nheld. vsock_linger() calls sk_wait_event() that temporarily releases and\nre-acquires sk_lock. During this window, if another thread hold\nvsock_register_mutex while trying to acquire sk_lock, a circular\ndependency is created.\n\nFix this by releasing vsock_register_mutex before calling\ntransport-\u003erelease() and vsock_deassign_transport(). This is safe\nbecause we don\u0027t need to hold vsock_register_mutex while releasing the\nold transport, and we ensure the new transport won\u0027t disappear by\nobtaining a module reference first via try_module_get()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-04T15:31:22.199Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ce4f856c64f0bc30e29302a0ce41f4295ca391c5"
},
{
"url": "https://git.kernel.org/stable/c/09bba278ccde25a14b6e5088a9e65a8717d0cccf"
},
{
"url": "https://git.kernel.org/stable/c/b44182c116778feaa05da52a426aeb9da1878dcf"
},
{
"url": "https://git.kernel.org/stable/c/42ed0784d11adebf748711e503af0eb9f1e6d81d"
},
{
"url": "https://git.kernel.org/stable/c/251caee792a21eb0b781aab91362b422c945e162"
},
{
"url": "https://git.kernel.org/stable/c/a2a4346eea8b4cb75037dbcb20b98cb454324f80"
},
{
"url": "https://git.kernel.org/stable/c/f7c877e7535260cc7a21484c994e8ce7e8cb6780"
}
],
"title": "vsock: fix lock inversion in vsock_assign_transport()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40231",
"datePublished": "2025-12-04T15:31:22.199Z",
"dateReserved": "2025-04-16T07:20:57.180Z",
"dateUpdated": "2025-12-04T15:31:22.199Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68784 (GCVE-0-2025-68784)
Vulnerability from cvelistv5
Published
2026-01-13 15:28
Modified
2026-02-09 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
xfs: fix a UAF problem in xattr repair
The xchk_setup_xattr_buf function can allocate a new value buffer, which
means that any reference to ab->value before the call could become a
dangling pointer. Fix this by moving an assignment to after the buffer
setup.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/xfs/scrub/attr_repair.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1e2d3aa19c7962b9474b22893160cb460494c45f",
"status": "affected",
"version": "e47dcf113ae348678143cc935a1183059c02c9ad",
"versionType": "git"
},
{
"lessThan": "d29ed9ff972afe17c215cab171761d7a15d7063f",
"status": "affected",
"version": "e47dcf113ae348678143cc935a1183059c02c9ad",
"versionType": "git"
},
{
"lessThan": "5990fd756943836978ad184aac980e2b36ab7e01",
"status": "affected",
"version": "e47dcf113ae348678143cc935a1183059c02c9ad",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/xfs/scrub/attr_repair.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.10"
},
{
"lessThan": "6.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: fix a UAF problem in xattr repair\n\nThe xchk_setup_xattr_buf function can allocate a new value buffer, which\nmeans that any reference to ab-\u003evalue before the call could become a\ndangling pointer. Fix this by moving an assignment to after the buffer\nsetup."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:30.771Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1e2d3aa19c7962b9474b22893160cb460494c45f"
},
{
"url": "https://git.kernel.org/stable/c/d29ed9ff972afe17c215cab171761d7a15d7063f"
},
{
"url": "https://git.kernel.org/stable/c/5990fd756943836978ad184aac980e2b36ab7e01"
}
],
"title": "xfs: fix a UAF problem in xattr repair",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68784",
"datePublished": "2026-01-13T15:28:58.255Z",
"dateReserved": "2025-12-24T10:30:51.036Z",
"dateUpdated": "2026-02-09T08:33:30.771Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23150 (GCVE-0-2026-23150)
Vulnerability from cvelistv5
Published
2026-02-14 16:01
Modified
2026-02-14 16:01
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nfc: llcp: Fix memleak in nfc_llcp_send_ui_frame().
syzbot reported various memory leaks related to NFC, struct
nfc_llcp_sock, sk_buff, nfc_dev, etc. [0]
The leading log hinted that nfc_llcp_send_ui_frame() failed
to allocate skb due to sock_error(sk) being -ENXIO.
ENXIO is set by nfc_llcp_socket_release() when struct
nfc_llcp_local is destroyed by local_cleanup().
The problem is that there is no synchronisation between
nfc_llcp_send_ui_frame() and local_cleanup(), and skb
could be put into local->tx_queue after it was purged in
local_cleanup():
CPU1 CPU2
---- ----
nfc_llcp_send_ui_frame() local_cleanup()
|- do { '
|- pdu = nfc_alloc_send_skb(..., &err)
| .
| |- nfc_llcp_socket_release(local, false, ENXIO);
| |- skb_queue_purge(&local->tx_queue); |
| ' |
|- skb_queue_tail(&local->tx_queue, pdu); |
... |
|- pdu = nfc_alloc_send_skb(..., &err) |
^._________________________________.'
local_cleanup() is called for struct nfc_llcp_local only
after nfc_llcp_remove_local() unlinks it from llcp_devices.
If we hold local->tx_queue.lock then, we can synchronise
the thread and nfc_llcp_send_ui_frame().
Let's do that and check list_empty(&local->list) before
queuing skb to local->tx_queue in nfc_llcp_send_ui_frame().
[0]:
[ 56.074943][ T6096] llcp: nfc_llcp_send_ui_frame: Could not allocate PDU (error=-6)
[ 64.318868][ T5813] kmemleak: 6 new suspected memory leaks (see /sys/kernel/debug/kmemleak)
BUG: memory leak
unreferenced object 0xffff8881272f6800 (size 1024):
comm "syz.0.17", pid 6096, jiffies 4294942766
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
27 00 03 40 00 00 00 00 00 00 00 00 00 00 00 00 '..@............
backtrace (crc da58d84d):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4979 [inline]
slab_alloc_node mm/slub.c:5284 [inline]
__do_kmalloc_node mm/slub.c:5645 [inline]
__kmalloc_noprof+0x3e3/0x6b0 mm/slub.c:5658
kmalloc_noprof include/linux/slab.h:961 [inline]
sk_prot_alloc+0x11a/0x1b0 net/core/sock.c:2239
sk_alloc+0x36/0x360 net/core/sock.c:2295
nfc_llcp_sock_alloc+0x37/0x130 net/nfc/llcp_sock.c:979
llcp_sock_create+0x71/0xd0 net/nfc/llcp_sock.c:1044
nfc_sock_create+0xc9/0xf0 net/nfc/af_nfc.c:31
__sock_create+0x1a9/0x340 net/socket.c:1605
sock_create net/socket.c:1663 [inline]
__sys_socket_create net/socket.c:1700 [inline]
__sys_socket+0xb9/0x1a0 net/socket.c:1747
__do_sys_socket net/socket.c:1761 [inline]
__se_sys_socket net/socket.c:1759 [inline]
__x64_sys_socket+0x1b/0x30 net/socket.c:1759
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
BUG: memory leak
unreferenced object 0xffff88810fbd9800 (size 240):
comm "syz.0.17", pid 6096, jiffies 4294942850
hex dump (first 32 bytes):
68 f0 ff 08 81 88 ff ff 68 f0 ff 08 81 88 ff ff h.......h.......
00 00 00 00 00 00 00 00 00 68 2f 27 81 88 ff ff .........h/'....
backtrace (crc 6cc652b1):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4979 [inline]
slab_alloc_node mm/slub.c:5284 [inline]
kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5336
__alloc_skb+0x203/0x240 net/core/skbuff.c:660
alloc_skb include/linux/skbuff.h:1383 [inline]
alloc_skb_with_frags+0x69/0x3f0 net/core/sk
---truncated---
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 94f418a206648c9be6fd84d6681d6956b8f8b106 Version: 94f418a206648c9be6fd84d6681d6956b8f8b106 Version: 94f418a206648c9be6fd84d6681d6956b8f8b106 Version: 94f418a206648c9be6fd84d6681d6956b8f8b106 Version: 94f418a206648c9be6fd84d6681d6956b8f8b106 Version: 94f418a206648c9be6fd84d6681d6956b8f8b106 Version: 94f418a206648c9be6fd84d6681d6956b8f8b106 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/nfc/llcp_commands.c",
"net/nfc/llcp_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ab660cb8e17aa93426d1e821c2cce60e4b9bc56a",
"status": "affected",
"version": "94f418a206648c9be6fd84d6681d6956b8f8b106",
"versionType": "git"
},
{
"lessThan": "65e976e1f474ae3bf5681d7abafb8f3fdb34b8cc",
"status": "affected",
"version": "94f418a206648c9be6fd84d6681d6956b8f8b106",
"versionType": "git"
},
{
"lessThan": "6734ff1ac6beba1d0c22dc9a3dc1849b773b511f",
"status": "affected",
"version": "94f418a206648c9be6fd84d6681d6956b8f8b106",
"versionType": "git"
},
{
"lessThan": "f8d002626d434f5fea9085e2557711c16a15cec6",
"status": "affected",
"version": "94f418a206648c9be6fd84d6681d6956b8f8b106",
"versionType": "git"
},
{
"lessThan": "3098e5c8af0f4c8f7eebbb370798df8aa2e12ba5",
"status": "affected",
"version": "94f418a206648c9be6fd84d6681d6956b8f8b106",
"versionType": "git"
},
{
"lessThan": "61858cbce6ca4bef9ed116c689a4be9520841339",
"status": "affected",
"version": "94f418a206648c9be6fd84d6681d6956b8f8b106",
"versionType": "git"
},
{
"lessThan": "165c34fb6068ff153e3fc99a932a80a9d5755709",
"status": "affected",
"version": "94f418a206648c9be6fd84d6681d6956b8f8b106",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/nfc/llcp_commands.c",
"net/nfc/llcp_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.123",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.69",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.123",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.69",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.9",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: llcp: Fix memleak in nfc_llcp_send_ui_frame().\n\nsyzbot reported various memory leaks related to NFC, struct\nnfc_llcp_sock, sk_buff, nfc_dev, etc. [0]\n\nThe leading log hinted that nfc_llcp_send_ui_frame() failed\nto allocate skb due to sock_error(sk) being -ENXIO.\n\nENXIO is set by nfc_llcp_socket_release() when struct\nnfc_llcp_local is destroyed by local_cleanup().\n\nThe problem is that there is no synchronisation between\nnfc_llcp_send_ui_frame() and local_cleanup(), and skb\ncould be put into local-\u003etx_queue after it was purged in\nlocal_cleanup():\n\n CPU1 CPU2\n ---- ----\n nfc_llcp_send_ui_frame() local_cleanup()\n |- do { \u0027\n |- pdu = nfc_alloc_send_skb(..., \u0026err)\n | .\n | |- nfc_llcp_socket_release(local, false, ENXIO);\n | |- skb_queue_purge(\u0026local-\u003etx_queue); |\n | \u0027 |\n |- skb_queue_tail(\u0026local-\u003etx_queue, pdu); |\n ... |\n |- pdu = nfc_alloc_send_skb(..., \u0026err) |\n ^._________________________________.\u0027\n\nlocal_cleanup() is called for struct nfc_llcp_local only\nafter nfc_llcp_remove_local() unlinks it from llcp_devices.\n\nIf we hold local-\u003etx_queue.lock then, we can synchronise\nthe thread and nfc_llcp_send_ui_frame().\n\nLet\u0027s do that and check list_empty(\u0026local-\u003elist) before\nqueuing skb to local-\u003etx_queue in nfc_llcp_send_ui_frame().\n\n[0]:\n[ 56.074943][ T6096] llcp: nfc_llcp_send_ui_frame: Could not allocate PDU (error=-6)\n[ 64.318868][ T5813] kmemleak: 6 new suspected memory leaks (see /sys/kernel/debug/kmemleak)\nBUG: memory leak\nunreferenced object 0xffff8881272f6800 (size 1024):\n comm \"syz.0.17\", pid 6096, jiffies 4294942766\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 27 00 03 40 00 00 00 00 00 00 00 00 00 00 00 00 \u0027..@............\n backtrace (crc da58d84d):\n kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]\n slab_post_alloc_hook mm/slub.c:4979 [inline]\n slab_alloc_node mm/slub.c:5284 [inline]\n __do_kmalloc_node mm/slub.c:5645 [inline]\n __kmalloc_noprof+0x3e3/0x6b0 mm/slub.c:5658\n kmalloc_noprof include/linux/slab.h:961 [inline]\n sk_prot_alloc+0x11a/0x1b0 net/core/sock.c:2239\n sk_alloc+0x36/0x360 net/core/sock.c:2295\n nfc_llcp_sock_alloc+0x37/0x130 net/nfc/llcp_sock.c:979\n llcp_sock_create+0x71/0xd0 net/nfc/llcp_sock.c:1044\n nfc_sock_create+0xc9/0xf0 net/nfc/af_nfc.c:31\n __sock_create+0x1a9/0x340 net/socket.c:1605\n sock_create net/socket.c:1663 [inline]\n __sys_socket_create net/socket.c:1700 [inline]\n __sys_socket+0xb9/0x1a0 net/socket.c:1747\n __do_sys_socket net/socket.c:1761 [inline]\n __se_sys_socket net/socket.c:1759 [inline]\n __x64_sys_socket+0x1b/0x30 net/socket.c:1759\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nBUG: memory leak\nunreferenced object 0xffff88810fbd9800 (size 240):\n comm \"syz.0.17\", pid 6096, jiffies 4294942850\n hex dump (first 32 bytes):\n 68 f0 ff 08 81 88 ff ff 68 f0 ff 08 81 88 ff ff h.......h.......\n 00 00 00 00 00 00 00 00 00 68 2f 27 81 88 ff ff .........h/\u0027....\n backtrace (crc 6cc652b1):\n kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]\n slab_post_alloc_hook mm/slub.c:4979 [inline]\n slab_alloc_node mm/slub.c:5284 [inline]\n kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5336\n __alloc_skb+0x203/0x240 net/core/skbuff.c:660\n alloc_skb include/linux/skbuff.h:1383 [inline]\n alloc_skb_with_frags+0x69/0x3f0 net/core/sk\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T16:01:18.968Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ab660cb8e17aa93426d1e821c2cce60e4b9bc56a"
},
{
"url": "https://git.kernel.org/stable/c/65e976e1f474ae3bf5681d7abafb8f3fdb34b8cc"
},
{
"url": "https://git.kernel.org/stable/c/6734ff1ac6beba1d0c22dc9a3dc1849b773b511f"
},
{
"url": "https://git.kernel.org/stable/c/f8d002626d434f5fea9085e2557711c16a15cec6"
},
{
"url": "https://git.kernel.org/stable/c/3098e5c8af0f4c8f7eebbb370798df8aa2e12ba5"
},
{
"url": "https://git.kernel.org/stable/c/61858cbce6ca4bef9ed116c689a4be9520841339"
},
{
"url": "https://git.kernel.org/stable/c/165c34fb6068ff153e3fc99a932a80a9d5755709"
}
],
"title": "nfc: llcp: Fix memleak in nfc_llcp_send_ui_frame().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23150",
"datePublished": "2026-02-14T16:01:18.968Z",
"dateReserved": "2026-01-13T15:37:45.976Z",
"dateUpdated": "2026-02-14T16:01:18.968Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40154 (GCVE-0-2025-40154)
Vulnerability from cvelistv5
Published
2025-11-12 10:23
Modified
2025-12-01 06:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping
When an invalid value is passed via quirk option, currently
bytcr_rt5640 driver only shows an error message but leaves as is.
This may lead to unepxected results like OOB access.
This patch corrects the input mapping to the certain default value if
an invalid value is passed.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 063422ca2a9de238401c3848c1b3641c07b6316c Version: 063422ca2a9de238401c3848c1b3641c07b6316c Version: 063422ca2a9de238401c3848c1b3641c07b6316c Version: 063422ca2a9de238401c3848c1b3641c07b6316c Version: 063422ca2a9de238401c3848c1b3641c07b6316c Version: 063422ca2a9de238401c3848c1b3641c07b6316c Version: 063422ca2a9de238401c3848c1b3641c07b6316c Version: 063422ca2a9de238401c3848c1b3641c07b6316c |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/intel/boards/bytcr_rt5640.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2c27e047bdcba457ec953f7e90e4ed6d5f8aeb01",
"status": "affected",
"version": "063422ca2a9de238401c3848c1b3641c07b6316c",
"versionType": "git"
},
{
"lessThan": "a97b4d18ecb012c5624cdf2cab2ce5e1312fdd5d",
"status": "affected",
"version": "063422ca2a9de238401c3848c1b3641c07b6316c",
"versionType": "git"
},
{
"lessThan": "dea9c8c9028c9374761224a7f9d824e845a2aa2e",
"status": "affected",
"version": "063422ca2a9de238401c3848c1b3641c07b6316c",
"versionType": "git"
},
{
"lessThan": "f58fca15f3bf8b982e799c31e4afa8923788aa40",
"status": "affected",
"version": "063422ca2a9de238401c3848c1b3641c07b6316c",
"versionType": "git"
},
{
"lessThan": "29a41bf6422688f0c5a09b18222e1a64b2629fa4",
"status": "affected",
"version": "063422ca2a9de238401c3848c1b3641c07b6316c",
"versionType": "git"
},
{
"lessThan": "5c03ea2ef4ebba75c69c90929d8590eb3d3797a9",
"status": "affected",
"version": "063422ca2a9de238401c3848c1b3641c07b6316c",
"versionType": "git"
},
{
"lessThan": "48880f3cdf2b6d8dcd91219c5b5c8a7526411322",
"status": "affected",
"version": "063422ca2a9de238401c3848c1b3641c07b6316c",
"versionType": "git"
},
{
"lessThan": "fba404e4b4af4f4f747bb0e41e9fff7d03c7bcc0",
"status": "affected",
"version": "063422ca2a9de238401c3848c1b3641c07b6316c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/intel/boards/bytcr_rt5640.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"lessThan": "4.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping\n\nWhen an invalid value is passed via quirk option, currently\nbytcr_rt5640 driver only shows an error message but leaves as is.\nThis may lead to unepxected results like OOB access.\n\nThis patch corrects the input mapping to the certain default value if\nan invalid value is passed."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:19:04.590Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2c27e047bdcba457ec953f7e90e4ed6d5f8aeb01"
},
{
"url": "https://git.kernel.org/stable/c/a97b4d18ecb012c5624cdf2cab2ce5e1312fdd5d"
},
{
"url": "https://git.kernel.org/stable/c/dea9c8c9028c9374761224a7f9d824e845a2aa2e"
},
{
"url": "https://git.kernel.org/stable/c/f58fca15f3bf8b982e799c31e4afa8923788aa40"
},
{
"url": "https://git.kernel.org/stable/c/29a41bf6422688f0c5a09b18222e1a64b2629fa4"
},
{
"url": "https://git.kernel.org/stable/c/5c03ea2ef4ebba75c69c90929d8590eb3d3797a9"
},
{
"url": "https://git.kernel.org/stable/c/48880f3cdf2b6d8dcd91219c5b5c8a7526411322"
},
{
"url": "https://git.kernel.org/stable/c/fba404e4b4af4f4f747bb0e41e9fff7d03c7bcc0"
}
],
"title": "ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40154",
"datePublished": "2025-11-12T10:23:28.470Z",
"dateReserved": "2025-04-16T07:20:57.176Z",
"dateUpdated": "2025-12-01T06:19:04.590Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23108 (GCVE-0-2026-23108)
Vulnerability from cvelistv5
Published
2026-02-04 16:08
Modified
2026-02-09 08:38
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: usb_8dev: usb_8dev_read_bulk_callback(): fix URB memory leak
Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb:
gs_usb_receive_bulk_callback(): fix URB memory leak").
In usb_8dev_open() -> usb_8dev_start(), the URBs for USB-in transfers are
allocated, added to the priv->rx_submitted anchor and submitted. In the
complete callback usb_8dev_read_bulk_callback(), the URBs are processed and
resubmitted. In usb_8dev_close() -> unlink_all_urbs() the URBs are freed by
calling usb_kill_anchored_urbs(&priv->rx_submitted).
However, this does not take into account that the USB framework unanchors
the URB before the complete function is called. This means that once an
in-URB has been completed, it is no longer anchored and is ultimately not
released in usb_kill_anchored_urbs().
Fix the memory leak by anchoring the URB in the
usb_8dev_read_bulk_callback() to the priv->rx_submitted anchor.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 0024d8ad1639e32d717445c69ca813fd19c2a91c Version: 0024d8ad1639e32d717445c69ca813fd19c2a91c Version: 0024d8ad1639e32d717445c69ca813fd19c2a91c Version: 0024d8ad1639e32d717445c69ca813fd19c2a91c Version: 0024d8ad1639e32d717445c69ca813fd19c2a91c Version: 0024d8ad1639e32d717445c69ca813fd19c2a91c Version: 0024d8ad1639e32d717445c69ca813fd19c2a91c |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/usb_8dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "feb8243eaea7efd5279b19667d7189fd8654c87a",
"status": "affected",
"version": "0024d8ad1639e32d717445c69ca813fd19c2a91c",
"versionType": "git"
},
{
"lessThan": "ef6e608e5ee71eca0cd3475c737e684cef24f240",
"status": "affected",
"version": "0024d8ad1639e32d717445c69ca813fd19c2a91c",
"versionType": "git"
},
{
"lessThan": "60719661b4cbd7ffbed1a0e0fa3bbc82d8bd2be9",
"status": "affected",
"version": "0024d8ad1639e32d717445c69ca813fd19c2a91c",
"versionType": "git"
},
{
"lessThan": "59ff56992bba28051ad67cd8cc7b0edfe7280796",
"status": "affected",
"version": "0024d8ad1639e32d717445c69ca813fd19c2a91c",
"versionType": "git"
},
{
"lessThan": "ea4a98e924164586066b39f29bfcc7cc9da108cd",
"status": "affected",
"version": "0024d8ad1639e32d717445c69ca813fd19c2a91c",
"versionType": "git"
},
{
"lessThan": "07e9373739c6388af9d99797cdb2e79dbbcbe92b",
"status": "affected",
"version": "0024d8ad1639e32d717445c69ca813fd19c2a91c",
"versionType": "git"
},
{
"lessThan": "f7a980b3b8f80fe367f679da376cf76e800f9480",
"status": "affected",
"version": "0024d8ad1639e32d717445c69ca813fd19c2a91c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/usb_8dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.9"
},
{
"lessThan": "3.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: usb_8dev: usb_8dev_read_bulk_callback(): fix URB memory leak\n\nFix similar memory leak as in commit 7352e1d5932a (\"can: gs_usb:\ngs_usb_receive_bulk_callback(): fix URB memory leak\").\n\nIn usb_8dev_open() -\u003e usb_8dev_start(), the URBs for USB-in transfers are\nallocated, added to the priv-\u003erx_submitted anchor and submitted. In the\ncomplete callback usb_8dev_read_bulk_callback(), the URBs are processed and\nresubmitted. In usb_8dev_close() -\u003e unlink_all_urbs() the URBs are freed by\ncalling usb_kill_anchored_urbs(\u0026priv-\u003erx_submitted).\n\nHowever, this does not take into account that the USB framework unanchors\nthe URB before the complete function is called. This means that once an\nin-URB has been completed, it is no longer anchored and is ultimately not\nreleased in usb_kill_anchored_urbs().\n\nFix the memory leak by anchoring the URB in the\nusb_8dev_read_bulk_callback() to the priv-\u003erx_submitted anchor."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:38:49.458Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/feb8243eaea7efd5279b19667d7189fd8654c87a"
},
{
"url": "https://git.kernel.org/stable/c/ef6e608e5ee71eca0cd3475c737e684cef24f240"
},
{
"url": "https://git.kernel.org/stable/c/60719661b4cbd7ffbed1a0e0fa3bbc82d8bd2be9"
},
{
"url": "https://git.kernel.org/stable/c/59ff56992bba28051ad67cd8cc7b0edfe7280796"
},
{
"url": "https://git.kernel.org/stable/c/ea4a98e924164586066b39f29bfcc7cc9da108cd"
},
{
"url": "https://git.kernel.org/stable/c/07e9373739c6388af9d99797cdb2e79dbbcbe92b"
},
{
"url": "https://git.kernel.org/stable/c/f7a980b3b8f80fe367f679da376cf76e800f9480"
}
],
"title": "can: usb_8dev: usb_8dev_read_bulk_callback(): fix URB memory leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23108",
"datePublished": "2026-02-04T16:08:28.650Z",
"dateReserved": "2026-01-13T15:37:45.967Z",
"dateUpdated": "2026-02-09T08:38:49.458Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22997 (GCVE-0-2026-22997)
Vulnerability from cvelistv5
Published
2026-01-25 14:36
Modified
2026-02-09 08:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: can: j1939: j1939_xtp_rx_rts_session_active(): deactivate session upon receiving the second rts
Since j1939_session_deactivate_activate_next() in j1939_tp_rxtimer() is
called only when the timer is enabled, we need to call
j1939_session_deactivate_activate_next() if we cancelled the timer.
Otherwise, refcount for j1939_session leaks, which will later appear as
| unregister_netdevice: waiting for vcan0 to become free. Usage count = 2.
problem.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 9d71dd0c70099914fcd063135da3c580865e924c Version: 9d71dd0c70099914fcd063135da3c580865e924c Version: 9d71dd0c70099914fcd063135da3c580865e924c Version: 9d71dd0c70099914fcd063135da3c580865e924c Version: 9d71dd0c70099914fcd063135da3c580865e924c Version: 9d71dd0c70099914fcd063135da3c580865e924c Version: 9d71dd0c70099914fcd063135da3c580865e924c |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/can/j1939/transport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a73e7d7e346dae1c22dc3e95b02ca464b12daf2c",
"status": "affected",
"version": "9d71dd0c70099914fcd063135da3c580865e924c",
"versionType": "git"
},
{
"lessThan": "adabf01c19561e42899da9de56a6a1da0e6b8a5b",
"status": "affected",
"version": "9d71dd0c70099914fcd063135da3c580865e924c",
"versionType": "git"
},
{
"lessThan": "b1d67607e97d489c0cfbbf55f48a76b00710b0e4",
"status": "affected",
"version": "9d71dd0c70099914fcd063135da3c580865e924c",
"versionType": "git"
},
{
"lessThan": "809a437e27a3bf3c1c6c8c157773635552116f2b",
"status": "affected",
"version": "9d71dd0c70099914fcd063135da3c580865e924c",
"versionType": "git"
},
{
"lessThan": "cb2a610867bc379988bae0bb4b8bbc59c0decf1a",
"status": "affected",
"version": "9d71dd0c70099914fcd063135da3c580865e924c",
"versionType": "git"
},
{
"lessThan": "6121b7564c725b632ffe4764abe85aa239d37703",
"status": "affected",
"version": "9d71dd0c70099914fcd063135da3c580865e924c",
"versionType": "git"
},
{
"lessThan": "1809c82aa073a11b7d335ae932d81ce51a588a4a",
"status": "affected",
"version": "9d71dd0c70099914fcd063135da3c580865e924c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/can/j1939/transport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: can: j1939: j1939_xtp_rx_rts_session_active(): deactivate session upon receiving the second rts\n\nSince j1939_session_deactivate_activate_next() in j1939_tp_rxtimer() is\ncalled only when the timer is enabled, we need to call\nj1939_session_deactivate_activate_next() if we cancelled the timer.\nOtherwise, refcount for j1939_session leaks, which will later appear as\n\n| unregister_netdevice: waiting for vcan0 to become free. Usage count = 2.\n\nproblem."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:48.983Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a73e7d7e346dae1c22dc3e95b02ca464b12daf2c"
},
{
"url": "https://git.kernel.org/stable/c/adabf01c19561e42899da9de56a6a1da0e6b8a5b"
},
{
"url": "https://git.kernel.org/stable/c/b1d67607e97d489c0cfbbf55f48a76b00710b0e4"
},
{
"url": "https://git.kernel.org/stable/c/809a437e27a3bf3c1c6c8c157773635552116f2b"
},
{
"url": "https://git.kernel.org/stable/c/cb2a610867bc379988bae0bb4b8bbc59c0decf1a"
},
{
"url": "https://git.kernel.org/stable/c/6121b7564c725b632ffe4764abe85aa239d37703"
},
{
"url": "https://git.kernel.org/stable/c/1809c82aa073a11b7d335ae932d81ce51a588a4a"
}
],
"title": "net: can: j1939: j1939_xtp_rx_rts_session_active(): deactivate session upon receiving the second rts",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-22997",
"datePublished": "2026-01-25T14:36:12.053Z",
"dateReserved": "2026-01-13T15:37:45.938Z",
"dateUpdated": "2026-02-09T08:36:48.983Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23207 (GCVE-0-2026-23207)
Vulnerability from cvelistv5
Published
2026-02-14 16:27
Modified
2026-04-02 11:30
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
spi: tegra210-quad: Protect curr_xfer check in IRQ handler
Now that all other accesses to curr_xfer are done under the lock,
protect the curr_xfer NULL check in tegra_qspi_isr_thread() with the
spinlock. Without this protection, the following race can occur:
CPU0 (ISR thread) CPU1 (timeout path)
---------------- -------------------
if (!tqspi->curr_xfer)
// sees non-NULL
spin_lock()
tqspi->curr_xfer = NULL
spin_unlock()
handle_*_xfer()
spin_lock()
t = tqspi->curr_xfer // NULL!
... t->len ... // NULL dereference!
With this patch, all curr_xfer accesses are now properly synchronized.
Although all accesses to curr_xfer are done under the lock, in
tegra_qspi_isr_thread() it checks for NULL, releases the lock and
reacquires it later in handle_cpu_based_xfer()/handle_dma_based_xfer().
There is a potential for an update in between, which could cause a NULL
pointer dereference.
To handle this, add a NULL check inside the handlers after acquiring
the lock. This ensures that if the timeout path has already cleared
curr_xfer, the handler will safely return without dereferencing the
NULL pointer.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 551060efb156c50fe33799038ba8145418cfdeef Version: 01bbf25c767219b14c3235bfa85906b8d2cb8fbc Version: b4e002d8a7cee3b1d70efad0e222567f92a73000 Version: 88db8bb7ed1bb474618acdf05ebd4f0758d244e2 Version: 83309dd551cfd60a5a1a98d9cab19f435b44d46d Version: c934e40246da2c5726d14e94719c514e30840df8 Version: bb0c58be84f907285af45657c1d4847b960a12bf |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-tegra210-quad.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "84e926c1c272a35ddb9b86842d32fa833a60dfc7",
"status": "affected",
"version": "551060efb156c50fe33799038ba8145418cfdeef",
"versionType": "git"
},
{
"lessThan": "2ac3a105e51496147c0e44e49466eecfcc532d57",
"status": "affected",
"version": "01bbf25c767219b14c3235bfa85906b8d2cb8fbc",
"versionType": "git"
},
{
"lessThan": "edf9088b6e1d6d88982db7eb5e736a0e4fbcc09e",
"status": "affected",
"version": "b4e002d8a7cee3b1d70efad0e222567f92a73000",
"versionType": "git"
},
{
"status": "affected",
"version": "88db8bb7ed1bb474618acdf05ebd4f0758d244e2",
"versionType": "git"
},
{
"status": "affected",
"version": "83309dd551cfd60a5a1a98d9cab19f435b44d46d",
"versionType": "git"
},
{
"status": "affected",
"version": "c934e40246da2c5726d14e94719c514e30840df8",
"versionType": "git"
},
{
"status": "affected",
"version": "bb0c58be84f907285af45657c1d4847b960a12bf",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-tegra210-quad.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6.12.80",
"status": "affected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThan": "6.18.10",
"status": "affected",
"version": "6.18.2",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "6.12.63",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "6.18.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.198",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.1.160",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.6.120",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.17.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: tegra210-quad: Protect curr_xfer check in IRQ handler\n\nNow that all other accesses to curr_xfer are done under the lock,\nprotect the curr_xfer NULL check in tegra_qspi_isr_thread() with the\nspinlock. Without this protection, the following race can occur:\n\n CPU0 (ISR thread) CPU1 (timeout path)\n ---------------- -------------------\n if (!tqspi-\u003ecurr_xfer)\n // sees non-NULL\n spin_lock()\n tqspi-\u003ecurr_xfer = NULL\n spin_unlock()\n handle_*_xfer()\n spin_lock()\n t = tqspi-\u003ecurr_xfer // NULL!\n ... t-\u003elen ... // NULL dereference!\n\nWith this patch, all curr_xfer accesses are now properly synchronized.\n\nAlthough all accesses to curr_xfer are done under the lock, in\ntegra_qspi_isr_thread() it checks for NULL, releases the lock and\nreacquires it later in handle_cpu_based_xfer()/handle_dma_based_xfer().\nThere is a potential for an update in between, which could cause a NULL\npointer dereference.\n\nTo handle this, add a NULL check inside the handlers after acquiring\nthe lock. This ensures that if the timeout path has already cleared\ncurr_xfer, the handler will safely return without dereferencing the\nNULL pointer."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T11:30:51.428Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/84e926c1c272a35ddb9b86842d32fa833a60dfc7"
},
{
"url": "https://git.kernel.org/stable/c/2ac3a105e51496147c0e44e49466eecfcc532d57"
},
{
"url": "https://git.kernel.org/stable/c/edf9088b6e1d6d88982db7eb5e736a0e4fbcc09e"
}
],
"title": "spi: tegra210-quad: Protect curr_xfer check in IRQ handler",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23207",
"datePublished": "2026-02-14T16:27:29.762Z",
"dateReserved": "2026-01-13T15:37:45.986Z",
"dateUpdated": "2026-04-02T11:30:51.428Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68744 (GCVE-0-2025-68744)
Vulnerability from cvelistv5
Published
2025-12-24 12:09
Modified
2026-02-09 08:32
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Free special fields when update [lru_,]percpu_hash maps
As [lru_,]percpu_hash maps support BPF_KPTR_{REF,PERCPU}, missing
calls to 'bpf_obj_free_fields()' in 'pcpu_copy_value()' could cause the
memory referenced by BPF_KPTR_{REF,PERCPU} fields to be held until the
map gets freed.
Fix this by calling 'bpf_obj_free_fields()' after
'copy_map_value[,_long]()' in 'pcpu_copy_value()'.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/hashtab.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "994d6303ed0b84cbc795bb5becf7ed6de40d3f3c",
"status": "affected",
"version": "65334e64a493c6a0976de7ad56bf8b7a9ff04b4a",
"versionType": "git"
},
{
"lessThan": "3bf1378747e251571e0de15e7e0a6bf2919044e7",
"status": "affected",
"version": "65334e64a493c6a0976de7ad56bf8b7a9ff04b4a",
"versionType": "git"
},
{
"lessThan": "96a5cb7072cabbac5c66ac9318242c3bdceebb68",
"status": "affected",
"version": "65334e64a493c6a0976de7ad56bf8b7a9ff04b4a",
"versionType": "git"
},
{
"lessThan": "4a03d69cece145e4fb527464be29c3806aa3221e",
"status": "affected",
"version": "65334e64a493c6a0976de7ad56bf8b7a9ff04b4a",
"versionType": "git"
},
{
"lessThan": "6af6e49a76c9af7d42eb923703e7648cb2bf401a",
"status": "affected",
"version": "65334e64a493c6a0976de7ad56bf8b7a9ff04b4a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/hashtab.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Free special fields when update [lru_,]percpu_hash maps\n\nAs [lru_,]percpu_hash maps support BPF_KPTR_{REF,PERCPU}, missing\ncalls to \u0027bpf_obj_free_fields()\u0027 in \u0027pcpu_copy_value()\u0027 could cause the\nmemory referenced by BPF_KPTR_{REF,PERCPU} fields to be held until the\nmap gets freed.\n\nFix this by calling \u0027bpf_obj_free_fields()\u0027 after\n\u0027copy_map_value[,_long]()\u0027 in \u0027pcpu_copy_value()\u0027."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:32:48.466Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/994d6303ed0b84cbc795bb5becf7ed6de40d3f3c"
},
{
"url": "https://git.kernel.org/stable/c/3bf1378747e251571e0de15e7e0a6bf2919044e7"
},
{
"url": "https://git.kernel.org/stable/c/96a5cb7072cabbac5c66ac9318242c3bdceebb68"
},
{
"url": "https://git.kernel.org/stable/c/4a03d69cece145e4fb527464be29c3806aa3221e"
},
{
"url": "https://git.kernel.org/stable/c/6af6e49a76c9af7d42eb923703e7648cb2bf401a"
}
],
"title": "bpf: Free special fields when update [lru_,]percpu_hash maps",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68744",
"datePublished": "2025-12-24T12:09:40.839Z",
"dateReserved": "2025-12-24T10:30:51.031Z",
"dateUpdated": "2026-02-09T08:32:48.466Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68264 (GCVE-0-2025-68264)
Vulnerability from cvelistv5
Published
2025-12-16 14:45
Modified
2026-02-09 08:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: refresh inline data size before write operations
The cached ei->i_inline_size can become stale between the initial size
check and when ext4_update_inline_data()/ext4_create_inline_data() use
it. Although ext4_get_max_inline_size() reads the correct value at the
time of the check, concurrent xattr operations can modify i_inline_size
before ext4_write_lock_xattr() is acquired.
This causes ext4_update_inline_data() and ext4_create_inline_data() to
work with stale capacity values, leading to a BUG_ON() crash in
ext4_write_inline_data():
kernel BUG at fs/ext4/inline.c:1331!
BUG_ON(pos + len > EXT4_I(inode)->i_inline_size);
The race window:
1. ext4_get_max_inline_size() reads i_inline_size = 60 (correct)
2. Size check passes for 50-byte write
3. [Another thread adds xattr, i_inline_size changes to 40]
4. ext4_write_lock_xattr() acquires lock
5. ext4_update_inline_data() uses stale i_inline_size = 60
6. Attempts to write 50 bytes but only 40 bytes actually available
7. BUG_ON() triggers
Fix this by recalculating i_inline_size via ext4_find_inline_data_nolock()
immediately after acquiring xattr_sem. This ensures ext4_update_inline_data()
and ext4_create_inline_data() work with current values that are protected
from concurrent modifications.
This is similar to commit a54c4613dac1 ("ext4: fix race writing to an
inline_data file while its xattrs are changing") which fixed i_inline_off
staleness. This patch addresses the related i_inline_size staleness issue.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 67cf5b09a46f72e048501b84996f2f77bc42e947 Version: 67cf5b09a46f72e048501b84996f2f77bc42e947 Version: 67cf5b09a46f72e048501b84996f2f77bc42e947 Version: 67cf5b09a46f72e048501b84996f2f77bc42e947 Version: 67cf5b09a46f72e048501b84996f2f77bc42e947 Version: 67cf5b09a46f72e048501b84996f2f77bc42e947 Version: 67cf5b09a46f72e048501b84996f2f77bc42e947 Version: 67cf5b09a46f72e048501b84996f2f77bc42e947 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/inline.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "54ab81ae5f218452e64470cd8a8139bb5880fe2b",
"status": "affected",
"version": "67cf5b09a46f72e048501b84996f2f77bc42e947",
"versionType": "git"
},
{
"lessThan": "43bf001f0fe4e59bba47c897505222f959f4a1cc",
"status": "affected",
"version": "67cf5b09a46f72e048501b84996f2f77bc42e947",
"versionType": "git"
},
{
"lessThan": "89c2c41f0974e530b2d032c3695095aa0559adb1",
"status": "affected",
"version": "67cf5b09a46f72e048501b84996f2f77bc42e947",
"versionType": "git"
},
{
"lessThan": "1687a055a555347b002f406676a1aaae4668f242",
"status": "affected",
"version": "67cf5b09a46f72e048501b84996f2f77bc42e947",
"versionType": "git"
},
{
"lessThan": "210ac60a86a3ad2c76ae60e0dc71c34af6e7ea0b",
"status": "affected",
"version": "67cf5b09a46f72e048501b84996f2f77bc42e947",
"versionType": "git"
},
{
"lessThan": "ca43ea29b4c4d2764aec8a26cffcfb677a871e6e",
"status": "affected",
"version": "67cf5b09a46f72e048501b84996f2f77bc42e947",
"versionType": "git"
},
{
"lessThan": "58df743faf21ceb1880f930aa5dd428e2a5e415d",
"status": "affected",
"version": "67cf5b09a46f72e048501b84996f2f77bc42e947",
"versionType": "git"
},
{
"lessThan": "892e1cf17555735e9d021ab036c36bc7b58b0e3b",
"status": "affected",
"version": "67cf5b09a46f72e048501b84996f2f77bc42e947",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/inline.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.62",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.62",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.12",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.1",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: refresh inline data size before write operations\n\nThe cached ei-\u003ei_inline_size can become stale between the initial size\ncheck and when ext4_update_inline_data()/ext4_create_inline_data() use\nit. Although ext4_get_max_inline_size() reads the correct value at the\ntime of the check, concurrent xattr operations can modify i_inline_size\nbefore ext4_write_lock_xattr() is acquired.\n\nThis causes ext4_update_inline_data() and ext4_create_inline_data() to\nwork with stale capacity values, leading to a BUG_ON() crash in\next4_write_inline_data():\n\n kernel BUG at fs/ext4/inline.c:1331!\n BUG_ON(pos + len \u003e EXT4_I(inode)-\u003ei_inline_size);\n\nThe race window:\n1. ext4_get_max_inline_size() reads i_inline_size = 60 (correct)\n2. Size check passes for 50-byte write\n3. [Another thread adds xattr, i_inline_size changes to 40]\n4. ext4_write_lock_xattr() acquires lock\n5. ext4_update_inline_data() uses stale i_inline_size = 60\n6. Attempts to write 50 bytes but only 40 bytes actually available\n7. BUG_ON() triggers\n\nFix this by recalculating i_inline_size via ext4_find_inline_data_nolock()\nimmediately after acquiring xattr_sem. This ensures ext4_update_inline_data()\nand ext4_create_inline_data() work with current values that are protected\nfrom concurrent modifications.\n\nThis is similar to commit a54c4613dac1 (\"ext4: fix race writing to an\ninline_data file while its xattrs are changing\") which fixed i_inline_off\nstaleness. This patch addresses the related i_inline_size staleness issue."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:31:23.589Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/54ab81ae5f218452e64470cd8a8139bb5880fe2b"
},
{
"url": "https://git.kernel.org/stable/c/43bf001f0fe4e59bba47c897505222f959f4a1cc"
},
{
"url": "https://git.kernel.org/stable/c/89c2c41f0974e530b2d032c3695095aa0559adb1"
},
{
"url": "https://git.kernel.org/stable/c/1687a055a555347b002f406676a1aaae4668f242"
},
{
"url": "https://git.kernel.org/stable/c/210ac60a86a3ad2c76ae60e0dc71c34af6e7ea0b"
},
{
"url": "https://git.kernel.org/stable/c/ca43ea29b4c4d2764aec8a26cffcfb677a871e6e"
},
{
"url": "https://git.kernel.org/stable/c/58df743faf21ceb1880f930aa5dd428e2a5e415d"
},
{
"url": "https://git.kernel.org/stable/c/892e1cf17555735e9d021ab036c36bc7b58b0e3b"
}
],
"title": "ext4: refresh inline data size before write operations",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68264",
"datePublished": "2025-12-16T14:45:06.268Z",
"dateReserved": "2025-12-16T13:41:40.267Z",
"dateUpdated": "2026-02-09T08:31:23.589Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68335 (GCVE-0-2025-68335)
Vulnerability from cvelistv5
Published
2025-12-22 16:14
Modified
2026-02-09 08:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
comedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel()
Syzbot identified an issue [1] in pcl818_ai_cancel(), which stems from
the fact that in case of early device detach via pcl818_detach(),
subdevice dev->read_subdev may not have initialized its pointer to
&struct comedi_async as intended. Thus, any such dereferencing of
&s->async->cmd will lead to general protection fault and kernel crash.
Mitigate this problem by removing a call to pcl818_ai_cancel() from
pcl818_detach() altogether. This way, if the subdevice setups its
support for async commands, everything async-related will be
handled via subdevice's own ->cancel() function in
comedi_device_detach_locked() even before pcl818_detach(). If no
support for asynchronous commands is provided, there is no need
to cancel anything either.
[1] Syzbot crash:
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
CPU: 1 UID: 0 PID: 6050 Comm: syz.0.18 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
RIP: 0010:pcl818_ai_cancel+0x69/0x3f0 drivers/comedi/drivers/pcl818.c:762
...
Call Trace:
<TASK>
pcl818_detach+0x66/0xd0 drivers/comedi/drivers/pcl818.c:1115
comedi_device_detach_locked+0x178/0x750 drivers/comedi/drivers.c:207
do_devconfig_ioctl drivers/comedi/comedi_fops.c:848 [inline]
comedi_unlocked_ioctl+0xcde/0x1020 drivers/comedi/comedi_fops.c:2178
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
...
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 00aba6e7b5653a6607238ecdab7172318059d984 Version: 00aba6e7b5653a6607238ecdab7172318059d984 Version: 00aba6e7b5653a6607238ecdab7172318059d984 Version: 00aba6e7b5653a6607238ecdab7172318059d984 Version: 00aba6e7b5653a6607238ecdab7172318059d984 Version: 00aba6e7b5653a6607238ecdab7172318059d984 Version: 00aba6e7b5653a6607238ecdab7172318059d984 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/comedi/drivers/pcl818.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b2a5b172dc05be6c4f2c5542c1bbc6b14d60ff16",
"status": "affected",
"version": "00aba6e7b5653a6607238ecdab7172318059d984",
"versionType": "git"
},
{
"lessThan": "935ad4b3c325c24fff2c702da403283025ffc722",
"status": "affected",
"version": "00aba6e7b5653a6607238ecdab7172318059d984",
"versionType": "git"
},
{
"lessThan": "88d99ca5adbd01ff088f5fb2ddeba5755e085e52",
"status": "affected",
"version": "00aba6e7b5653a6607238ecdab7172318059d984",
"versionType": "git"
},
{
"lessThan": "5caa40e7c6a43e08e3574f990865127705c22861",
"status": "affected",
"version": "00aba6e7b5653a6607238ecdab7172318059d984",
"versionType": "git"
},
{
"lessThan": "d948c53dec36dafe182631457597c49c1f1df5ea",
"status": "affected",
"version": "00aba6e7b5653a6607238ecdab7172318059d984",
"versionType": "git"
},
{
"lessThan": "877adccfacb32687b90714a27cfb09f444fdfa16",
"status": "affected",
"version": "00aba6e7b5653a6607238ecdab7172318059d984",
"versionType": "git"
},
{
"lessThan": "a51f025b5038abd3d22eed2ede4cd46793d89565",
"status": "affected",
"version": "00aba6e7b5653a6607238ecdab7172318059d984",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/comedi/drivers/pcl818.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.15"
},
{
"lessThan": "3.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.62",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.62",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.12",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.1",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel()\n\nSyzbot identified an issue [1] in pcl818_ai_cancel(), which stems from\nthe fact that in case of early device detach via pcl818_detach(),\nsubdevice dev-\u003eread_subdev may not have initialized its pointer to\n\u0026struct comedi_async as intended. Thus, any such dereferencing of\n\u0026s-\u003easync-\u003ecmd will lead to general protection fault and kernel crash.\n\nMitigate this problem by removing a call to pcl818_ai_cancel() from\npcl818_detach() altogether. This way, if the subdevice setups its\nsupport for async commands, everything async-related will be\nhandled via subdevice\u0027s own -\u003ecancel() function in\ncomedi_device_detach_locked() even before pcl818_detach(). If no\nsupport for asynchronous commands is provided, there is no need\nto cancel anything either.\n\n[1] Syzbot crash:\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]\nCPU: 1 UID: 0 PID: 6050 Comm: syz.0.18 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025\nRIP: 0010:pcl818_ai_cancel+0x69/0x3f0 drivers/comedi/drivers/pcl818.c:762\n...\nCall Trace:\n \u003cTASK\u003e\n pcl818_detach+0x66/0xd0 drivers/comedi/drivers/pcl818.c:1115\n comedi_device_detach_locked+0x178/0x750 drivers/comedi/drivers.c:207\n do_devconfig_ioctl drivers/comedi/comedi_fops.c:848 [inline]\n comedi_unlocked_ioctl+0xcde/0x1020 drivers/comedi/comedi_fops.c:2178\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:597 [inline]\n..."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:31:29.256Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b2a5b172dc05be6c4f2c5542c1bbc6b14d60ff16"
},
{
"url": "https://git.kernel.org/stable/c/935ad4b3c325c24fff2c702da403283025ffc722"
},
{
"url": "https://git.kernel.org/stable/c/88d99ca5adbd01ff088f5fb2ddeba5755e085e52"
},
{
"url": "https://git.kernel.org/stable/c/5caa40e7c6a43e08e3574f990865127705c22861"
},
{
"url": "https://git.kernel.org/stable/c/d948c53dec36dafe182631457597c49c1f1df5ea"
},
{
"url": "https://git.kernel.org/stable/c/877adccfacb32687b90714a27cfb09f444fdfa16"
},
{
"url": "https://git.kernel.org/stable/c/a51f025b5038abd3d22eed2ede4cd46793d89565"
}
],
"title": "comedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68335",
"datePublished": "2025-12-22T16:14:12.614Z",
"dateReserved": "2025-12-16T14:48:05.297Z",
"dateUpdated": "2026-02-09T08:31:29.256Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71194 (GCVE-0-2025-71194)
Vulnerability from cvelistv5
Published
2026-02-04 16:04
Modified
2026-02-09 08:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix deadlock in wait_current_trans() due to ignored transaction type
When wait_current_trans() is called during start_transaction(), it
currently waits for a blocked transaction without considering whether
the given transaction type actually needs to wait for that particular
transaction state. The btrfs_blocked_trans_types[] array already defines
which transaction types should wait for which transaction states, but
this check was missing in wait_current_trans().
This can lead to a deadlock scenario involving two transactions and
pending ordered extents:
1. Transaction A is in TRANS_STATE_COMMIT_DOING state
2. A worker processing an ordered extent calls start_transaction()
with TRANS_JOIN
3. join_transaction() returns -EBUSY because Transaction A is in
TRANS_STATE_COMMIT_DOING
4. Transaction A moves to TRANS_STATE_UNBLOCKED and completes
5. A new Transaction B is created (TRANS_STATE_RUNNING)
6. The ordered extent from step 2 is added to Transaction B's
pending ordered extents
7. Transaction B immediately starts commit by another task and
enters TRANS_STATE_COMMIT_START
8. The worker finally reaches wait_current_trans(), sees Transaction B
in TRANS_STATE_COMMIT_START (a blocked state), and waits
unconditionally
9. However, TRANS_JOIN should NOT wait for TRANS_STATE_COMMIT_START
according to btrfs_blocked_trans_types[]
10. Transaction B is waiting for pending ordered extents to complete
11. Deadlock: Transaction B waits for ordered extent, ordered extent
waits for Transaction B
This can be illustrated by the following call stacks:
CPU0 CPU1
btrfs_finish_ordered_io()
start_transaction(TRANS_JOIN)
join_transaction()
# -EBUSY (Transaction A is
# TRANS_STATE_COMMIT_DOING)
# Transaction A completes
# Transaction B created
# ordered extent added to
# Transaction B's pending list
btrfs_commit_transaction()
# Transaction B enters
# TRANS_STATE_COMMIT_START
# waiting for pending ordered
# extents
wait_current_trans()
# waits for Transaction B
# (should not wait!)
Task bstore_kv_sync in btrfs_commit_transaction waiting for ordered
extents:
__schedule+0x2e7/0x8a0
schedule+0x64/0xe0
btrfs_commit_transaction+0xbf7/0xda0 [btrfs]
btrfs_sync_file+0x342/0x4d0 [btrfs]
__x64_sys_fdatasync+0x4b/0x80
do_syscall_64+0x33/0x40
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Task kworker in wait_current_trans waiting for transaction commit:
Workqueue: btrfs-syno_nocow btrfs_work_helper [btrfs]
__schedule+0x2e7/0x8a0
schedule+0x64/0xe0
wait_current_trans+0xb0/0x110 [btrfs]
start_transaction+0x346/0x5b0 [btrfs]
btrfs_finish_ordered_io.isra.0+0x49b/0x9c0 [btrfs]
btrfs_work_helper+0xe8/0x350 [btrfs]
process_one_work+0x1d3/0x3c0
worker_thread+0x4d/0x3e0
kthread+0x12d/0x150
ret_from_fork+0x1f/0x30
Fix this by passing the transaction type to wait_current_trans() and
checking btrfs_blocked_trans_types[cur_trans->state] against the given
type before deciding to wait. This ensures that transaction types which
are allowed to join during certain blocked states will not unnecessarily
wait and cause deadlocks.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 4a9d8bdee368de78ace8b36da4eb2186afea162d Version: 4a9d8bdee368de78ace8b36da4eb2186afea162d Version: 4a9d8bdee368de78ace8b36da4eb2186afea162d Version: 4a9d8bdee368de78ace8b36da4eb2186afea162d Version: 4a9d8bdee368de78ace8b36da4eb2186afea162d Version: 4a9d8bdee368de78ace8b36da4eb2186afea162d Version: 4a9d8bdee368de78ace8b36da4eb2186afea162d |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/transaction.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e563f59395981fcd69d130761290929806e728d6",
"status": "affected",
"version": "4a9d8bdee368de78ace8b36da4eb2186afea162d",
"versionType": "git"
},
{
"lessThan": "dc84036c173cff6a432d9ab926298850b1d2a659",
"status": "affected",
"version": "4a9d8bdee368de78ace8b36da4eb2186afea162d",
"versionType": "git"
},
{
"lessThan": "d7b04b40ac8e6d814e35202a0e1568809b818295",
"status": "affected",
"version": "4a9d8bdee368de78ace8b36da4eb2186afea162d",
"versionType": "git"
},
{
"lessThan": "99da896614d17e8a84aeb2b2d464ac046cc8633d",
"status": "affected",
"version": "4a9d8bdee368de78ace8b36da4eb2186afea162d",
"versionType": "git"
},
{
"lessThan": "8b0bb145d3bc264360f525c9717653be3522e528",
"status": "affected",
"version": "4a9d8bdee368de78ace8b36da4eb2186afea162d",
"versionType": "git"
},
{
"lessThan": "9ac63333d600732a56b35ee1fa46836da671eb50",
"status": "affected",
"version": "4a9d8bdee368de78ace8b36da4eb2186afea162d",
"versionType": "git"
},
{
"lessThan": "5037b342825df7094a4906d1e2a9674baab50cb2",
"status": "affected",
"version": "4a9d8bdee368de78ace8b36da4eb2186afea162d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/transaction.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.11"
},
{
"lessThan": "3.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix deadlock in wait_current_trans() due to ignored transaction type\n\nWhen wait_current_trans() is called during start_transaction(), it\ncurrently waits for a blocked transaction without considering whether\nthe given transaction type actually needs to wait for that particular\ntransaction state. The btrfs_blocked_trans_types[] array already defines\nwhich transaction types should wait for which transaction states, but\nthis check was missing in wait_current_trans().\n\nThis can lead to a deadlock scenario involving two transactions and\npending ordered extents:\n\n 1. Transaction A is in TRANS_STATE_COMMIT_DOING state\n\n 2. A worker processing an ordered extent calls start_transaction()\n with TRANS_JOIN\n\n 3. join_transaction() returns -EBUSY because Transaction A is in\n TRANS_STATE_COMMIT_DOING\n\n 4. Transaction A moves to TRANS_STATE_UNBLOCKED and completes\n\n 5. A new Transaction B is created (TRANS_STATE_RUNNING)\n\n 6. The ordered extent from step 2 is added to Transaction B\u0027s\n pending ordered extents\n\n 7. Transaction B immediately starts commit by another task and\n enters TRANS_STATE_COMMIT_START\n\n 8. The worker finally reaches wait_current_trans(), sees Transaction B\n in TRANS_STATE_COMMIT_START (a blocked state), and waits\n unconditionally\n\n 9. However, TRANS_JOIN should NOT wait for TRANS_STATE_COMMIT_START\n according to btrfs_blocked_trans_types[]\n\n 10. Transaction B is waiting for pending ordered extents to complete\n\n 11. Deadlock: Transaction B waits for ordered extent, ordered extent\n waits for Transaction B\n\nThis can be illustrated by the following call stacks:\n CPU0 CPU1\n btrfs_finish_ordered_io()\n start_transaction(TRANS_JOIN)\n join_transaction()\n # -EBUSY (Transaction A is\n # TRANS_STATE_COMMIT_DOING)\n # Transaction A completes\n # Transaction B created\n # ordered extent added to\n # Transaction B\u0027s pending list\n btrfs_commit_transaction()\n # Transaction B enters\n # TRANS_STATE_COMMIT_START\n # waiting for pending ordered\n # extents\n wait_current_trans()\n # waits for Transaction B\n # (should not wait!)\n\nTask bstore_kv_sync in btrfs_commit_transaction waiting for ordered\nextents:\n\n __schedule+0x2e7/0x8a0\n schedule+0x64/0xe0\n btrfs_commit_transaction+0xbf7/0xda0 [btrfs]\n btrfs_sync_file+0x342/0x4d0 [btrfs]\n __x64_sys_fdatasync+0x4b/0x80\n do_syscall_64+0x33/0x40\n entry_SYSCALL_64_after_hwframe+0x44/0xa9\n\nTask kworker in wait_current_trans waiting for transaction commit:\n\n Workqueue: btrfs-syno_nocow btrfs_work_helper [btrfs]\n __schedule+0x2e7/0x8a0\n schedule+0x64/0xe0\n wait_current_trans+0xb0/0x110 [btrfs]\n start_transaction+0x346/0x5b0 [btrfs]\n btrfs_finish_ordered_io.isra.0+0x49b/0x9c0 [btrfs]\n btrfs_work_helper+0xe8/0x350 [btrfs]\n process_one_work+0x1d3/0x3c0\n worker_thread+0x4d/0x3e0\n kthread+0x12d/0x150\n ret_from_fork+0x1f/0x30\n\nFix this by passing the transaction type to wait_current_trans() and\nchecking btrfs_blocked_trans_types[cur_trans-\u003estate] against the given\ntype before deciding to wait. This ensures that transaction types which\nare allowed to join during certain blocked states will not unnecessarily\nwait and cause deadlocks."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:19.806Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e563f59395981fcd69d130761290929806e728d6"
},
{
"url": "https://git.kernel.org/stable/c/dc84036c173cff6a432d9ab926298850b1d2a659"
},
{
"url": "https://git.kernel.org/stable/c/d7b04b40ac8e6d814e35202a0e1568809b818295"
},
{
"url": "https://git.kernel.org/stable/c/99da896614d17e8a84aeb2b2d464ac046cc8633d"
},
{
"url": "https://git.kernel.org/stable/c/8b0bb145d3bc264360f525c9717653be3522e528"
},
{
"url": "https://git.kernel.org/stable/c/9ac63333d600732a56b35ee1fa46836da671eb50"
},
{
"url": "https://git.kernel.org/stable/c/5037b342825df7094a4906d1e2a9674baab50cb2"
}
],
"title": "btrfs: fix deadlock in wait_current_trans() due to ignored transaction type",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71194",
"datePublished": "2026-02-04T16:04:15.389Z",
"dateReserved": "2026-01-31T11:36:51.190Z",
"dateUpdated": "2026-02-09T08:36:19.806Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68753 (GCVE-0-2025-68753)
Vulnerability from cvelistv5
Published
2026-01-05 09:32
Modified
2026-02-09 08:32
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: firewire-motu: add bounds check in put_user loop for DSP events
In the DSP event handling code, a put_user() loop copies event data.
When the user buffer size is not aligned to 4 bytes, it could overwrite
beyond the buffer boundary.
Fix by adding a bounds check before put_user().
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 634ec0b2906efd46f6f57977e172aa3470aca432 Version: 634ec0b2906efd46f6f57977e172aa3470aca432 Version: 634ec0b2906efd46f6f57977e172aa3470aca432 Version: 634ec0b2906efd46f6f57977e172aa3470aca432 Version: 634ec0b2906efd46f6f57977e172aa3470aca432 Version: 634ec0b2906efd46f6f57977e172aa3470aca432 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/firewire/motu/motu-hwdep.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ea2c921d9de6e32ca50cb817b9d57bb881be70de",
"status": "affected",
"version": "634ec0b2906efd46f6f57977e172aa3470aca432",
"versionType": "git"
},
{
"lessThan": "6d4f17782ce4facf3197e79707df411ee3d7b30a",
"status": "affected",
"version": "634ec0b2906efd46f6f57977e172aa3470aca432",
"versionType": "git"
},
{
"lessThan": "0d71b3c2ed742f1ccb3b0b7a61afb90c0251093f",
"status": "affected",
"version": "634ec0b2906efd46f6f57977e172aa3470aca432",
"versionType": "git"
},
{
"lessThan": "df692cf2b601a54b34edfdb9e683d67483aa8ce1",
"status": "affected",
"version": "634ec0b2906efd46f6f57977e172aa3470aca432",
"versionType": "git"
},
{
"lessThan": "8f9e51cf2a2a43d0cd72d3dc0b5ccea3f639c187",
"status": "affected",
"version": "634ec0b2906efd46f6f57977e172aa3470aca432",
"versionType": "git"
},
{
"lessThan": "298e753880b6ea99ac30df34959a7a03b0878eed",
"status": "affected",
"version": "634ec0b2906efd46f6f57977e172aa3470aca432",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/firewire/motu/motu-hwdep.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: firewire-motu: add bounds check in put_user loop for DSP events\n\nIn the DSP event handling code, a put_user() loop copies event data.\nWhen the user buffer size is not aligned to 4 bytes, it could overwrite\nbeyond the buffer boundary.\n\nFix by adding a bounds check before put_user()."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:32:57.399Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ea2c921d9de6e32ca50cb817b9d57bb881be70de"
},
{
"url": "https://git.kernel.org/stable/c/6d4f17782ce4facf3197e79707df411ee3d7b30a"
},
{
"url": "https://git.kernel.org/stable/c/0d71b3c2ed742f1ccb3b0b7a61afb90c0251093f"
},
{
"url": "https://git.kernel.org/stable/c/df692cf2b601a54b34edfdb9e683d67483aa8ce1"
},
{
"url": "https://git.kernel.org/stable/c/8f9e51cf2a2a43d0cd72d3dc0b5ccea3f639c187"
},
{
"url": "https://git.kernel.org/stable/c/298e753880b6ea99ac30df34959a7a03b0878eed"
}
],
"title": "ALSA: firewire-motu: add bounds check in put_user loop for DSP events",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68753",
"datePublished": "2026-01-05T09:32:27.029Z",
"dateReserved": "2025-12-24T10:30:51.033Z",
"dateUpdated": "2026-02-09T08:32:57.399Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40153 (GCVE-0-2025-40153)
Vulnerability from cvelistv5
Published
2025-11-12 10:23
Modified
2025-12-01 06:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm: hugetlb: avoid soft lockup when mprotect to large memory area
When calling mprotect() to a large hugetlb memory area in our customer's
workload (~300GB hugetlb memory), soft lockup was observed:
watchdog: BUG: soft lockup - CPU#98 stuck for 23s! [t2_new_sysv:126916]
CPU: 98 PID: 126916 Comm: t2_new_sysv Kdump: loaded Not tainted 6.17-rc7
Hardware name: GIGACOMPUTING R2A3-T40-AAV1/Jefferson CIO, BIOS 5.4.4.1 07/15/2025
pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : mte_clear_page_tags+0x14/0x24
lr : mte_sync_tags+0x1c0/0x240
sp : ffff80003150bb80
x29: ffff80003150bb80 x28: ffff00739e9705a8 x27: 0000ffd2d6a00000
x26: 0000ff8e4bc00000 x25: 00e80046cde00f45 x24: 0000000000022458
x23: 0000000000000000 x22: 0000000000000004 x21: 000000011b380000
x20: ffff000000000000 x19: 000000011b379f40 x18: 0000000000000000
x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
x11: 0000000000000000 x10: 0000000000000000 x9 : ffffc875e0aa5e2c
x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000
x5 : fffffc01ce7a5c00 x4 : 00000000046cde00 x3 : fffffc0000000000
x2 : 0000000000000004 x1 : 0000000000000040 x0 : ffff0046cde7c000
Call trace:
mte_clear_page_tags+0x14/0x24
set_huge_pte_at+0x25c/0x280
hugetlb_change_protection+0x220/0x430
change_protection+0x5c/0x8c
mprotect_fixup+0x10c/0x294
do_mprotect_pkey.constprop.0+0x2e0/0x3d4
__arm64_sys_mprotect+0x24/0x44
invoke_syscall+0x50/0x160
el0_svc_common+0x48/0x144
do_el0_svc+0x30/0xe0
el0_svc+0x30/0xf0
el0t_64_sync_handler+0xc4/0x148
el0t_64_sync+0x1a4/0x1a8
Soft lockup is not triggered with THP or base page because there is
cond_resched() called for each PMD size.
Although the soft lockup was triggered by MTE, it should be not MTE
specific. The other processing which takes long time in the loop may
trigger soft lockup too.
So add cond_resched() for hugetlb to avoid soft lockup.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 8f860591ffb29738cf5539b6fbf27f50dcdeb380 Version: 8f860591ffb29738cf5539b6fbf27f50dcdeb380 Version: 8f860591ffb29738cf5539b6fbf27f50dcdeb380 Version: 8f860591ffb29738cf5539b6fbf27f50dcdeb380 Version: 8f860591ffb29738cf5539b6fbf27f50dcdeb380 Version: 8f860591ffb29738cf5539b6fbf27f50dcdeb380 Version: 8f860591ffb29738cf5539b6fbf27f50dcdeb380 Version: 8f860591ffb29738cf5539b6fbf27f50dcdeb380 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/hugetlb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "30498c44c2a0b20f6833ed7d8fc3df901507f760",
"status": "affected",
"version": "8f860591ffb29738cf5539b6fbf27f50dcdeb380",
"versionType": "git"
},
{
"lessThan": "5783485ab2be06be5312b26c8793526edc09123d",
"status": "affected",
"version": "8f860591ffb29738cf5539b6fbf27f50dcdeb380",
"versionType": "git"
},
{
"lessThan": "547e123e9d342a44c756446640ed847a8aeec611",
"status": "affected",
"version": "8f860591ffb29738cf5539b6fbf27f50dcdeb380",
"versionType": "git"
},
{
"lessThan": "957faf9582f92bb2be8ebe4ab6aa1c2bc71d9859",
"status": "affected",
"version": "8f860591ffb29738cf5539b6fbf27f50dcdeb380",
"versionType": "git"
},
{
"lessThan": "964598e6f70a1be9fe675280bf16b4f96b0a6809",
"status": "affected",
"version": "8f860591ffb29738cf5539b6fbf27f50dcdeb380",
"versionType": "git"
},
{
"lessThan": "4975c975ed9457a77953a26aeef85fdba7cf5498",
"status": "affected",
"version": "8f860591ffb29738cf5539b6fbf27f50dcdeb380",
"versionType": "git"
},
{
"lessThan": "c6096f3947f68f96defedb8764b3b1ca4cf3469f",
"status": "affected",
"version": "8f860591ffb29738cf5539b6fbf27f50dcdeb380",
"versionType": "git"
},
{
"lessThan": "f52ce0ea90c83a28904c7cc203a70e6434adfecb",
"status": "affected",
"version": "8f860591ffb29738cf5539b6fbf27f50dcdeb380",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/hugetlb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.17"
},
{
"lessThan": "2.6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: hugetlb: avoid soft lockup when mprotect to large memory area\n\nWhen calling mprotect() to a large hugetlb memory area in our customer\u0027s\nworkload (~300GB hugetlb memory), soft lockup was observed:\n\nwatchdog: BUG: soft lockup - CPU#98 stuck for 23s! [t2_new_sysv:126916]\n\nCPU: 98 PID: 126916 Comm: t2_new_sysv Kdump: loaded Not tainted 6.17-rc7\nHardware name: GIGACOMPUTING R2A3-T40-AAV1/Jefferson CIO, BIOS 5.4.4.1 07/15/2025\npstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc\u00a0: mte_clear_page_tags+0x14/0x24\nlr\u00a0: mte_sync_tags+0x1c0/0x240\nsp\u00a0: ffff80003150bb80\nx29: ffff80003150bb80 x28: ffff00739e9705a8 x27: 0000ffd2d6a00000\nx26: 0000ff8e4bc00000 x25: 00e80046cde00f45 x24: 0000000000022458\nx23: 0000000000000000 x22: 0000000000000004 x21: 000000011b380000\nx20: ffff000000000000 x19: 000000011b379f40 x18: 0000000000000000\nx17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000\nx14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000\nx11: 0000000000000000 x10: 0000000000000000 x9 : ffffc875e0aa5e2c\nx8\u00a0: 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000\nx5\u00a0: fffffc01ce7a5c00 x4 : 00000000046cde00 x3 : fffffc0000000000\nx2\u00a0: 0000000000000004 x1 : 0000000000000040 x0 : ffff0046cde7c000\n\nCall trace:\n\u00a0\u00a0mte_clear_page_tags+0x14/0x24\n\u00a0\u00a0set_huge_pte_at+0x25c/0x280\n\u00a0\u00a0hugetlb_change_protection+0x220/0x430\n\u00a0\u00a0change_protection+0x5c/0x8c\n\u00a0\u00a0mprotect_fixup+0x10c/0x294\n\u00a0\u00a0do_mprotect_pkey.constprop.0+0x2e0/0x3d4\n\u00a0\u00a0__arm64_sys_mprotect+0x24/0x44\n\u00a0\u00a0invoke_syscall+0x50/0x160\n\u00a0\u00a0el0_svc_common+0x48/0x144\n\u00a0\u00a0do_el0_svc+0x30/0xe0\n\u00a0\u00a0el0_svc+0x30/0xf0\n\u00a0\u00a0el0t_64_sync_handler+0xc4/0x148\n\u00a0\u00a0el0t_64_sync+0x1a4/0x1a8\n\nSoft lockup is not triggered with THP or base page because there is\ncond_resched() called for each PMD size.\n\nAlthough the soft lockup was triggered by MTE, it should be not MTE\nspecific. The other processing which takes long time in the loop may\ntrigger soft lockup too.\n\nSo add cond_resched() for hugetlb to avoid soft lockup."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:19:03.365Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/30498c44c2a0b20f6833ed7d8fc3df901507f760"
},
{
"url": "https://git.kernel.org/stable/c/5783485ab2be06be5312b26c8793526edc09123d"
},
{
"url": "https://git.kernel.org/stable/c/547e123e9d342a44c756446640ed847a8aeec611"
},
{
"url": "https://git.kernel.org/stable/c/957faf9582f92bb2be8ebe4ab6aa1c2bc71d9859"
},
{
"url": "https://git.kernel.org/stable/c/964598e6f70a1be9fe675280bf16b4f96b0a6809"
},
{
"url": "https://git.kernel.org/stable/c/4975c975ed9457a77953a26aeef85fdba7cf5498"
},
{
"url": "https://git.kernel.org/stable/c/c6096f3947f68f96defedb8764b3b1ca4cf3469f"
},
{
"url": "https://git.kernel.org/stable/c/f52ce0ea90c83a28904c7cc203a70e6434adfecb"
}
],
"title": "mm: hugetlb: avoid soft lockup when mprotect to large memory area",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40153",
"datePublished": "2025-11-12T10:23:28.201Z",
"dateReserved": "2025-04-16T07:20:57.176Z",
"dateUpdated": "2025-12-01T06:19:03.365Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68733 (GCVE-0-2025-68733)
Vulnerability from cvelistv5
Published
2025-12-24 10:33
Modified
2026-02-09 08:32
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
smack: fix bug: unprivileged task can create labels
If an unprivileged task is allowed to relabel itself
(/smack/relabel-self is not empty),
it can freely create new labels by writing their
names into own /proc/PID/attr/smack/current
This occurs because do_setattr() imports
the provided label in advance,
before checking "relabel-self" list.
This change ensures that the "relabel-self" list
is checked before importing the label.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 38416e53936ecf896948fdeffc36b76979117952 Version: 38416e53936ecf896948fdeffc36b76979117952 Version: 38416e53936ecf896948fdeffc36b76979117952 Version: 38416e53936ecf896948fdeffc36b76979117952 Version: 38416e53936ecf896948fdeffc36b76979117952 Version: 38416e53936ecf896948fdeffc36b76979117952 Version: 38416e53936ecf896948fdeffc36b76979117952 Version: 38416e53936ecf896948fdeffc36b76979117952 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"security/smack/smack_lsm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c80173233014a360c13fa5cc79d36bfe6e53a8ed",
"status": "affected",
"version": "38416e53936ecf896948fdeffc36b76979117952",
"versionType": "git"
},
{
"lessThan": "6b1e45e13546c9ea0b1d99097993ac0aafae90b1",
"status": "affected",
"version": "38416e53936ecf896948fdeffc36b76979117952",
"versionType": "git"
},
{
"lessThan": "4a7a7621619a366712fb9cefcb6e69f956c247ce",
"status": "affected",
"version": "38416e53936ecf896948fdeffc36b76979117952",
"versionType": "git"
},
{
"lessThan": "f8fd5491100f920847a3338d5fba22db19c72773",
"status": "affected",
"version": "38416e53936ecf896948fdeffc36b76979117952",
"versionType": "git"
},
{
"lessThan": "ac9fce2efabad37c338aac86fbe100f77a080e59",
"status": "affected",
"version": "38416e53936ecf896948fdeffc36b76979117952",
"versionType": "git"
},
{
"lessThan": "64aa81250171b6bb6803e97ea7a5d73bfa061f6e",
"status": "affected",
"version": "38416e53936ecf896948fdeffc36b76979117952",
"versionType": "git"
},
{
"lessThan": "60e8d49989410a7ade60f5dadfcd979c117d05c0",
"status": "affected",
"version": "38416e53936ecf896948fdeffc36b76979117952",
"versionType": "git"
},
{
"lessThan": "c147e13ea7fe9f118f8c9ba5e96cbd644b00d6b3",
"status": "affected",
"version": "38416e53936ecf896948fdeffc36b76979117952",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"security/smack/smack_lsm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.4"
},
{
"lessThan": "4.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmack: fix bug: unprivileged task can create labels\n\nIf an unprivileged task is allowed to relabel itself\n(/smack/relabel-self is not empty),\nit can freely create new labels by writing their\nnames into own /proc/PID/attr/smack/current\n\nThis occurs because do_setattr() imports\nthe provided label in advance,\nbefore checking \"relabel-self\" list.\n\nThis change ensures that the \"relabel-self\" list\nis checked before importing the label."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:32:29.776Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c80173233014a360c13fa5cc79d36bfe6e53a8ed"
},
{
"url": "https://git.kernel.org/stable/c/6b1e45e13546c9ea0b1d99097993ac0aafae90b1"
},
{
"url": "https://git.kernel.org/stable/c/4a7a7621619a366712fb9cefcb6e69f956c247ce"
},
{
"url": "https://git.kernel.org/stable/c/f8fd5491100f920847a3338d5fba22db19c72773"
},
{
"url": "https://git.kernel.org/stable/c/ac9fce2efabad37c338aac86fbe100f77a080e59"
},
{
"url": "https://git.kernel.org/stable/c/64aa81250171b6bb6803e97ea7a5d73bfa061f6e"
},
{
"url": "https://git.kernel.org/stable/c/60e8d49989410a7ade60f5dadfcd979c117d05c0"
},
{
"url": "https://git.kernel.org/stable/c/c147e13ea7fe9f118f8c9ba5e96cbd644b00d6b3"
}
],
"title": "smack: fix bug: unprivileged task can create labels",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68733",
"datePublished": "2025-12-24T10:33:15.347Z",
"dateReserved": "2025-12-24T10:30:51.028Z",
"dateUpdated": "2026-02-09T08:32:29.776Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68816 (GCVE-0-2025-68816)
Vulnerability from cvelistv5
Published
2026-01-13 15:29
Modified
2026-02-09 08:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5: fw_tracer, Validate format string parameters
Add validation for format string parameters in the firmware tracer to
prevent potential security vulnerabilities and crashes from malformed
format strings received from firmware.
The firmware tracer receives format strings from the device firmware and
uses them to format trace messages. Without proper validation, bad
firmware could provide format strings with invalid format specifiers
(e.g., %s, %p, %n) that could lead to crashes, or other undefined
behavior.
Add mlx5_tracer_validate_params() to validate that all format specifiers
in trace strings are limited to safe integer/hex formats (%x, %d, %i,
%u, %llx, %lx, etc.). Reject strings containing other format types that
could be used to access arbitrary memory or cause crashes.
Invalid format strings are added to the trace output for visibility with
"BAD_FORMAT: " prefix.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 70dd6fdb8987b14f7b6105f6be0617299e459398 Version: 70dd6fdb8987b14f7b6105f6be0617299e459398 Version: 70dd6fdb8987b14f7b6105f6be0617299e459398 Version: 70dd6fdb8987b14f7b6105f6be0617299e459398 Version: 70dd6fdb8987b14f7b6105f6be0617299e459398 Version: 70dd6fdb8987b14f7b6105f6be0617299e459398 Version: 70dd6fdb8987b14f7b6105f6be0617299e459398 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c",
"drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "95624b731c490a4b849844269193a233d6d556a0",
"status": "affected",
"version": "70dd6fdb8987b14f7b6105f6be0617299e459398",
"versionType": "git"
},
{
"lessThan": "768d559f466cdd72849110a7ecd76a21d52dcfe3",
"status": "affected",
"version": "70dd6fdb8987b14f7b6105f6be0617299e459398",
"versionType": "git"
},
{
"lessThan": "38ac688b52ef26a88f8bc4fe26d24fdd0ff91e5d",
"status": "affected",
"version": "70dd6fdb8987b14f7b6105f6be0617299e459398",
"versionType": "git"
},
{
"lessThan": "8ac688c0e430dab19f6a9b70df94b1f635612c1a",
"status": "affected",
"version": "70dd6fdb8987b14f7b6105f6be0617299e459398",
"versionType": "git"
},
{
"lessThan": "45bd283b1d69e2c97cddcb9956f0e0261fc4efd7",
"status": "affected",
"version": "70dd6fdb8987b14f7b6105f6be0617299e459398",
"versionType": "git"
},
{
"lessThan": "8c35c2448086870509ede43947845be0833251f0",
"status": "affected",
"version": "70dd6fdb8987b14f7b6105f6be0617299e459398",
"versionType": "git"
},
{
"lessThan": "b35966042d20b14e2d83330049f77deec5229749",
"status": "affected",
"version": "70dd6fdb8987b14f7b6105f6be0617299e459398",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c",
"drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: fw_tracer, Validate format string parameters\n\nAdd validation for format string parameters in the firmware tracer to\nprevent potential security vulnerabilities and crashes from malformed\nformat strings received from firmware.\n\nThe firmware tracer receives format strings from the device firmware and\nuses them to format trace messages. Without proper validation, bad\nfirmware could provide format strings with invalid format specifiers\n(e.g., %s, %p, %n) that could lead to crashes, or other undefined\nbehavior.\n\nAdd mlx5_tracer_validate_params() to validate that all format specifiers\nin trace strings are limited to safe integer/hex formats (%x, %d, %i,\n%u, %llx, %lx, etc.). Reject strings containing other format types that\ncould be used to access arbitrary memory or cause crashes.\nInvalid format strings are added to the trace output for visibility with\n\"BAD_FORMAT: \" prefix."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:06.146Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/95624b731c490a4b849844269193a233d6d556a0"
},
{
"url": "https://git.kernel.org/stable/c/768d559f466cdd72849110a7ecd76a21d52dcfe3"
},
{
"url": "https://git.kernel.org/stable/c/38ac688b52ef26a88f8bc4fe26d24fdd0ff91e5d"
},
{
"url": "https://git.kernel.org/stable/c/8ac688c0e430dab19f6a9b70df94b1f635612c1a"
},
{
"url": "https://git.kernel.org/stable/c/45bd283b1d69e2c97cddcb9956f0e0261fc4efd7"
},
{
"url": "https://git.kernel.org/stable/c/8c35c2448086870509ede43947845be0833251f0"
},
{
"url": "https://git.kernel.org/stable/c/b35966042d20b14e2d83330049f77deec5229749"
}
],
"title": "net/mlx5: fw_tracer, Validate format string parameters",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68816",
"datePublished": "2026-01-13T15:29:20.464Z",
"dateReserved": "2025-12-24T10:30:51.047Z",
"dateUpdated": "2026-02-09T08:34:06.146Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68803 (GCVE-0-2025-68803)
Vulnerability from cvelistv5
Published
2026-01-13 15:29
Modified
2026-02-09 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
NFSD: NFSv4 file creation neglects setting ACL
An NFSv4 client that sets an ACL with a named principal during file
creation retrieves the ACL afterwards, and finds that it is only a
default ACL (based on the mode bits) and not the ACL that was
requested during file creation. This violates RFC 8881 section
6.4.1.3: "the ACL attribute is set as given".
The issue occurs in nfsd_create_setattr(), which calls
nfsd_attrs_valid() to determine whether to call nfsd_setattr().
However, nfsd_attrs_valid() checks only for iattr changes and
security labels, but not POSIX ACLs. When only an ACL is present,
the function returns false, nfsd_setattr() is skipped, and the
POSIX ACL is never applied to the inode.
Subsequently, when the client retrieves the ACL, the server finds
no POSIX ACL on the inode and returns one generated from the file's
mode bits rather than returning the originally-specified ACL.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: c5409ce523af40d5c3019717bc5b4f72038d48be Version: d52acd23a327cada5fb597591267cfc09f08bb1d Version: c0cbe70742f4a70893cd6e5f6b10b6e89b6db95b Version: c0cbe70742f4a70893cd6e5f6b10b6e89b6db95b Version: c0cbe70742f4a70893cd6e5f6b10b6e89b6db95b Version: c0cbe70742f4a70893cd6e5f6b10b6e89b6db95b Version: c0cbe70742f4a70893cd6e5f6b10b6e89b6db95b |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfsd/vfs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c182e1e0b7640f6bcc0c5ca8d473f7c57199ea3d",
"status": "affected",
"version": "c5409ce523af40d5c3019717bc5b4f72038d48be",
"versionType": "git"
},
{
"lessThan": "75f91534f9acdfef77f8fa094313b7806f801725",
"status": "affected",
"version": "d52acd23a327cada5fb597591267cfc09f08bb1d",
"versionType": "git"
},
{
"lessThan": "60dbdef2ebc2317266a385e4debdb1bb0e57afe1",
"status": "affected",
"version": "c0cbe70742f4a70893cd6e5f6b10b6e89b6db95b",
"versionType": "git"
},
{
"lessThan": "381261f24f4e4b41521c0e5ef5cc0b9a786a9862",
"status": "affected",
"version": "c0cbe70742f4a70893cd6e5f6b10b6e89b6db95b",
"versionType": "git"
},
{
"lessThan": "bf4e671c651534a307ab2fabba4926116beef8c3",
"status": "affected",
"version": "c0cbe70742f4a70893cd6e5f6b10b6e89b6db95b",
"versionType": "git"
},
{
"lessThan": "214b396480061cbc8b16f2c518b2add7fbfa5192",
"status": "affected",
"version": "c0cbe70742f4a70893cd6e5f6b10b6e89b6db95b",
"versionType": "git"
},
{
"lessThan": "913f7cf77bf14c13cfea70e89bcb6d0b22239562",
"status": "affected",
"version": "c0cbe70742f4a70893cd6e5f6b10b6e89b6db95b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfsd/vfs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.10.220",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.15.154",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: NFSv4 file creation neglects setting ACL\n\nAn NFSv4 client that sets an ACL with a named principal during file\ncreation retrieves the ACL afterwards, and finds that it is only a\ndefault ACL (based on the mode bits) and not the ACL that was\nrequested during file creation. This violates RFC 8881 section\n6.4.1.3: \"the ACL attribute is set as given\".\n\nThe issue occurs in nfsd_create_setattr(), which calls\nnfsd_attrs_valid() to determine whether to call nfsd_setattr().\nHowever, nfsd_attrs_valid() checks only for iattr changes and\nsecurity labels, but not POSIX ACLs. When only an ACL is present,\nthe function returns false, nfsd_setattr() is skipped, and the\nPOSIX ACL is never applied to the inode.\n\nSubsequently, when the client retrieves the ACL, the server finds\nno POSIX ACL on the inode and returns one generated from the file\u0027s\nmode bits rather than returning the originally-specified ACL."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:52.010Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c182e1e0b7640f6bcc0c5ca8d473f7c57199ea3d"
},
{
"url": "https://git.kernel.org/stable/c/75f91534f9acdfef77f8fa094313b7806f801725"
},
{
"url": "https://git.kernel.org/stable/c/60dbdef2ebc2317266a385e4debdb1bb0e57afe1"
},
{
"url": "https://git.kernel.org/stable/c/381261f24f4e4b41521c0e5ef5cc0b9a786a9862"
},
{
"url": "https://git.kernel.org/stable/c/bf4e671c651534a307ab2fabba4926116beef8c3"
},
{
"url": "https://git.kernel.org/stable/c/214b396480061cbc8b16f2c518b2add7fbfa5192"
},
{
"url": "https://git.kernel.org/stable/c/913f7cf77bf14c13cfea70e89bcb6d0b22239562"
}
],
"title": "NFSD: NFSv4 file creation neglects setting ACL",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68803",
"datePublished": "2026-01-13T15:29:11.732Z",
"dateReserved": "2025-12-24T10:30:51.045Z",
"dateUpdated": "2026-02-09T08:33:52.010Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40112 (GCVE-0-2025-40112)
Vulnerability from cvelistv5
Published
2025-11-12 10:23
Modified
2025-12-01 06:18
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
sparc: fix accurate exception reporting in copy_{from_to}_user for Niagara
The referenced commit introduced exception handlers on user-space memory
references in copy_from_user and copy_to_user. These handlers return from
the respective function and calculate the remaining bytes left to copy
using the current register contents. This commit fixes a couple of bad
calculations and a broken epilogue in the exception handlers. This will
prevent crashes and ensure correct return values of copy_from_user and
copy_to_user in the faulting case. The behaviour of memcpy stays unchanged.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 7ae3aaf53f1695877ccd5ebbc49ea65991e41f1e Version: 7ae3aaf53f1695877ccd5ebbc49ea65991e41f1e Version: 7ae3aaf53f1695877ccd5ebbc49ea65991e41f1e Version: 7ae3aaf53f1695877ccd5ebbc49ea65991e41f1e Version: 7ae3aaf53f1695877ccd5ebbc49ea65991e41f1e Version: 7ae3aaf53f1695877ccd5ebbc49ea65991e41f1e Version: 7ae3aaf53f1695877ccd5ebbc49ea65991e41f1e Version: 7ae3aaf53f1695877ccd5ebbc49ea65991e41f1e Version: bfc8be6593097cb074d3912ba2f27565cfbb7d6e Version: a15859f9d8396cce7c55ccdb7e75f70f14cbc349 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/sparc/lib/NGmemcpy.S"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "05440320ea3e249d5f984918f2bf51210c1a7c03",
"status": "affected",
"version": "7ae3aaf53f1695877ccd5ebbc49ea65991e41f1e",
"versionType": "git"
},
{
"lessThan": "7823fc4d8ab5e57f8db7806ff2530c03c166c4bb",
"status": "affected",
"version": "7ae3aaf53f1695877ccd5ebbc49ea65991e41f1e",
"versionType": "git"
},
{
"lessThan": "37547d8e6eba87507279ee3dfddfd9dc46335454",
"status": "affected",
"version": "7ae3aaf53f1695877ccd5ebbc49ea65991e41f1e",
"versionType": "git"
},
{
"lessThan": "a365ee556e45f780ee322b349a06efdad0c1458f",
"status": "affected",
"version": "7ae3aaf53f1695877ccd5ebbc49ea65991e41f1e",
"versionType": "git"
},
{
"lessThan": "8cdeb5e482d3fdce7e825444b6ca3865e24c0228",
"status": "affected",
"version": "7ae3aaf53f1695877ccd5ebbc49ea65991e41f1e",
"versionType": "git"
},
{
"lessThan": "a90ce516a73dbe087f9bf3dbf311301a58d125c6",
"status": "affected",
"version": "7ae3aaf53f1695877ccd5ebbc49ea65991e41f1e",
"versionType": "git"
},
{
"lessThan": "088c5098ec6d6b0396edfbf3dad3e81de8469c1c",
"status": "affected",
"version": "7ae3aaf53f1695877ccd5ebbc49ea65991e41f1e",
"versionType": "git"
},
{
"lessThan": "0b67c8fc10b13a9090340c5f8a37d308f4e1571c",
"status": "affected",
"version": "7ae3aaf53f1695877ccd5ebbc49ea65991e41f1e",
"versionType": "git"
},
{
"status": "affected",
"version": "bfc8be6593097cb074d3912ba2f27565cfbb7d6e",
"versionType": "git"
},
{
"status": "affected",
"version": "a15859f9d8396cce7c55ccdb7e75f70f14cbc349",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/sparc/lib/NGmemcpy.S"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.9"
},
{
"lessThan": "4.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.8.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsparc: fix accurate exception reporting in copy_{from_to}_user for Niagara\n\nThe referenced commit introduced exception handlers on user-space memory\nreferences in copy_from_user and copy_to_user. These handlers return from\nthe respective function and calculate the remaining bytes left to copy\nusing the current register contents. This commit fixes a couple of bad\ncalculations and a broken epilogue in the exception handlers. This will\nprevent crashes and ensure correct return values of copy_from_user and\ncopy_to_user in the faulting case. The behaviour of memcpy stays unchanged."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:18:15.903Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/05440320ea3e249d5f984918f2bf51210c1a7c03"
},
{
"url": "https://git.kernel.org/stable/c/7823fc4d8ab5e57f8db7806ff2530c03c166c4bb"
},
{
"url": "https://git.kernel.org/stable/c/37547d8e6eba87507279ee3dfddfd9dc46335454"
},
{
"url": "https://git.kernel.org/stable/c/a365ee556e45f780ee322b349a06efdad0c1458f"
},
{
"url": "https://git.kernel.org/stable/c/8cdeb5e482d3fdce7e825444b6ca3865e24c0228"
},
{
"url": "https://git.kernel.org/stable/c/a90ce516a73dbe087f9bf3dbf311301a58d125c6"
},
{
"url": "https://git.kernel.org/stable/c/088c5098ec6d6b0396edfbf3dad3e81de8469c1c"
},
{
"url": "https://git.kernel.org/stable/c/0b67c8fc10b13a9090340c5f8a37d308f4e1571c"
}
],
"title": "sparc: fix accurate exception reporting in copy_{from_to}_user for Niagara",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40112",
"datePublished": "2025-11-12T10:23:16.690Z",
"dateReserved": "2025-04-16T07:20:57.167Z",
"dateUpdated": "2025-12-01T06:18:15.903Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40044 (GCVE-0-2025-40044)
Vulnerability from cvelistv5
Published
2025-10-28 11:48
Modified
2025-12-01 06:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs: udf: fix OOB read in lengthAllocDescs handling
When parsing Allocation Extent Descriptor, lengthAllocDescs comes from
on-disk data and must be validated against the block size. Crafted or
corrupted images may set lengthAllocDescs so that the total descriptor
length (sizeof(allocExtDesc) + lengthAllocDescs) exceeds the buffer,
leading udf_update_tag() to call crc_itu_t() on out-of-bounds memory and
trigger a KASAN use-after-free read.
BUG: KASAN: use-after-free in crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60
Read of size 1 at addr ffff888041e7d000 by task syz-executor317/5309
CPU: 0 UID: 0 PID: 5309 Comm: syz-executor317 Not tainted 6.12.0-rc4-syzkaller-00261-g850925a8133c #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60
udf_update_tag+0x70/0x6a0 fs/udf/misc.c:261
udf_write_aext+0x4d8/0x7b0 fs/udf/inode.c:2179
extent_trunc+0x2f7/0x4a0 fs/udf/truncate.c:46
udf_truncate_tail_extent+0x527/0x7e0 fs/udf/truncate.c:106
udf_release_file+0xc1/0x120 fs/udf/file.c:185
__fput+0x23f/0x880 fs/file_table.c:431
task_work_run+0x24f/0x310 kernel/task_work.c:239
exit_task_work include/linux/task_work.h:43 [inline]
do_exit+0xa2f/0x28e0 kernel/exit.c:939
do_group_exit+0x207/0x2c0 kernel/exit.c:1088
__do_sys_exit_group kernel/exit.c:1099 [inline]
__se_sys_exit_group kernel/exit.c:1097 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1097
x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>
Validate the computed total length against epos->bh->b_size.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/udf/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "14496175b264d30c2045584ee31d062af2e3a660",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d2ed9aa8ae50fb0d4ac5ab07e4c67ba7e9a24818",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1d1847812a1a5375c10a2a779338df643f79c047",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "918649364fbca7d5df72522ca795479edcd25f91",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a70dcfa8d0a0cc530a6af59483dfca260b652c1b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b57f2d7d3e6bb89ed82330c5fe106cdfa34d3e24",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "459404f858213967ccfff336c41747d8dd186d38",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3bd5e45c2ce30e239d596becd5db720f7eb83c99",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/udf/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: udf: fix OOB read in lengthAllocDescs handling\n\nWhen parsing Allocation Extent Descriptor, lengthAllocDescs comes from\non-disk data and must be validated against the block size. Crafted or\ncorrupted images may set lengthAllocDescs so that the total descriptor\nlength (sizeof(allocExtDesc) + lengthAllocDescs) exceeds the buffer,\nleading udf_update_tag() to call crc_itu_t() on out-of-bounds memory and\ntrigger a KASAN use-after-free read.\n\nBUG: KASAN: use-after-free in crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60\nRead of size 1 at addr ffff888041e7d000 by task syz-executor317/5309\n\nCPU: 0 UID: 0 PID: 5309 Comm: syz-executor317 Not tainted 6.12.0-rc4-syzkaller-00261-g850925a8133c #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60\n udf_update_tag+0x70/0x6a0 fs/udf/misc.c:261\n udf_write_aext+0x4d8/0x7b0 fs/udf/inode.c:2179\n extent_trunc+0x2f7/0x4a0 fs/udf/truncate.c:46\n udf_truncate_tail_extent+0x527/0x7e0 fs/udf/truncate.c:106\n udf_release_file+0xc1/0x120 fs/udf/file.c:185\n __fput+0x23f/0x880 fs/file_table.c:431\n task_work_run+0x24f/0x310 kernel/task_work.c:239\n exit_task_work include/linux/task_work.h:43 [inline]\n do_exit+0xa2f/0x28e0 kernel/exit.c:939\n do_group_exit+0x207/0x2c0 kernel/exit.c:1088\n __do_sys_exit_group kernel/exit.c:1099 [inline]\n __se_sys_exit_group kernel/exit.c:1097 [inline]\n __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1097\n x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n \u003c/TASK\u003e\n\nValidate the computed total length against epos-\u003ebh-\u003eb_size.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:16:49.032Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/14496175b264d30c2045584ee31d062af2e3a660"
},
{
"url": "https://git.kernel.org/stable/c/d2ed9aa8ae50fb0d4ac5ab07e4c67ba7e9a24818"
},
{
"url": "https://git.kernel.org/stable/c/1d1847812a1a5375c10a2a779338df643f79c047"
},
{
"url": "https://git.kernel.org/stable/c/918649364fbca7d5df72522ca795479edcd25f91"
},
{
"url": "https://git.kernel.org/stable/c/a70dcfa8d0a0cc530a6af59483dfca260b652c1b"
},
{
"url": "https://git.kernel.org/stable/c/b57f2d7d3e6bb89ed82330c5fe106cdfa34d3e24"
},
{
"url": "https://git.kernel.org/stable/c/459404f858213967ccfff336c41747d8dd186d38"
},
{
"url": "https://git.kernel.org/stable/c/3bd5e45c2ce30e239d596becd5db720f7eb83c99"
}
],
"title": "fs: udf: fix OOB read in lengthAllocDescs handling",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40044",
"datePublished": "2025-10-28T11:48:22.827Z",
"dateReserved": "2025-04-16T07:20:57.154Z",
"dateUpdated": "2025-12-01T06:16:49.032Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23078 (GCVE-0-2026-23078)
Vulnerability from cvelistv5
Published
2026-02-04 16:08
Modified
2026-02-09 08:38
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: scarlett2: Fix buffer overflow in config retrieval
The scarlett2_usb_get_config() function has a logic error in the
endianness conversion code that can cause buffer overflows when
count > 1.
The code checks `if (size == 2)` where `size` is the total buffer size in
bytes, then loops `count` times treating each element as u16 (2 bytes).
This causes the loop to access `count * 2` bytes when the buffer only
has `size` bytes allocated.
Fix by checking the element size (config_item->size) instead of the
total buffer size. This ensures the endianness conversion matches the
actual element type.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: ac34df733d2dfe3b553897a1e9e1a44414f09834 Version: ac34df733d2dfe3b553897a1e9e1a44414f09834 Version: ac34df733d2dfe3b553897a1e9e1a44414f09834 Version: ac34df733d2dfe3b553897a1e9e1a44414f09834 Version: ac34df733d2dfe3b553897a1e9e1a44414f09834 Version: ac34df733d2dfe3b553897a1e9e1a44414f09834 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/usb/mixer_scarlett2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d5e80d1f97ae55bcea1426f551e4419245b41b9c",
"status": "affected",
"version": "ac34df733d2dfe3b553897a1e9e1a44414f09834",
"versionType": "git"
},
{
"lessThan": "51049f6e3f05d70660e2458ad3bb302a3721b751",
"status": "affected",
"version": "ac34df733d2dfe3b553897a1e9e1a44414f09834",
"versionType": "git"
},
{
"lessThan": "91a756d22f0482eac5bedb113c8922f90b254449",
"status": "affected",
"version": "ac34df733d2dfe3b553897a1e9e1a44414f09834",
"versionType": "git"
},
{
"lessThan": "27049f50be9f5ae3a62d272128ce0b381cb26a24",
"status": "affected",
"version": "ac34df733d2dfe3b553897a1e9e1a44414f09834",
"versionType": "git"
},
{
"lessThan": "31a3eba5c265a763260976674a22851e83128f6d",
"status": "affected",
"version": "ac34df733d2dfe3b553897a1e9e1a44414f09834",
"versionType": "git"
},
{
"lessThan": "6f5c69f72e50d51be3a8c028ae7eda42c82902cb",
"status": "affected",
"version": "ac34df733d2dfe3b553897a1e9e1a44414f09834",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/usb/mixer_scarlett2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: scarlett2: Fix buffer overflow in config retrieval\n\nThe scarlett2_usb_get_config() function has a logic error in the\nendianness conversion code that can cause buffer overflows when\ncount \u003e 1.\n\nThe code checks `if (size == 2)` where `size` is the total buffer size in\nbytes, then loops `count` times treating each element as u16 (2 bytes).\nThis causes the loop to access `count * 2` bytes when the buffer only\nhas `size` bytes allocated.\n\nFix by checking the element size (config_item-\u003esize) instead of the\ntotal buffer size. This ensures the endianness conversion matches the\nactual element type."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:38:17.910Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d5e80d1f97ae55bcea1426f551e4419245b41b9c"
},
{
"url": "https://git.kernel.org/stable/c/51049f6e3f05d70660e2458ad3bb302a3721b751"
},
{
"url": "https://git.kernel.org/stable/c/91a756d22f0482eac5bedb113c8922f90b254449"
},
{
"url": "https://git.kernel.org/stable/c/27049f50be9f5ae3a62d272128ce0b381cb26a24"
},
{
"url": "https://git.kernel.org/stable/c/31a3eba5c265a763260976674a22851e83128f6d"
},
{
"url": "https://git.kernel.org/stable/c/6f5c69f72e50d51be3a8c028ae7eda42c82902cb"
}
],
"title": "ALSA: scarlett2: Fix buffer overflow in config retrieval",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23078",
"datePublished": "2026-02-04T16:08:03.283Z",
"dateReserved": "2026-01-13T15:37:45.959Z",
"dateUpdated": "2026-02-09T08:38:17.910Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-21780 (GCVE-0-2025-21780)
Vulnerability from cvelistv5
Published
2025-02-27 02:18
Modified
2025-11-03 20:59
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table()
It malicious user provides a small pptable through sysfs and then
a bigger pptable, it may cause buffer overflow attack in function
smu_sys_set_pp_table().
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21780",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:30:25.628048Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-120",
"description": "CWE-120 Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:40.157Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:59:26.137Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3484ea33157bc7334f57e64826ec5a4bf992151a",
"status": "affected",
"version": "137d63abbf6a0859e79b662e81d21170ecb75e59",
"versionType": "git"
},
{
"lessThan": "e43a8b9c4d700ffec819c5043a48769b3e7d9cab",
"status": "affected",
"version": "137d63abbf6a0859e79b662e81d21170ecb75e59",
"versionType": "git"
},
{
"lessThan": "2498d2db1d35e88a2060ea191ae75dce853dd084",
"status": "affected",
"version": "137d63abbf6a0859e79b662e81d21170ecb75e59",
"versionType": "git"
},
{
"lessThan": "231075c5a8ea54f34b7c4794687baa980814e6de",
"status": "affected",
"version": "137d63abbf6a0859e79b662e81d21170ecb75e59",
"versionType": "git"
},
{
"lessThan": "1abb2648698bf10783d2236a6b4a7ca5e8021699",
"status": "affected",
"version": "137d63abbf6a0859e79b662e81d21170ecb75e59",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.2"
},
{
"lessThan": "5.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.79",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.79",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.16",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.4",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table()\n\nIt malicious user provides a small pptable through sysfs and then\na bigger pptable, it may cause buffer overflow attack in function\nsmu_sys_set_pp_table()."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:21:06.464Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3484ea33157bc7334f57e64826ec5a4bf992151a"
},
{
"url": "https://git.kernel.org/stable/c/e43a8b9c4d700ffec819c5043a48769b3e7d9cab"
},
{
"url": "https://git.kernel.org/stable/c/2498d2db1d35e88a2060ea191ae75dce853dd084"
},
{
"url": "https://git.kernel.org/stable/c/231075c5a8ea54f34b7c4794687baa980814e6de"
},
{
"url": "https://git.kernel.org/stable/c/1abb2648698bf10783d2236a6b4a7ca5e8021699"
}
],
"title": "drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21780",
"datePublished": "2025-02-27T02:18:23.543Z",
"dateReserved": "2024-12-29T08:45:45.764Z",
"dateUpdated": "2025-11-03T20:59:26.137Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23093 (GCVE-0-2026-23093)
Vulnerability from cvelistv5
Published
2026-02-04 16:08
Modified
2026-02-09 08:38
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: smbd: fix dma_unmap_sg() nents
The dma_unmap_sg() functions should be called with the same nents as the
dma_map_sg(), not the value the map function returned.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 0626e6641f6b467447c81dd7678a69c66f7746cf Version: 0626e6641f6b467447c81dd7678a69c66f7746cf Version: 0626e6641f6b467447c81dd7678a69c66f7746cf Version: 0626e6641f6b467447c81dd7678a69c66f7746cf Version: 0626e6641f6b467447c81dd7678a69c66f7746cf Version: 0626e6641f6b467447c81dd7678a69c66f7746cf |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/transport_rdma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f569f5b8bfd5133defdf9c7f8a72c63aa11f54ec",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
},
{
"lessThan": "6ececffd3e9fe93a87738625dc0671165d27bf96",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
},
{
"lessThan": "4d1e9a4a450aae47277763562122cc80ed703ab2",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
},
{
"lessThan": "70ba85e439221a5d6dda34a3004db6640f0525e6",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
},
{
"lessThan": "d1943bc9dc9508f5933788a76f8a35d10e43a646",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
},
{
"lessThan": "98e3e2b561bc88f4dd218d1c05890672874692f6",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/transport_rdma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.123",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.69",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.123",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.69",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: smbd: fix dma_unmap_sg() nents\n\nThe dma_unmap_sg() functions should be called with the same nents as the\ndma_map_sg(), not the value the map function returned."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:38:33.448Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f569f5b8bfd5133defdf9c7f8a72c63aa11f54ec"
},
{
"url": "https://git.kernel.org/stable/c/6ececffd3e9fe93a87738625dc0671165d27bf96"
},
{
"url": "https://git.kernel.org/stable/c/4d1e9a4a450aae47277763562122cc80ed703ab2"
},
{
"url": "https://git.kernel.org/stable/c/70ba85e439221a5d6dda34a3004db6640f0525e6"
},
{
"url": "https://git.kernel.org/stable/c/d1943bc9dc9508f5933788a76f8a35d10e43a646"
},
{
"url": "https://git.kernel.org/stable/c/98e3e2b561bc88f4dd218d1c05890672874692f6"
}
],
"title": "ksmbd: smbd: fix dma_unmap_sg() nents",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23093",
"datePublished": "2026-02-04T16:08:16.159Z",
"dateReserved": "2026-01-13T15:37:45.962Z",
"dateUpdated": "2026-02-09T08:38:33.448Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-37849 (GCVE-0-2025-37849)
Vulnerability from cvelistv5
Published
2025-05-09 06:41
Modified
2025-12-20 08:51
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: arm64: Tear down vGIC on failed vCPU creation
If kvm_arch_vcpu_create() fails to share the vCPU page with the
hypervisor, we propagate the error back to the ioctl but leave the
vGIC vCPU data initialised. Note only does this leak the corresponding
memory when the vCPU is destroyed but it can also lead to use-after-free
if the redistributor device handling tries to walk into the vCPU.
Add the missing cleanup to kvm_arch_vcpu_create(), ensuring that the
vGIC vCPU structures are destroyed on error.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 6211753fdfd05af9e08f54c8d0ba3ee516034878 Version: 6211753fdfd05af9e08f54c8d0ba3ee516034878 Version: 6211753fdfd05af9e08f54c8d0ba3ee516034878 Version: 6211753fdfd05af9e08f54c8d0ba3ee516034878 Version: 6211753fdfd05af9e08f54c8d0ba3ee516034878 Version: 6211753fdfd05af9e08f54c8d0ba3ee516034878 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:56:22.007Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm64/kvm/arm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "07476e0d932afc53c05468076393ac35d0b4999e",
"status": "affected",
"version": "6211753fdfd05af9e08f54c8d0ba3ee516034878",
"versionType": "git"
},
{
"lessThan": "5085e02362b9948f82fceca979b8f8e12acb1cc5",
"status": "affected",
"version": "6211753fdfd05af9e08f54c8d0ba3ee516034878",
"versionType": "git"
},
{
"lessThan": "c322789613407647a05ff5c451a7bf545fb34e73",
"status": "affected",
"version": "6211753fdfd05af9e08f54c8d0ba3ee516034878",
"versionType": "git"
},
{
"lessThan": "2480326eba8ae9ccc5e4c3c2dc8d407db68e3c52",
"status": "affected",
"version": "6211753fdfd05af9e08f54c8d0ba3ee516034878",
"versionType": "git"
},
{
"lessThan": "f1e9087abaeedec9bf2894a282ee4f0d8383f299",
"status": "affected",
"version": "6211753fdfd05af9e08f54c8d0ba3ee516034878",
"versionType": "git"
},
{
"lessThan": "250f25367b58d8c65a1b060a2dda037eea09a672",
"status": "affected",
"version": "6211753fdfd05af9e08f54c8d0ba3ee516034878",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm64/kvm/arm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.11"
},
{
"lessThan": "3.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.135",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.88",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.24",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.12",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.3",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "3.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Tear down vGIC on failed vCPU creation\n\nIf kvm_arch_vcpu_create() fails to share the vCPU page with the\nhypervisor, we propagate the error back to the ioctl but leave the\nvGIC vCPU data initialised. Note only does this leak the corresponding\nmemory when the vCPU is destroyed but it can also lead to use-after-free\nif the redistributor device handling tries to walk into the vCPU.\n\nAdd the missing cleanup to kvm_arch_vcpu_create(), ensuring that the\nvGIC vCPU structures are destroyed on error."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-20T08:51:43.143Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/07476e0d932afc53c05468076393ac35d0b4999e"
},
{
"url": "https://git.kernel.org/stable/c/5085e02362b9948f82fceca979b8f8e12acb1cc5"
},
{
"url": "https://git.kernel.org/stable/c/c322789613407647a05ff5c451a7bf545fb34e73"
},
{
"url": "https://git.kernel.org/stable/c/2480326eba8ae9ccc5e4c3c2dc8d407db68e3c52"
},
{
"url": "https://git.kernel.org/stable/c/f1e9087abaeedec9bf2894a282ee4f0d8383f299"
},
{
"url": "https://git.kernel.org/stable/c/250f25367b58d8c65a1b060a2dda037eea09a672"
}
],
"title": "KVM: arm64: Tear down vGIC on failed vCPU creation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-37849",
"datePublished": "2025-05-09T06:41:56.874Z",
"dateReserved": "2025-04-16T04:51:23.954Z",
"dateUpdated": "2025-12-20T08:51:43.143Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71117 (GCVE-0-2025-71117)
Vulnerability from cvelistv5
Published
2026-01-14 15:06
Modified
2026-02-09 08:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
block: Remove queue freezing from several sysfs store callbacks
Freezing the request queue from inside sysfs store callbacks may cause a
deadlock in combination with the dm-multipath driver and the
queue_if_no_path option. Additionally, freezing the request queue slows
down system boot on systems where sysfs attributes are set synchronously.
Fix this by removing the blk_mq_freeze_queue() / blk_mq_unfreeze_queue()
calls from the store callbacks that do not strictly need these callbacks.
Add the __data_racy annotation to request_queue.rq_timeout to suppress
KCSAN data race reports about the rq_timeout reads.
This patch may cause a small delay in applying the new settings.
For all the attributes affected by this patch, I/O will complete
correctly whether the old or the new value of the attribute is used.
This patch affects the following sysfs attributes:
* io_poll_delay
* io_timeout
* nomerges
* read_ahead_kb
* rq_affinity
Here is an example of a deadlock triggered by running test srp/002
if this patch is not applied:
task:multipathd
Call Trace:
<TASK>
__schedule+0x8c1/0x1bf0
schedule+0xdd/0x270
schedule_preempt_disabled+0x1c/0x30
__mutex_lock+0xb89/0x1650
mutex_lock_nested+0x1f/0x30
dm_table_set_restrictions+0x823/0xdf0
__bind+0x166/0x590
dm_swap_table+0x2a7/0x490
do_resume+0x1b1/0x610
dev_suspend+0x55/0x1a0
ctl_ioctl+0x3a5/0x7e0
dm_ctl_ioctl+0x12/0x20
__x64_sys_ioctl+0x127/0x1a0
x64_sys_call+0xe2b/0x17d0
do_syscall_64+0x96/0x3a0
entry_SYSCALL_64_after_hwframe+0x4b/0x53
</TASK>
task:(udev-worker)
Call Trace:
<TASK>
__schedule+0x8c1/0x1bf0
schedule+0xdd/0x270
blk_mq_freeze_queue_wait+0xf2/0x140
blk_mq_freeze_queue_nomemsave+0x23/0x30
queue_ra_store+0x14e/0x290
queue_attr_store+0x23e/0x2c0
sysfs_kf_write+0xde/0x140
kernfs_fop_write_iter+0x3b2/0x630
vfs_write+0x4fd/0x1390
ksys_write+0xfd/0x230
__x64_sys_write+0x76/0xc0
x64_sys_call+0x276/0x17d0
do_syscall_64+0x96/0x3a0
entry_SYSCALL_64_after_hwframe+0x4b/0x53
</TASK>
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/blk-sysfs.c",
"include/linux/blkdev.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3997b3147c7b68b0308378fa95a766015f8ceb1c",
"status": "affected",
"version": "af2814149883e2c1851866ea2afcd8eadc040f79",
"versionType": "git"
},
{
"lessThan": "935a20d1bebf6236076785fac3ff81e3931834e9",
"status": "affected",
"version": "af2814149883e2c1851866ea2afcd8eadc040f79",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/blk-sysfs.c",
"include/linux/blkdev.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.11"
},
{
"lessThan": "6.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: Remove queue freezing from several sysfs store callbacks\n\nFreezing the request queue from inside sysfs store callbacks may cause a\ndeadlock in combination with the dm-multipath driver and the\nqueue_if_no_path option. Additionally, freezing the request queue slows\ndown system boot on systems where sysfs attributes are set synchronously.\n\nFix this by removing the blk_mq_freeze_queue() / blk_mq_unfreeze_queue()\ncalls from the store callbacks that do not strictly need these callbacks.\nAdd the __data_racy annotation to request_queue.rq_timeout to suppress\nKCSAN data race reports about the rq_timeout reads.\n\nThis patch may cause a small delay in applying the new settings.\n\nFor all the attributes affected by this patch, I/O will complete\ncorrectly whether the old or the new value of the attribute is used.\n\nThis patch affects the following sysfs attributes:\n* io_poll_delay\n* io_timeout\n* nomerges\n* read_ahead_kb\n* rq_affinity\n\nHere is an example of a deadlock triggered by running test srp/002\nif this patch is not applied:\n\ntask:multipathd\nCall Trace:\n \u003cTASK\u003e\n __schedule+0x8c1/0x1bf0\n schedule+0xdd/0x270\n schedule_preempt_disabled+0x1c/0x30\n __mutex_lock+0xb89/0x1650\n mutex_lock_nested+0x1f/0x30\n dm_table_set_restrictions+0x823/0xdf0\n __bind+0x166/0x590\n dm_swap_table+0x2a7/0x490\n do_resume+0x1b1/0x610\n dev_suspend+0x55/0x1a0\n ctl_ioctl+0x3a5/0x7e0\n dm_ctl_ioctl+0x12/0x20\n __x64_sys_ioctl+0x127/0x1a0\n x64_sys_call+0xe2b/0x17d0\n do_syscall_64+0x96/0x3a0\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n \u003c/TASK\u003e\ntask:(udev-worker)\nCall Trace:\n \u003cTASK\u003e\n __schedule+0x8c1/0x1bf0\n schedule+0xdd/0x270\n blk_mq_freeze_queue_wait+0xf2/0x140\n blk_mq_freeze_queue_nomemsave+0x23/0x30\n queue_ra_store+0x14e/0x290\n queue_attr_store+0x23e/0x2c0\n sysfs_kf_write+0xde/0x140\n kernfs_fop_write_iter+0x3b2/0x630\n vfs_write+0x4fd/0x1390\n ksys_write+0xfd/0x230\n __x64_sys_write+0x76/0xc0\n x64_sys_call+0x276/0x17d0\n do_syscall_64+0x96/0x3a0\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n \u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:11.951Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3997b3147c7b68b0308378fa95a766015f8ceb1c"
},
{
"url": "https://git.kernel.org/stable/c/935a20d1bebf6236076785fac3ff81e3931834e9"
}
],
"title": "block: Remove queue freezing from several sysfs store callbacks",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71117",
"datePublished": "2026-01-14T15:06:05.161Z",
"dateReserved": "2026-01-13T15:30:19.653Z",
"dateUpdated": "2026-02-09T08:35:11.951Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39994 (GCVE-0-2025-39994)
Vulnerability from cvelistv5
Published
2025-10-15 07:58
Modified
2025-12-01 06:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: tuner: xc5000: Fix use-after-free in xc5000_release
The original code uses cancel_delayed_work() in xc5000_release(), which
does not guarantee that the delayed work item timer_sleep has fully
completed if it was already running. This leads to use-after-free scenarios
where xc5000_release() may free the xc5000_priv while timer_sleep is still
active and attempts to dereference the xc5000_priv.
A typical race condition is illustrated below:
CPU 0 (release thread) | CPU 1 (delayed work callback)
xc5000_release() | xc5000_do_timer_sleep()
cancel_delayed_work() |
hybrid_tuner_release_state(priv) |
kfree(priv) |
| priv = container_of() // UAF
Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure
that the timer_sleep is properly canceled before the xc5000_priv memory
is deallocated.
A deadlock concern was considered: xc5000_release() is called in a process
context and is not holding any locks that the timer_sleep work item might
also need. Therefore, the use of the _sync() variant is safe here.
This bug was initially identified through static analysis.
[hverkuil: fix typo in Subject: tunner -> tuner]
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8 Version: f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8 Version: f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8 Version: f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8 Version: f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8 Version: f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8 Version: f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8 Version: f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8 Version: f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/tuners/xc5000.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bc4ffd962ce16a154c44c68853b9d93f5b6fc4b8",
"status": "affected",
"version": "f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8",
"versionType": "git"
},
{
"lessThan": "e2f5eaafc0306a76fb1cb760aae804b065b8a341",
"status": "affected",
"version": "f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8",
"versionType": "git"
},
{
"lessThan": "3f876cd47ed8bca1e28d68435845949f51f90703",
"status": "affected",
"version": "f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8",
"versionType": "git"
},
{
"lessThan": "df0303b4839520b84d9367c2fad65b13650a4d42",
"status": "affected",
"version": "f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8",
"versionType": "git"
},
{
"lessThan": "71ed8b81a4906cb785966910f39cf7f5ad60a69e",
"status": "affected",
"version": "f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8",
"versionType": "git"
},
{
"lessThan": "effb1c19583bca7022fa641a70766de45c6d41ac",
"status": "affected",
"version": "f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8",
"versionType": "git"
},
{
"lessThan": "9a00de20ed8ba90888479749b87bc1532cded4ce",
"status": "affected",
"version": "f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8",
"versionType": "git"
},
{
"lessThan": "4266f012806fc18e46da4a04d130df59a4946f93",
"status": "affected",
"version": "f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8",
"versionType": "git"
},
{
"lessThan": "40b7a19f321e65789612ebaca966472055dab48c",
"status": "affected",
"version": "f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/tuners/xc5000.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.16"
},
{
"lessThan": "3.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.51",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.111",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.51",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.11",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.1",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: tuner: xc5000: Fix use-after-free in xc5000_release\n\nThe original code uses cancel_delayed_work() in xc5000_release(), which\ndoes not guarantee that the delayed work item timer_sleep has fully\ncompleted if it was already running. This leads to use-after-free scenarios\nwhere xc5000_release() may free the xc5000_priv while timer_sleep is still\nactive and attempts to dereference the xc5000_priv.\n\nA typical race condition is illustrated below:\n\nCPU 0 (release thread) | CPU 1 (delayed work callback)\nxc5000_release() | xc5000_do_timer_sleep()\n cancel_delayed_work() |\n hybrid_tuner_release_state(priv) |\n kfree(priv) |\n | priv = container_of() // UAF\n\nReplace cancel_delayed_work() with cancel_delayed_work_sync() to ensure\nthat the timer_sleep is properly canceled before the xc5000_priv memory\nis deallocated.\n\nA deadlock concern was considered: xc5000_release() is called in a process\ncontext and is not holding any locks that the timer_sleep work item might\nalso need. Therefore, the use of the _sync() variant is safe here.\n\nThis bug was initially identified through static analysis.\n\n[hverkuil: fix typo in Subject: tunner -\u003e tuner]"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:16:04.958Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bc4ffd962ce16a154c44c68853b9d93f5b6fc4b8"
},
{
"url": "https://git.kernel.org/stable/c/e2f5eaafc0306a76fb1cb760aae804b065b8a341"
},
{
"url": "https://git.kernel.org/stable/c/3f876cd47ed8bca1e28d68435845949f51f90703"
},
{
"url": "https://git.kernel.org/stable/c/df0303b4839520b84d9367c2fad65b13650a4d42"
},
{
"url": "https://git.kernel.org/stable/c/71ed8b81a4906cb785966910f39cf7f5ad60a69e"
},
{
"url": "https://git.kernel.org/stable/c/effb1c19583bca7022fa641a70766de45c6d41ac"
},
{
"url": "https://git.kernel.org/stable/c/9a00de20ed8ba90888479749b87bc1532cded4ce"
},
{
"url": "https://git.kernel.org/stable/c/4266f012806fc18e46da4a04d130df59a4946f93"
},
{
"url": "https://git.kernel.org/stable/c/40b7a19f321e65789612ebaca966472055dab48c"
}
],
"title": "media: tuner: xc5000: Fix use-after-free in xc5000_release",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39994",
"datePublished": "2025-10-15T07:58:19.503Z",
"dateReserved": "2025-04-16T07:20:57.150Z",
"dateUpdated": "2025-12-01T06:16:04.958Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40271 (GCVE-0-2025-40271)
Vulnerability from cvelistv5
Published
2025-12-06 21:50
Modified
2026-01-02 15:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs/proc: fix uaf in proc_readdir_de()
Pde is erased from subdir rbtree through rb_erase(), but not set the node
to EMPTY, which may result in uaf access. We should use RB_CLEAR_NODE()
set the erased node to EMPTY, then pde_subdir_next() will return NULL to
avoid uaf access.
We found an uaf issue while using stress-ng testing, need to run testcase
getdent and tun in the same time. The steps of the issue is as follows:
1) use getdent to traverse dir /proc/pid/net/dev_snmp6/, and current
pde is tun3;
2) in the [time windows] unregister netdevice tun3 and tun2, and erase
them from rbtree. erase tun3 first, and then erase tun2. the
pde(tun2) will be released to slab;
3) continue to getdent process, then pde_subdir_next() will return
pde(tun2) which is released, it will case uaf access.
CPU 0 | CPU 1
-------------------------------------------------------------------------
traverse dir /proc/pid/net/dev_snmp6/ | unregister_netdevice(tun->dev) //tun3 tun2
sys_getdents64() |
iterate_dir() |
proc_readdir() |
proc_readdir_de() | snmp6_unregister_dev()
pde_get(de); | proc_remove()
read_unlock(&proc_subdir_lock); | remove_proc_subtree()
| write_lock(&proc_subdir_lock);
[time window] | rb_erase(&root->subdir_node, &parent->subdir);
| write_unlock(&proc_subdir_lock);
read_lock(&proc_subdir_lock); |
next = pde_subdir_next(de); |
pde_put(de); |
de = next; //UAF |
rbtree of dev_snmp6
|
pde(tun3)
/ \
NULL pde(tun2)
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 710585d4922fd315f2cada8fbe550ae8ed23e994 Version: 710585d4922fd315f2cada8fbe550ae8ed23e994 Version: 710585d4922fd315f2cada8fbe550ae8ed23e994 Version: 710585d4922fd315f2cada8fbe550ae8ed23e994 Version: 710585d4922fd315f2cada8fbe550ae8ed23e994 Version: 710585d4922fd315f2cada8fbe550ae8ed23e994 Version: 710585d4922fd315f2cada8fbe550ae8ed23e994 Version: 710585d4922fd315f2cada8fbe550ae8ed23e994 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/proc/generic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1d1596d68a6f11d28f677eedf6cf5b17dbfeb491",
"status": "affected",
"version": "710585d4922fd315f2cada8fbe550ae8ed23e994",
"versionType": "git"
},
{
"lessThan": "c81d0385500446efe48c305bbb83d47f2ae23a50",
"status": "affected",
"version": "710585d4922fd315f2cada8fbe550ae8ed23e994",
"versionType": "git"
},
{
"lessThan": "4cba73c4c89219beef7685a47374bf88b1022369",
"status": "affected",
"version": "710585d4922fd315f2cada8fbe550ae8ed23e994",
"versionType": "git"
},
{
"lessThan": "6f2482745e510ae1dacc9b090194b9c5f918d774",
"status": "affected",
"version": "710585d4922fd315f2cada8fbe550ae8ed23e994",
"versionType": "git"
},
{
"lessThan": "67272c11f379d9aa5e0f6b16286b9d89b3f76046",
"status": "affected",
"version": "710585d4922fd315f2cada8fbe550ae8ed23e994",
"versionType": "git"
},
{
"lessThan": "623bb26127fb581a741e880e1e1a47d79aecb6f8",
"status": "affected",
"version": "710585d4922fd315f2cada8fbe550ae8ed23e994",
"versionType": "git"
},
{
"lessThan": "03de7ff197a3d0e17d0d5c58fdac99a63cba8110",
"status": "affected",
"version": "710585d4922fd315f2cada8fbe550ae8ed23e994",
"versionType": "git"
},
{
"lessThan": "895b4c0c79b092d732544011c3cecaf7322c36a1",
"status": "affected",
"version": "710585d4922fd315f2cada8fbe550ae8ed23e994",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/proc/generic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.19"
},
{
"lessThan": "3.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/proc: fix uaf in proc_readdir_de()\n\nPde is erased from subdir rbtree through rb_erase(), but not set the node\nto EMPTY, which may result in uaf access. We should use RB_CLEAR_NODE()\nset the erased node to EMPTY, then pde_subdir_next() will return NULL to\navoid uaf access.\n\nWe found an uaf issue while using stress-ng testing, need to run testcase\ngetdent and tun in the same time. The steps of the issue is as follows:\n\n1) use getdent to traverse dir /proc/pid/net/dev_snmp6/, and current\n pde is tun3;\n\n2) in the [time windows] unregister netdevice tun3 and tun2, and erase\n them from rbtree. erase tun3 first, and then erase tun2. the\n pde(tun2) will be released to slab;\n\n3) continue to getdent process, then pde_subdir_next() will return\n pde(tun2) which is released, it will case uaf access.\n\nCPU 0 | CPU 1\n-------------------------------------------------------------------------\ntraverse dir /proc/pid/net/dev_snmp6/ | unregister_netdevice(tun-\u003edev) //tun3 tun2\nsys_getdents64() |\n iterate_dir() |\n proc_readdir() |\n proc_readdir_de() | snmp6_unregister_dev()\n pde_get(de); | proc_remove()\n read_unlock(\u0026proc_subdir_lock); | remove_proc_subtree()\n | write_lock(\u0026proc_subdir_lock);\n [time window] | rb_erase(\u0026root-\u003esubdir_node, \u0026parent-\u003esubdir);\n | write_unlock(\u0026proc_subdir_lock);\n read_lock(\u0026proc_subdir_lock); |\n next = pde_subdir_next(de); |\n pde_put(de); |\n de = next; //UAF |\n\nrbtree of dev_snmp6\n |\n pde(tun3)\n / \\\n NULL pde(tun2)"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:21.831Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1d1596d68a6f11d28f677eedf6cf5b17dbfeb491"
},
{
"url": "https://git.kernel.org/stable/c/c81d0385500446efe48c305bbb83d47f2ae23a50"
},
{
"url": "https://git.kernel.org/stable/c/4cba73c4c89219beef7685a47374bf88b1022369"
},
{
"url": "https://git.kernel.org/stable/c/6f2482745e510ae1dacc9b090194b9c5f918d774"
},
{
"url": "https://git.kernel.org/stable/c/67272c11f379d9aa5e0f6b16286b9d89b3f76046"
},
{
"url": "https://git.kernel.org/stable/c/623bb26127fb581a741e880e1e1a47d79aecb6f8"
},
{
"url": "https://git.kernel.org/stable/c/03de7ff197a3d0e17d0d5c58fdac99a63cba8110"
},
{
"url": "https://git.kernel.org/stable/c/895b4c0c79b092d732544011c3cecaf7322c36a1"
}
],
"title": "fs/proc: fix uaf in proc_readdir_de()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40271",
"datePublished": "2025-12-06T21:50:53.266Z",
"dateReserved": "2025-04-16T07:20:57.183Z",
"dateUpdated": "2026-01-02T15:33:21.831Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71097 (GCVE-0-2025-71097)
Vulnerability from cvelistv5
Published
2026-01-13 15:34
Modified
2026-02-09 08:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv4: Fix reference count leak when using error routes with nexthop objects
When a nexthop object is deleted, it is marked as dead and then
fib_table_flush() is called to flush all the routes that are using the
dead nexthop.
The current logic in fib_table_flush() is to only flush error routes
(e.g., blackhole) when it is called as part of network namespace
dismantle (i.e., with flush_all=true). Therefore, error routes are not
flushed when their nexthop object is deleted:
# ip link add name dummy1 up type dummy
# ip nexthop add id 1 dev dummy1
# ip route add 198.51.100.1/32 nhid 1
# ip route add blackhole 198.51.100.2/32 nhid 1
# ip nexthop del id 1
# ip route show
blackhole 198.51.100.2 nhid 1 dev dummy1
As such, they keep holding a reference on the nexthop object which in
turn holds a reference on the nexthop device, resulting in a reference
count leak:
# ip link del dev dummy1
[ 70.516258] unregister_netdevice: waiting for dummy1 to become free. Usage count = 2
Fix by flushing error routes when their nexthop is marked as dead.
IPv6 does not suffer from this problem.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 493ced1ac47c48bb86d9d4e8e87df8592be85a0e Version: 493ced1ac47c48bb86d9d4e8e87df8592be85a0e Version: 493ced1ac47c48bb86d9d4e8e87df8592be85a0e Version: 493ced1ac47c48bb86d9d4e8e87df8592be85a0e Version: 493ced1ac47c48bb86d9d4e8e87df8592be85a0e Version: 493ced1ac47c48bb86d9d4e8e87df8592be85a0e Version: 493ced1ac47c48bb86d9d4e8e87df8592be85a0e |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/fib_trie.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5de7ad7e18356e39e8fbf7edd185a5faaf4f385a",
"status": "affected",
"version": "493ced1ac47c48bb86d9d4e8e87df8592be85a0e",
"versionType": "git"
},
{
"lessThan": "33ff5c207c873215e54e6176624ed57423cb7dea",
"status": "affected",
"version": "493ced1ac47c48bb86d9d4e8e87df8592be85a0e",
"versionType": "git"
},
{
"lessThan": "30386e090c49e803c0616a7147e43409c32a2b0e",
"status": "affected",
"version": "493ced1ac47c48bb86d9d4e8e87df8592be85a0e",
"versionType": "git"
},
{
"lessThan": "5979338c83012110ccd45cae6517591770bfe536",
"status": "affected",
"version": "493ced1ac47c48bb86d9d4e8e87df8592be85a0e",
"versionType": "git"
},
{
"lessThan": "ee4183501ea556dca31f5ffd8690aa9fd25b609f",
"status": "affected",
"version": "493ced1ac47c48bb86d9d4e8e87df8592be85a0e",
"versionType": "git"
},
{
"lessThan": "e3fc381320d04e4a74311e576a86cac49a16fc43",
"status": "affected",
"version": "493ced1ac47c48bb86d9d4e8e87df8592be85a0e",
"versionType": "git"
},
{
"lessThan": "ac782f4e3bfcde145b8a7f8af31d9422d94d172a",
"status": "affected",
"version": "493ced1ac47c48bb86d9d4e8e87df8592be85a0e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/fib_trie.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"lessThan": "5.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: Fix reference count leak when using error routes with nexthop objects\n\nWhen a nexthop object is deleted, it is marked as dead and then\nfib_table_flush() is called to flush all the routes that are using the\ndead nexthop.\n\nThe current logic in fib_table_flush() is to only flush error routes\n(e.g., blackhole) when it is called as part of network namespace\ndismantle (i.e., with flush_all=true). Therefore, error routes are not\nflushed when their nexthop object is deleted:\n\n # ip link add name dummy1 up type dummy\n # ip nexthop add id 1 dev dummy1\n # ip route add 198.51.100.1/32 nhid 1\n # ip route add blackhole 198.51.100.2/32 nhid 1\n # ip nexthop del id 1\n # ip route show\n blackhole 198.51.100.2 nhid 1 dev dummy1\n\nAs such, they keep holding a reference on the nexthop object which in\nturn holds a reference on the nexthop device, resulting in a reference\ncount leak:\n\n # ip link del dev dummy1\n [ 70.516258] unregister_netdevice: waiting for dummy1 to become free. Usage count = 2\n\nFix by flushing error routes when their nexthop is marked as dead.\n\nIPv6 does not suffer from this problem."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:49.901Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5de7ad7e18356e39e8fbf7edd185a5faaf4f385a"
},
{
"url": "https://git.kernel.org/stable/c/33ff5c207c873215e54e6176624ed57423cb7dea"
},
{
"url": "https://git.kernel.org/stable/c/30386e090c49e803c0616a7147e43409c32a2b0e"
},
{
"url": "https://git.kernel.org/stable/c/5979338c83012110ccd45cae6517591770bfe536"
},
{
"url": "https://git.kernel.org/stable/c/ee4183501ea556dca31f5ffd8690aa9fd25b609f"
},
{
"url": "https://git.kernel.org/stable/c/e3fc381320d04e4a74311e576a86cac49a16fc43"
},
{
"url": "https://git.kernel.org/stable/c/ac782f4e3bfcde145b8a7f8af31d9422d94d172a"
}
],
"title": "ipv4: Fix reference count leak when using error routes with nexthop objects",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71097",
"datePublished": "2026-01-13T15:34:56.814Z",
"dateReserved": "2026-01-13T15:30:19.650Z",
"dateUpdated": "2026-02-09T08:34:49.901Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68295 (GCVE-0-2025-68295)
Vulnerability from cvelistv5
Published
2025-12-16 15:06
Modified
2025-12-16 15:06
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix memory leak in cifs_construct_tcon()
When having a multiuser mount with domain= specified and using
cifscreds, cifs_set_cifscreds() will end up setting @ctx->domainname,
so it needs to be freed before leaving cifs_construct_tcon().
This fixes the following memory leak reported by kmemleak:
mount.cifs //srv/share /mnt -o domain=ZELDA,multiuser,...
su - testuser
cifscreds add -d ZELDA -u testuser
...
ls /mnt/1
...
umount /mnt
echo scan > /sys/kernel/debug/kmemleak
cat /sys/kernel/debug/kmemleak
unreferenced object 0xffff8881203c3f08 (size 8):
comm "ls", pid 5060, jiffies 4307222943
hex dump (first 8 bytes):
5a 45 4c 44 41 00 cc cc ZELDA...
backtrace (crc d109a8cf):
__kmalloc_node_track_caller_noprof+0x572/0x710
kstrdup+0x3a/0x70
cifs_sb_tlink+0x1209/0x1770 [cifs]
cifs_get_fattr+0xe1/0xf50 [cifs]
cifs_get_inode_info+0xb5/0x240 [cifs]
cifs_revalidate_dentry_attr+0x2d1/0x470 [cifs]
cifs_getattr+0x28e/0x450 [cifs]
vfs_getattr_nosec+0x126/0x180
vfs_statx+0xf6/0x220
do_statx+0xab/0x110
__x64_sys_statx+0xd5/0x130
do_syscall_64+0xbb/0x380
entry_SYSCALL_64_after_hwframe+0x77/0x7f
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: f2aee329a68f5a907bcff11a109dfe17c0b41aeb Version: f2aee329a68f5a907bcff11a109dfe17c0b41aeb Version: f2aee329a68f5a907bcff11a109dfe17c0b41aeb Version: f2aee329a68f5a907bcff11a109dfe17c0b41aeb Version: f2aee329a68f5a907bcff11a109dfe17c0b41aeb Version: f2aee329a68f5a907bcff11a109dfe17c0b41aeb Version: f2aee329a68f5a907bcff11a109dfe17c0b41aeb Version: 1456d3cea31114137fabf1110d20a2e2c6d6060f Version: 16764d7486d02b1699ae16e91d7a577602398b17 Version: 904847402bd74a28164bd4d8da082d1eace7c190 Version: 325fa2a6729b74b2806b31725940cb54658515e5 Version: 8db988a982908b7bff76e095000adabf9c29698b |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/client/connect.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ff8f9bd1c46ee02d5558293915d42e82646d5ee9",
"status": "affected",
"version": "f2aee329a68f5a907bcff11a109dfe17c0b41aeb",
"versionType": "git"
},
{
"lessThan": "d146e96fef876492979658dce644305de35878d4",
"status": "affected",
"version": "f2aee329a68f5a907bcff11a109dfe17c0b41aeb",
"versionType": "git"
},
{
"lessThan": "3dd546e867e94c2f954bca45a961b6104ba708b6",
"status": "affected",
"version": "f2aee329a68f5a907bcff11a109dfe17c0b41aeb",
"versionType": "git"
},
{
"lessThan": "f62ffdfb431bdfa4b6d24233b7fd830eca0b801e",
"status": "affected",
"version": "f2aee329a68f5a907bcff11a109dfe17c0b41aeb",
"versionType": "git"
},
{
"lessThan": "f15288c137d960836277d0e3ecc62de68e52f00f",
"status": "affected",
"version": "f2aee329a68f5a907bcff11a109dfe17c0b41aeb",
"versionType": "git"
},
{
"lessThan": "a67e91d5f446e455dd9201cdd6e865f7078d251d",
"status": "affected",
"version": "f2aee329a68f5a907bcff11a109dfe17c0b41aeb",
"versionType": "git"
},
{
"lessThan": "3184b6a5a24ec9ee74087b2a550476f386df7dc2",
"status": "affected",
"version": "f2aee329a68f5a907bcff11a109dfe17c0b41aeb",
"versionType": "git"
},
{
"status": "affected",
"version": "1456d3cea31114137fabf1110d20a2e2c6d6060f",
"versionType": "git"
},
{
"status": "affected",
"version": "16764d7486d02b1699ae16e91d7a577602398b17",
"versionType": "git"
},
{
"status": "affected",
"version": "904847402bd74a28164bd4d8da082d1eace7c190",
"versionType": "git"
},
{
"status": "affected",
"version": "325fa2a6729b74b2806b31725940cb54658515e5",
"versionType": "git"
},
{
"status": "affected",
"version": "8db988a982908b7bff76e095000adabf9c29698b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/client/connect.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"lessThan": "5.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.194",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.194",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.146",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.75",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.2.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix memory leak in cifs_construct_tcon()\n\nWhen having a multiuser mount with domain= specified and using\ncifscreds, cifs_set_cifscreds() will end up setting @ctx-\u003edomainname,\nso it needs to be freed before leaving cifs_construct_tcon().\n\nThis fixes the following memory leak reported by kmemleak:\n\n mount.cifs //srv/share /mnt -o domain=ZELDA,multiuser,...\n su - testuser\n cifscreds add -d ZELDA -u testuser\n ...\n ls /mnt/1\n ...\n umount /mnt\n echo scan \u003e /sys/kernel/debug/kmemleak\n cat /sys/kernel/debug/kmemleak\n unreferenced object 0xffff8881203c3f08 (size 8):\n comm \"ls\", pid 5060, jiffies 4307222943\n hex dump (first 8 bytes):\n 5a 45 4c 44 41 00 cc cc ZELDA...\n backtrace (crc d109a8cf):\n __kmalloc_node_track_caller_noprof+0x572/0x710\n kstrdup+0x3a/0x70\n cifs_sb_tlink+0x1209/0x1770 [cifs]\n cifs_get_fattr+0xe1/0xf50 [cifs]\n cifs_get_inode_info+0xb5/0x240 [cifs]\n cifs_revalidate_dentry_attr+0x2d1/0x470 [cifs]\n cifs_getattr+0x28e/0x450 [cifs]\n vfs_getattr_nosec+0x126/0x180\n vfs_statx+0xf6/0x220\n do_statx+0xab/0x110\n __x64_sys_statx+0xd5/0x130\n do_syscall_64+0xbb/0x380\n entry_SYSCALL_64_after_hwframe+0x77/0x7f"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:06:14.977Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ff8f9bd1c46ee02d5558293915d42e82646d5ee9"
},
{
"url": "https://git.kernel.org/stable/c/d146e96fef876492979658dce644305de35878d4"
},
{
"url": "https://git.kernel.org/stable/c/3dd546e867e94c2f954bca45a961b6104ba708b6"
},
{
"url": "https://git.kernel.org/stable/c/f62ffdfb431bdfa4b6d24233b7fd830eca0b801e"
},
{
"url": "https://git.kernel.org/stable/c/f15288c137d960836277d0e3ecc62de68e52f00f"
},
{
"url": "https://git.kernel.org/stable/c/a67e91d5f446e455dd9201cdd6e865f7078d251d"
},
{
"url": "https://git.kernel.org/stable/c/3184b6a5a24ec9ee74087b2a550476f386df7dc2"
}
],
"title": "smb: client: fix memory leak in cifs_construct_tcon()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68295",
"datePublished": "2025-12-16T15:06:14.977Z",
"dateReserved": "2025-12-16T14:48:05.293Z",
"dateUpdated": "2025-12-16T15:06:14.977Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40349 (GCVE-0-2025-40349)
Vulnerability from cvelistv5
Published
2025-12-16 13:30
Modified
2026-01-02 15:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
hfs: validate record offset in hfsplus_bmap_alloc
hfsplus_bmap_alloc can trigger a crash if a
record offset or length is larger than node_size
[ 15.264282] BUG: KASAN: slab-out-of-bounds in hfsplus_bmap_alloc+0x887/0x8b0
[ 15.265192] Read of size 8 at addr ffff8881085ca188 by task test/183
[ 15.265949]
[ 15.266163] CPU: 0 UID: 0 PID: 183 Comm: test Not tainted 6.17.0-rc2-gc17b750b3ad9 #14 PREEMPT(voluntary)
[ 15.266165] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 15.266167] Call Trace:
[ 15.266168] <TASK>
[ 15.266169] dump_stack_lvl+0x53/0x70
[ 15.266173] print_report+0xd0/0x660
[ 15.266181] kasan_report+0xce/0x100
[ 15.266185] hfsplus_bmap_alloc+0x887/0x8b0
[ 15.266208] hfs_btree_inc_height.isra.0+0xd5/0x7c0
[ 15.266217] hfsplus_brec_insert+0x870/0xb00
[ 15.266222] __hfsplus_ext_write_extent+0x428/0x570
[ 15.266225] __hfsplus_ext_cache_extent+0x5e/0x910
[ 15.266227] hfsplus_ext_read_extent+0x1b2/0x200
[ 15.266233] hfsplus_file_extend+0x5a7/0x1000
[ 15.266237] hfsplus_get_block+0x12b/0x8c0
[ 15.266238] __block_write_begin_int+0x36b/0x12c0
[ 15.266251] block_write_begin+0x77/0x110
[ 15.266252] cont_write_begin+0x428/0x720
[ 15.266259] hfsplus_write_begin+0x51/0x100
[ 15.266262] cont_write_begin+0x272/0x720
[ 15.266270] hfsplus_write_begin+0x51/0x100
[ 15.266274] generic_perform_write+0x321/0x750
[ 15.266285] generic_file_write_iter+0xc3/0x310
[ 15.266289] __kernel_write_iter+0x2fd/0x800
[ 15.266296] dump_user_range+0x2ea/0x910
[ 15.266301] elf_core_dump+0x2a94/0x2ed0
[ 15.266320] vfs_coredump+0x1d85/0x45e0
[ 15.266349] get_signal+0x12e3/0x1990
[ 15.266357] arch_do_signal_or_restart+0x89/0x580
[ 15.266362] irqentry_exit_to_user_mode+0xab/0x110
[ 15.266364] asm_exc_page_fault+0x26/0x30
[ 15.266366] RIP: 0033:0x41bd35
[ 15.266367] Code: bc d1 f3 0f 7f 27 f3 0f 7f 6f 10 f3 0f 7f 77 20 f3 0f 7f 7f 30 49 83 c0 0f 49 29 d0 48 8d 7c 17 31 e9 9f 0b 00 00 66 0f ef c0 <f3> 0f 6f 0e f3 0f 6f 56 10 66 0f 74 c1 66 0f d7 d0 49 83 f8f
[ 15.266369] RSP: 002b:00007ffc9e62d078 EFLAGS: 00010283
[ 15.266371] RAX: 00007ffc9e62d100 RBX: 0000000000000000 RCX: 0000000000000000
[ 15.266372] RDX: 00000000000000e0 RSI: 0000000000000000 RDI: 00007ffc9e62d100
[ 15.266373] RBP: 0000400000000040 R08: 00000000000000e0 R09: 0000000000000000
[ 15.266374] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 15.266375] R13: 0000000000000000 R14: 0000000000000000 R15: 0000400000000000
[ 15.266376] </TASK>
When calling hfsplus_bmap_alloc to allocate a free node, this function
first retrieves the bitmap from header node and map node using node->page
together with the offset and length from hfs_brec_lenoff
```
len = hfs_brec_lenoff(node, 2, &off16);
off = off16;
off += node->page_offset;
pagep = node->page + (off >> PAGE_SHIFT);
data = kmap_local_page(*pagep);
```
However, if the retrieved offset or length is invalid(i.e. exceeds
node_size), the code may end up accessing pages outside the allocated
range for this node.
This patch adds proper validation of both offset and length before use,
preventing out-of-bounds page access. Move is_bnode_offset_valid and
check_and_correct_requested_length to hfsplus_fs.h, as they may be
required by other functions.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/hfsplus/bnode.c",
"fs/hfsplus/btree.c",
"fs/hfsplus/hfsplus_fs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f7d9f600c7c3ff5dab36181a388af55f2c95604c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "40dfe7a4215a1f20842561ffaf5a6f83a987e75b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "418e48cab99c52c1760636a4dbe464bf6db2018b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0058d20d76182861dbdd8fd6e2dd8d18d6d3becf",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4f40a2b3969daf10dca4dea6f6dd0e813f79b227",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "17ed51cfce6c62cffb97059ef392ad2e0245806e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "068a46df3e6acc68fb9db0a6313ab379a11ecd6f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "738d5a51864ed8d7a68600b8c0c63fe6fe5c4f20",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/hfsplus/bnode.c",
"fs/hfsplus/btree.c",
"fs/hfsplus/hfsplus_fs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.196",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.115",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.196",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.115",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.56",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.6",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfs: validate record offset in hfsplus_bmap_alloc\n\nhfsplus_bmap_alloc can trigger a crash if a\nrecord offset or length is larger than node_size\n\n[ 15.264282] BUG: KASAN: slab-out-of-bounds in hfsplus_bmap_alloc+0x887/0x8b0\n[ 15.265192] Read of size 8 at addr ffff8881085ca188 by task test/183\n[ 15.265949]\n[ 15.266163] CPU: 0 UID: 0 PID: 183 Comm: test Not tainted 6.17.0-rc2-gc17b750b3ad9 #14 PREEMPT(voluntary)\n[ 15.266165] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[ 15.266167] Call Trace:\n[ 15.266168] \u003cTASK\u003e\n[ 15.266169] dump_stack_lvl+0x53/0x70\n[ 15.266173] print_report+0xd0/0x660\n[ 15.266181] kasan_report+0xce/0x100\n[ 15.266185] hfsplus_bmap_alloc+0x887/0x8b0\n[ 15.266208] hfs_btree_inc_height.isra.0+0xd5/0x7c0\n[ 15.266217] hfsplus_brec_insert+0x870/0xb00\n[ 15.266222] __hfsplus_ext_write_extent+0x428/0x570\n[ 15.266225] __hfsplus_ext_cache_extent+0x5e/0x910\n[ 15.266227] hfsplus_ext_read_extent+0x1b2/0x200\n[ 15.266233] hfsplus_file_extend+0x5a7/0x1000\n[ 15.266237] hfsplus_get_block+0x12b/0x8c0\n[ 15.266238] __block_write_begin_int+0x36b/0x12c0\n[ 15.266251] block_write_begin+0x77/0x110\n[ 15.266252] cont_write_begin+0x428/0x720\n[ 15.266259] hfsplus_write_begin+0x51/0x100\n[ 15.266262] cont_write_begin+0x272/0x720\n[ 15.266270] hfsplus_write_begin+0x51/0x100\n[ 15.266274] generic_perform_write+0x321/0x750\n[ 15.266285] generic_file_write_iter+0xc3/0x310\n[ 15.266289] __kernel_write_iter+0x2fd/0x800\n[ 15.266296] dump_user_range+0x2ea/0x910\n[ 15.266301] elf_core_dump+0x2a94/0x2ed0\n[ 15.266320] vfs_coredump+0x1d85/0x45e0\n[ 15.266349] get_signal+0x12e3/0x1990\n[ 15.266357] arch_do_signal_or_restart+0x89/0x580\n[ 15.266362] irqentry_exit_to_user_mode+0xab/0x110\n[ 15.266364] asm_exc_page_fault+0x26/0x30\n[ 15.266366] RIP: 0033:0x41bd35\n[ 15.266367] Code: bc d1 f3 0f 7f 27 f3 0f 7f 6f 10 f3 0f 7f 77 20 f3 0f 7f 7f 30 49 83 c0 0f 49 29 d0 48 8d 7c 17 31 e9 9f 0b 00 00 66 0f ef c0 \u003cf3\u003e 0f 6f 0e f3 0f 6f 56 10 66 0f 74 c1 66 0f d7 d0 49 83 f8f\n[ 15.266369] RSP: 002b:00007ffc9e62d078 EFLAGS: 00010283\n[ 15.266371] RAX: 00007ffc9e62d100 RBX: 0000000000000000 RCX: 0000000000000000\n[ 15.266372] RDX: 00000000000000e0 RSI: 0000000000000000 RDI: 00007ffc9e62d100\n[ 15.266373] RBP: 0000400000000040 R08: 00000000000000e0 R09: 0000000000000000\n[ 15.266374] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n[ 15.266375] R13: 0000000000000000 R14: 0000000000000000 R15: 0000400000000000\n[ 15.266376] \u003c/TASK\u003e\n\nWhen calling hfsplus_bmap_alloc to allocate a free node, this function\nfirst retrieves the bitmap from header node and map node using node-\u003epage\ntogether with the offset and length from hfs_brec_lenoff\n\n```\nlen = hfs_brec_lenoff(node, 2, \u0026off16);\noff = off16;\n\noff += node-\u003epage_offset;\npagep = node-\u003epage + (off \u003e\u003e PAGE_SHIFT);\ndata = kmap_local_page(*pagep);\n```\n\nHowever, if the retrieved offset or length is invalid(i.e. exceeds\nnode_size), the code may end up accessing pages outside the allocated\nrange for this node.\n\nThis patch adds proper validation of both offset and length before use,\npreventing out-of-bounds page access. Move is_bnode_offset_valid and\ncheck_and_correct_requested_length to hfsplus_fs.h, as they may be\nrequired by other functions."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:44.685Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f7d9f600c7c3ff5dab36181a388af55f2c95604c"
},
{
"url": "https://git.kernel.org/stable/c/40dfe7a4215a1f20842561ffaf5a6f83a987e75b"
},
{
"url": "https://git.kernel.org/stable/c/418e48cab99c52c1760636a4dbe464bf6db2018b"
},
{
"url": "https://git.kernel.org/stable/c/0058d20d76182861dbdd8fd6e2dd8d18d6d3becf"
},
{
"url": "https://git.kernel.org/stable/c/4f40a2b3969daf10dca4dea6f6dd0e813f79b227"
},
{
"url": "https://git.kernel.org/stable/c/17ed51cfce6c62cffb97059ef392ad2e0245806e"
},
{
"url": "https://git.kernel.org/stable/c/068a46df3e6acc68fb9db0a6313ab379a11ecd6f"
},
{
"url": "https://git.kernel.org/stable/c/738d5a51864ed8d7a68600b8c0c63fe6fe5c4f20"
}
],
"title": "hfs: validate record offset in hfsplus_bmap_alloc",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40349",
"datePublished": "2025-12-16T13:30:23.092Z",
"dateReserved": "2025-04-16T07:20:57.187Z",
"dateUpdated": "2026-01-02T15:33:44.685Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68799 (GCVE-0-2025-68799)
Vulnerability from cvelistv5
Published
2026-01-13 15:29
Modified
2026-02-09 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
caif: fix integer underflow in cffrml_receive()
The cffrml_receive() function extracts a length field from the packet
header and, when FCS is disabled, subtracts 2 from this length without
validating that len >= 2.
If an attacker sends a malicious packet with a length field of 0 or 1
to an interface with FCS disabled, the subtraction causes an integer
underflow.
This can lead to memory exhaustion and kernel instability, potential
information disclosure if padding contains uninitialized kernel memory.
Fix this by validating that len >= 2 before performing the subtraction.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: b482cd2053e3b90a7b33a78c63cdb6badf2ec383 Version: b482cd2053e3b90a7b33a78c63cdb6badf2ec383 Version: b482cd2053e3b90a7b33a78c63cdb6badf2ec383 Version: b482cd2053e3b90a7b33a78c63cdb6badf2ec383 Version: b482cd2053e3b90a7b33a78c63cdb6badf2ec383 Version: b482cd2053e3b90a7b33a78c63cdb6badf2ec383 Version: b482cd2053e3b90a7b33a78c63cdb6badf2ec383 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/caif/cffrml.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f407f1c9f45bbf5c99fd80b3f3f4a94fdbe35691",
"status": "affected",
"version": "b482cd2053e3b90a7b33a78c63cdb6badf2ec383",
"versionType": "git"
},
{
"lessThan": "c54091eec6fed19e94182aa05dd6846600a642f7",
"status": "affected",
"version": "b482cd2053e3b90a7b33a78c63cdb6badf2ec383",
"versionType": "git"
},
{
"lessThan": "785c7be6361630070790f6235b696da156ac71b3",
"status": "affected",
"version": "b482cd2053e3b90a7b33a78c63cdb6badf2ec383",
"versionType": "git"
},
{
"lessThan": "f818cd472565f8b0c2c409b040e0121c5cf8592c",
"status": "affected",
"version": "b482cd2053e3b90a7b33a78c63cdb6badf2ec383",
"versionType": "git"
},
{
"lessThan": "4ec29714aa4e0601ea29d2f02b461fc0ac92c2c3",
"status": "affected",
"version": "b482cd2053e3b90a7b33a78c63cdb6badf2ec383",
"versionType": "git"
},
{
"lessThan": "21fdcc00656a60af3c7aae2dea8dd96abd35519c",
"status": "affected",
"version": "b482cd2053e3b90a7b33a78c63cdb6badf2ec383",
"versionType": "git"
},
{
"lessThan": "8a11ff0948b5ad09b71896b7ccc850625f9878d1",
"status": "affected",
"version": "b482cd2053e3b90a7b33a78c63cdb6badf2ec383",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/caif/cffrml.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.35"
},
{
"lessThan": "2.6.35",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.35",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncaif: fix integer underflow in cffrml_receive()\n\nThe cffrml_receive() function extracts a length field from the packet\nheader and, when FCS is disabled, subtracts 2 from this length without\nvalidating that len \u003e= 2.\n\nIf an attacker sends a malicious packet with a length field of 0 or 1\nto an interface with FCS disabled, the subtraction causes an integer\nunderflow.\n\nThis can lead to memory exhaustion and kernel instability, potential\ninformation disclosure if padding contains uninitialized kernel memory.\n\nFix this by validating that len \u003e= 2 before performing the subtraction."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:47.455Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f407f1c9f45bbf5c99fd80b3f3f4a94fdbe35691"
},
{
"url": "https://git.kernel.org/stable/c/c54091eec6fed19e94182aa05dd6846600a642f7"
},
{
"url": "https://git.kernel.org/stable/c/785c7be6361630070790f6235b696da156ac71b3"
},
{
"url": "https://git.kernel.org/stable/c/f818cd472565f8b0c2c409b040e0121c5cf8592c"
},
{
"url": "https://git.kernel.org/stable/c/4ec29714aa4e0601ea29d2f02b461fc0ac92c2c3"
},
{
"url": "https://git.kernel.org/stable/c/21fdcc00656a60af3c7aae2dea8dd96abd35519c"
},
{
"url": "https://git.kernel.org/stable/c/8a11ff0948b5ad09b71896b7ccc850625f9878d1"
}
],
"title": "caif: fix integer underflow in cffrml_receive()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68799",
"datePublished": "2026-01-13T15:29:09.012Z",
"dateReserved": "2025-12-24T10:30:51.042Z",
"dateUpdated": "2026-02-09T08:33:47.455Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71180 (GCVE-0-2025-71180)
Vulnerability from cvelistv5
Published
2026-01-31 11:38
Modified
2026-02-09 08:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
counter: interrupt-cnt: Drop IRQF_NO_THREAD flag
An IRQ handler can either be IRQF_NO_THREAD or acquire spinlock_t, as
CONFIG_PROVE_RAW_LOCK_NESTING warns:
=============================
[ BUG: Invalid wait context ]
6.18.0-rc1+git... #1
-----------------------------
some-user-space-process/1251 is trying to lock:
(&counter->events_list_lock){....}-{3:3}, at: counter_push_event [counter]
other info that might help us debug this:
context-{2:2}
no locks held by some-user-space-process/....
stack backtrace:
CPU: 0 UID: 0 PID: 1251 Comm: some-user-space-process 6.18.0-rc1+git... #1 PREEMPT
Call trace:
show_stack (C)
dump_stack_lvl
dump_stack
__lock_acquire
lock_acquire
_raw_spin_lock_irqsave
counter_push_event [counter]
interrupt_cnt_isr [interrupt_cnt]
__handle_irq_event_percpu
handle_irq_event
handle_simple_irq
handle_irq_desc
generic_handle_domain_irq
gpio_irq_handler
handle_irq_desc
generic_handle_domain_irq
gic_handle_irq
call_on_irq_stack
do_interrupt_handler
el0_interrupt
__el0_irq_handler_common
el0t_64_irq_handler
el0t_64_irq
... and Sebastian correctly points out. Remove IRQF_NO_THREAD as an
alternative to switching to raw_spinlock_t, because the latter would limit
all potential nested locks to raw_spinlock_t only.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: a55ebd47f21f6f0472766fb52c973849e31d1466 Version: a55ebd47f21f6f0472766fb52c973849e31d1466 Version: a55ebd47f21f6f0472766fb52c973849e31d1466 Version: a55ebd47f21f6f0472766fb52c973849e31d1466 Version: a55ebd47f21f6f0472766fb52c973849e31d1466 Version: a55ebd47f21f6f0472766fb52c973849e31d1466 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/counter/interrupt-cnt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ef668c9a2261ec9287faba6e6ef05a98b391aa2b",
"status": "affected",
"version": "a55ebd47f21f6f0472766fb52c973849e31d1466",
"versionType": "git"
},
{
"lessThan": "51d2e5d6491447258cb39ff1deb93df15d3c23cb",
"status": "affected",
"version": "a55ebd47f21f6f0472766fb52c973849e31d1466",
"versionType": "git"
},
{
"lessThan": "1c5a3175aecf82cd86dfcbef2a23e8b26d8d8e7c",
"status": "affected",
"version": "a55ebd47f21f6f0472766fb52c973849e31d1466",
"versionType": "git"
},
{
"lessThan": "49a66829dd3653695e60d7cae13521d131362fcd",
"status": "affected",
"version": "a55ebd47f21f6f0472766fb52c973849e31d1466",
"versionType": "git"
},
{
"lessThan": "425886b1f8304621b3f16632b274357067d5f13f",
"status": "affected",
"version": "a55ebd47f21f6f0472766fb52c973849e31d1466",
"versionType": "git"
},
{
"lessThan": "23f9485510c338476b9735d516c1d4aacb810d46",
"status": "affected",
"version": "a55ebd47f21f6f0472766fb52c973849e31d1466",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/counter/interrupt-cnt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncounter: interrupt-cnt: Drop IRQF_NO_THREAD flag\n\nAn IRQ handler can either be IRQF_NO_THREAD or acquire spinlock_t, as\nCONFIG_PROVE_RAW_LOCK_NESTING warns:\n=============================\n[ BUG: Invalid wait context ]\n6.18.0-rc1+git... #1\n-----------------------------\nsome-user-space-process/1251 is trying to lock:\n(\u0026counter-\u003eevents_list_lock){....}-{3:3}, at: counter_push_event [counter]\nother info that might help us debug this:\ncontext-{2:2}\nno locks held by some-user-space-process/....\nstack backtrace:\nCPU: 0 UID: 0 PID: 1251 Comm: some-user-space-process 6.18.0-rc1+git... #1 PREEMPT\nCall trace:\n show_stack (C)\n dump_stack_lvl\n dump_stack\n __lock_acquire\n lock_acquire\n _raw_spin_lock_irqsave\n counter_push_event [counter]\n interrupt_cnt_isr [interrupt_cnt]\n __handle_irq_event_percpu\n handle_irq_event\n handle_simple_irq\n handle_irq_desc\n generic_handle_domain_irq\n gpio_irq_handler\n handle_irq_desc\n generic_handle_domain_irq\n gic_handle_irq\n call_on_irq_stack\n do_interrupt_handler\n el0_interrupt\n __el0_irq_handler_common\n el0t_64_irq_handler\n el0t_64_irq\n\n... and Sebastian correctly points out. Remove IRQF_NO_THREAD as an\nalternative to switching to raw_spinlock_t, because the latter would limit\nall potential nested locks to raw_spinlock_t only."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:04.225Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ef668c9a2261ec9287faba6e6ef05a98b391aa2b"
},
{
"url": "https://git.kernel.org/stable/c/51d2e5d6491447258cb39ff1deb93df15d3c23cb"
},
{
"url": "https://git.kernel.org/stable/c/1c5a3175aecf82cd86dfcbef2a23e8b26d8d8e7c"
},
{
"url": "https://git.kernel.org/stable/c/49a66829dd3653695e60d7cae13521d131362fcd"
},
{
"url": "https://git.kernel.org/stable/c/425886b1f8304621b3f16632b274357067d5f13f"
},
{
"url": "https://git.kernel.org/stable/c/23f9485510c338476b9735d516c1d4aacb810d46"
}
],
"title": "counter: interrupt-cnt: Drop IRQF_NO_THREAD flag",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71180",
"datePublished": "2026-01-31T11:38:52.481Z",
"dateReserved": "2026-01-31T11:36:51.183Z",
"dateUpdated": "2026-02-09T08:36:04.225Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68266 (GCVE-0-2025-68266)
Vulnerability from cvelistv5
Published
2025-12-16 14:47
Modified
2026-01-19 12:18
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bfs: Reconstruct file type when loading from disk
syzbot is reporting that S_IFMT bits of inode->i_mode can become bogus when
the S_IFMT bits of the 32bits "mode" field loaded from disk are corrupted
or when the 32bits "attributes" field loaded from disk are corrupted.
A documentation says that BFS uses only lower 9 bits of the "mode" field.
But I can't find an explicit explanation that the unused upper 23 bits
(especially, the S_IFMT bits) are initialized with 0.
Therefore, ignore the S_IFMT bits of the "mode" field loaded from disk.
Also, verify that the value of the "attributes" field loaded from disk is
either BFS_VREG or BFS_VDIR (because BFS supports only regular files and
the root directory).
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/bfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d0c5ec1f57d8fbb953f166a27d9d32473dc8f3e4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "aeccd6743ee4fdd1ab8cfcbb5b9a20b613418f6d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8f73336b75bd3457b6f9410f2a0601a238f32238",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a9f626396bfe66f49b743601e862767928237cc0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "77899444d46162aeb65f229590c26ba266864223",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a8cb796e7e2cb7971311ba236922f5e7e1be77e6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "34ab4c75588c07cca12884f2bf6b0347c7a13872",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/bfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.62",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.62",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.12",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbfs: Reconstruct file type when loading from disk\n\nsyzbot is reporting that S_IFMT bits of inode-\u003ei_mode can become bogus when\nthe S_IFMT bits of the 32bits \"mode\" field loaded from disk are corrupted\nor when the 32bits \"attributes\" field loaded from disk are corrupted.\n\nA documentation says that BFS uses only lower 9 bits of the \"mode\" field.\nBut I can\u0027t find an explicit explanation that the unused upper 23 bits\n(especially, the S_IFMT bits) are initialized with 0.\n\nTherefore, ignore the S_IFMT bits of the \"mode\" field loaded from disk.\nAlso, verify that the value of the \"attributes\" field loaded from disk is\neither BFS_VREG or BFS_VDIR (because BFS supports only regular files and\nthe root directory)."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:18:15.201Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d0c5ec1f57d8fbb953f166a27d9d32473dc8f3e4"
},
{
"url": "https://git.kernel.org/stable/c/aeccd6743ee4fdd1ab8cfcbb5b9a20b613418f6d"
},
{
"url": "https://git.kernel.org/stable/c/8f73336b75bd3457b6f9410f2a0601a238f32238"
},
{
"url": "https://git.kernel.org/stable/c/a9f626396bfe66f49b743601e862767928237cc0"
},
{
"url": "https://git.kernel.org/stable/c/77899444d46162aeb65f229590c26ba266864223"
},
{
"url": "https://git.kernel.org/stable/c/a8cb796e7e2cb7971311ba236922f5e7e1be77e6"
},
{
"url": "https://git.kernel.org/stable/c/34ab4c75588c07cca12884f2bf6b0347c7a13872"
}
],
"title": "bfs: Reconstruct file type when loading from disk",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68266",
"datePublished": "2025-12-16T14:47:06.240Z",
"dateReserved": "2025-12-16T13:41:40.268Z",
"dateUpdated": "2026-01-19T12:18:15.201Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-47666 (GCVE-0-2024-47666)
Vulnerability from cvelistv5
Published
2024-10-09 14:13
Modified
2026-01-05 10:53
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: pm80xx: Set phy->enable_completion only when we wait for it
pm8001_phy_control() populates the enable_completion pointer with a stack
address, sends a PHY_LINK_RESET / PHY_HARD_RESET, waits 300 ms, and
returns. The problem arises when a phy control response comes late. After
300 ms the pm8001_phy_control() function returns and the passed
enable_completion stack address is no longer valid. Late phy control
response invokes complete() on a dangling enable_completion pointer which
leads to a kernel crash.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 869ddbdcae3b4fb83b99889abae31544c149b210 Version: 869ddbdcae3b4fb83b99889abae31544c149b210 Version: 869ddbdcae3b4fb83b99889abae31544c149b210 Version: 869ddbdcae3b4fb83b99889abae31544c149b210 Version: 869ddbdcae3b4fb83b99889abae31544c149b210 Version: 869ddbdcae3b4fb83b99889abae31544c149b210 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47666",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-10T13:21:42.621552Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-10T13:21:56.821Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/pm8001/pm8001_sas.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ddc501f4130f4baa787cb6cfa309af697179f475",
"status": "affected",
"version": "869ddbdcae3b4fb83b99889abae31544c149b210",
"versionType": "git"
},
{
"lessThan": "a5d954802bda1aabcba49633cd94bad91c94113f",
"status": "affected",
"version": "869ddbdcae3b4fb83b99889abae31544c149b210",
"versionType": "git"
},
{
"lessThan": "e23ee0cc5bded07e700553aecc333bb20c768546",
"status": "affected",
"version": "869ddbdcae3b4fb83b99889abae31544c149b210",
"versionType": "git"
},
{
"lessThan": "7b1d779647afaea9185fa2f150b1721e7c1aae89",
"status": "affected",
"version": "869ddbdcae3b4fb83b99889abae31544c149b210",
"versionType": "git"
},
{
"lessThan": "f14d3e1aa613311c744af32d75125e95fc8ffb84",
"status": "affected",
"version": "869ddbdcae3b4fb83b99889abae31544c149b210",
"versionType": "git"
},
{
"lessThan": "e4f949ef1516c0d74745ee54a0f4882c1f6c7aea",
"status": "affected",
"version": "869ddbdcae3b4fb83b99889abae31544c149b210",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/pm8001/pm8001_sas.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.51",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.10.*",
"status": "unaffected",
"version": "6.10.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.11",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.51",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10.10",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: pm80xx: Set phy-\u003eenable_completion only when we wait for it\n\npm8001_phy_control() populates the enable_completion pointer with a stack\naddress, sends a PHY_LINK_RESET / PHY_HARD_RESET, waits 300 ms, and\nreturns. The problem arises when a phy control response comes late. After\n300 ms the pm8001_phy_control() function returns and the passed\nenable_completion stack address is no longer valid. Late phy control\nresponse invokes complete() on a dangling enable_completion pointer which\nleads to a kernel crash."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:53:49.051Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ddc501f4130f4baa787cb6cfa309af697179f475"
},
{
"url": "https://git.kernel.org/stable/c/a5d954802bda1aabcba49633cd94bad91c94113f"
},
{
"url": "https://git.kernel.org/stable/c/e23ee0cc5bded07e700553aecc333bb20c768546"
},
{
"url": "https://git.kernel.org/stable/c/7b1d779647afaea9185fa2f150b1721e7c1aae89"
},
{
"url": "https://git.kernel.org/stable/c/f14d3e1aa613311c744af32d75125e95fc8ffb84"
},
{
"url": "https://git.kernel.org/stable/c/e4f949ef1516c0d74745ee54a0f4882c1f6c7aea"
}
],
"title": "scsi: pm80xx: Set phy-\u003eenable_completion only when we wait for it",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-47666",
"datePublished": "2024-10-09T14:13:58.849Z",
"dateReserved": "2024-09-30T16:00:12.936Z",
"dateUpdated": "2026-01-05T10:53:49.051Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71147 (GCVE-0-2025-71147)
Vulnerability from cvelistv5
Published
2026-01-23 14:15
Modified
2026-02-09 08:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
KEYS: trusted: Fix a memory leak in tpm2_load_cmd
'tpm2_load_cmd' allocates a tempoary blob indirectly via 'tpm2_key_decode'
but it is not freed in the failure paths. Address this by wrapping the blob
into with a cleanup helper.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: f2219745250f388edacabe6cca73654131c67d0a Version: f2219745250f388edacabe6cca73654131c67d0a Version: f2219745250f388edacabe6cca73654131c67d0a Version: f2219745250f388edacabe6cca73654131c67d0a Version: f2219745250f388edacabe6cca73654131c67d0a Version: f2219745250f388edacabe6cca73654131c67d0a |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"security/keys/trusted-keys/trusted_tpm2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3fd7df4636d8fd5e3592371967a5941204368936",
"status": "affected",
"version": "f2219745250f388edacabe6cca73654131c67d0a",
"versionType": "git"
},
{
"lessThan": "af0689cafb127a8d1af78cc8b72585c9b2a19ecd",
"status": "affected",
"version": "f2219745250f388edacabe6cca73654131c67d0a",
"versionType": "git"
},
{
"lessThan": "19166de9737218b77122c41a5730ac87025e089f",
"status": "affected",
"version": "f2219745250f388edacabe6cca73654131c67d0a",
"versionType": "git"
},
{
"lessThan": "9b015f2918b95bdde2ca9cefa10ef02b138aae1e",
"status": "affected",
"version": "f2219745250f388edacabe6cca73654131c67d0a",
"versionType": "git"
},
{
"lessThan": "9e7c63c69f57b1db1a8a1542359a6167ff8fcef1",
"status": "affected",
"version": "f2219745250f388edacabe6cca73654131c67d0a",
"versionType": "git"
},
{
"lessThan": "62cd5d480b9762ce70d720a81fa5b373052ae05f",
"status": "affected",
"version": "f2219745250f388edacabe6cca73654131c67d0a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"security/keys/trusted-keys/trusted_tpm2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKEYS: trusted: Fix a memory leak in tpm2_load_cmd\n\n\u0027tpm2_load_cmd\u0027 allocates a tempoary blob indirectly via \u0027tpm2_key_decode\u0027\nbut it is not freed in the failure paths. Address this by wrapping the blob\ninto with a cleanup helper."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:44.178Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3fd7df4636d8fd5e3592371967a5941204368936"
},
{
"url": "https://git.kernel.org/stable/c/af0689cafb127a8d1af78cc8b72585c9b2a19ecd"
},
{
"url": "https://git.kernel.org/stable/c/19166de9737218b77122c41a5730ac87025e089f"
},
{
"url": "https://git.kernel.org/stable/c/9b015f2918b95bdde2ca9cefa10ef02b138aae1e"
},
{
"url": "https://git.kernel.org/stable/c/9e7c63c69f57b1db1a8a1542359a6167ff8fcef1"
},
{
"url": "https://git.kernel.org/stable/c/62cd5d480b9762ce70d720a81fa5b373052ae05f"
}
],
"title": "KEYS: trusted: Fix a memory leak in tpm2_load_cmd",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71147",
"datePublished": "2026-01-23T14:15:13.945Z",
"dateReserved": "2026-01-13T15:30:19.662Z",
"dateUpdated": "2026-02-09T08:35:44.178Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68804 (GCVE-0-2025-68804)
Vulnerability from cvelistv5
Published
2026-01-13 15:29
Modified
2026-02-09 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
platform/chrome: cros_ec_ishtp: Fix UAF after unbinding driver
After unbinding the driver, another kthread `cros_ec_console_log_work`
is still accessing the device, resulting an UAF and crash.
The driver doesn't unregister the EC device in .remove() which should
shutdown sub-devices synchronously. Fix it.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 26a14267aff218c60b89007fdb44ca392ba6122c Version: 26a14267aff218c60b89007fdb44ca392ba6122c Version: 26a14267aff218c60b89007fdb44ca392ba6122c Version: 26a14267aff218c60b89007fdb44ca392ba6122c Version: 26a14267aff218c60b89007fdb44ca392ba6122c Version: 26a14267aff218c60b89007fdb44ca392ba6122c Version: 26a14267aff218c60b89007fdb44ca392ba6122c |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/platform/chrome/cros_ec_ishtp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "27037916db38e6b78a0242031d3b93d997b84020",
"status": "affected",
"version": "26a14267aff218c60b89007fdb44ca392ba6122c",
"versionType": "git"
},
{
"lessThan": "e1da6e399df976dd04c7c73ec008bc81da368a95",
"status": "affected",
"version": "26a14267aff218c60b89007fdb44ca392ba6122c",
"versionType": "git"
},
{
"lessThan": "8dc1f5a85286290dbf04dd5951d020570f49779b",
"status": "affected",
"version": "26a14267aff218c60b89007fdb44ca392ba6122c",
"versionType": "git"
},
{
"lessThan": "393b8f9bedc7806acb9c47cefdbdb223b4b6164b",
"status": "affected",
"version": "26a14267aff218c60b89007fdb44ca392ba6122c",
"versionType": "git"
},
{
"lessThan": "4701493ba37654b3c38b526f6591cf0b02aa172f",
"status": "affected",
"version": "26a14267aff218c60b89007fdb44ca392ba6122c",
"versionType": "git"
},
{
"lessThan": "24a2062257bbdfc831de5ed21c27b04b5bdf2437",
"status": "affected",
"version": "26a14267aff218c60b89007fdb44ca392ba6122c",
"versionType": "git"
},
{
"lessThan": "944edca81e7aea15f83cf9a13a6ab67f711e8abd",
"status": "affected",
"version": "26a14267aff218c60b89007fdb44ca392ba6122c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/platform/chrome/cros_ec_ishtp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"lessThan": "5.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/chrome: cros_ec_ishtp: Fix UAF after unbinding driver\n\nAfter unbinding the driver, another kthread `cros_ec_console_log_work`\nis still accessing the device, resulting an UAF and crash.\n\nThe driver doesn\u0027t unregister the EC device in .remove() which should\nshutdown sub-devices synchronously. Fix it."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:53.030Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/27037916db38e6b78a0242031d3b93d997b84020"
},
{
"url": "https://git.kernel.org/stable/c/e1da6e399df976dd04c7c73ec008bc81da368a95"
},
{
"url": "https://git.kernel.org/stable/c/8dc1f5a85286290dbf04dd5951d020570f49779b"
},
{
"url": "https://git.kernel.org/stable/c/393b8f9bedc7806acb9c47cefdbdb223b4b6164b"
},
{
"url": "https://git.kernel.org/stable/c/4701493ba37654b3c38b526f6591cf0b02aa172f"
},
{
"url": "https://git.kernel.org/stable/c/24a2062257bbdfc831de5ed21c27b04b5bdf2437"
},
{
"url": "https://git.kernel.org/stable/c/944edca81e7aea15f83cf9a13a6ab67f711e8abd"
}
],
"title": "platform/chrome: cros_ec_ishtp: Fix UAF after unbinding driver",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68804",
"datePublished": "2026-01-13T15:29:12.418Z",
"dateReserved": "2025-12-24T10:30:51.045Z",
"dateUpdated": "2026-02-09T08:33:53.030Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40110 (GCVE-0-2025-40110)
Vulnerability from cvelistv5
Published
2025-11-12 01:07
Modified
2026-01-19 12:18
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/vmwgfx: Fix a null-ptr access in the cursor snooper
Check that the resource which is converted to a surface exists before
trying to use the cursor snooper on it.
vmw_cmd_res_check allows explicit invalid (SVGA3D_INVALID_ID) identifiers
because some svga commands accept SVGA3D_INVALID_ID to mean "no surface",
unfortunately functions that accept the actual surfaces as objects might
(and in case of the cursor snooper, do not) be able to handle null
objects. Make sure that we validate not only the identifier (via the
vmw_cmd_res_check) but also check that the actual resource exists before
trying to do something with it.
Fixes unchecked null-ptr reference in the snooping code.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: c0951b797e7d0f2c6b0df2c0e18185c72d0cf1a1 Version: c0951b797e7d0f2c6b0df2c0e18185c72d0cf1a1 Version: c0951b797e7d0f2c6b0df2c0e18185c72d0cf1a1 Version: c0951b797e7d0f2c6b0df2c0e18185c72d0cf1a1 Version: c0951b797e7d0f2c6b0df2c0e18185c72d0cf1a1 Version: c0951b797e7d0f2c6b0df2c0e18185c72d0cf1a1 Version: c0951b797e7d0f2c6b0df2c0e18185c72d0cf1a1 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3332212e93d0f6e24f8fe79f975e077c4e68ca39",
"status": "affected",
"version": "c0951b797e7d0f2c6b0df2c0e18185c72d0cf1a1",
"versionType": "git"
},
{
"lessThan": "86aae7053d2da3fdfde7b2e84d86e4af50490505",
"status": "affected",
"version": "c0951b797e7d0f2c6b0df2c0e18185c72d0cf1a1",
"versionType": "git"
},
{
"lessThan": "af9d88cbf0fce52f465978360542ef679713491f",
"status": "affected",
"version": "c0951b797e7d0f2c6b0df2c0e18185c72d0cf1a1",
"versionType": "git"
},
{
"lessThan": "299cfb5a7deabdf9ecd30071755672af0aced5eb",
"status": "affected",
"version": "c0951b797e7d0f2c6b0df2c0e18185c72d0cf1a1",
"versionType": "git"
},
{
"lessThan": "13c9e4ed125e19484234c960efe5ac9c55119523",
"status": "affected",
"version": "c0951b797e7d0f2c6b0df2c0e18185c72d0cf1a1",
"versionType": "git"
},
{
"lessThan": "b6fca0a07989f361ceda27cb2d09c555d4d4a964",
"status": "affected",
"version": "c0951b797e7d0f2c6b0df2c0e18185c72d0cf1a1",
"versionType": "git"
},
{
"lessThan": "5ac2c0279053a2c5265d46903432fb26ae2d0da2",
"status": "affected",
"version": "c0951b797e7d0f2c6b0df2c0e18185c72d0cf1a1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Fix a null-ptr access in the cursor snooper\n\nCheck that the resource which is converted to a surface exists before\ntrying to use the cursor snooper on it.\n\nvmw_cmd_res_check allows explicit invalid (SVGA3D_INVALID_ID) identifiers\nbecause some svga commands accept SVGA3D_INVALID_ID to mean \"no surface\",\nunfortunately functions that accept the actual surfaces as objects might\n(and in case of the cursor snooper, do not) be able to handle null\nobjects. Make sure that we validate not only the identifier (via the\nvmw_cmd_res_check) but also check that the actual resource exists before\ntrying to do something with it.\n\nFixes unchecked null-ptr reference in the snooping code."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:18:04.465Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3332212e93d0f6e24f8fe79f975e077c4e68ca39"
},
{
"url": "https://git.kernel.org/stable/c/86aae7053d2da3fdfde7b2e84d86e4af50490505"
},
{
"url": "https://git.kernel.org/stable/c/af9d88cbf0fce52f465978360542ef679713491f"
},
{
"url": "https://git.kernel.org/stable/c/299cfb5a7deabdf9ecd30071755672af0aced5eb"
},
{
"url": "https://git.kernel.org/stable/c/13c9e4ed125e19484234c960efe5ac9c55119523"
},
{
"url": "https://git.kernel.org/stable/c/b6fca0a07989f361ceda27cb2d09c555d4d4a964"
},
{
"url": "https://git.kernel.org/stable/c/5ac2c0279053a2c5265d46903432fb26ae2d0da2"
}
],
"title": "drm/vmwgfx: Fix a null-ptr access in the cursor snooper",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40110",
"datePublished": "2025-11-12T01:07:24.739Z",
"dateReserved": "2025-04-16T07:20:57.167Z",
"dateUpdated": "2026-01-19T12:18:04.465Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68263 (GCVE-0-2025-68263)
Vulnerability from cvelistv5
Published
2025-12-16 14:45
Modified
2026-04-02 08:39
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: ipc: fix use-after-free in ipc_msg_send_request
ipc_msg_send_request() waits for a generic netlink reply using an
ipc_msg_table_entry on the stack. The generic netlink handler
(handle_generic_event()/handle_response()) fills entry->response under
ipc_msg_table_lock, but ipc_msg_send_request() used to validate and free
entry->response without holding the same lock.
Under high concurrency this allows a race where handle_response() is
copying data into entry->response while ipc_msg_send_request() has just
freed it, leading to a slab-use-after-free reported by KASAN in
handle_generic_event():
BUG: KASAN: slab-use-after-free in handle_generic_event+0x3c4/0x5f0 [ksmbd]
Write of size 12 at addr ffff888198ee6e20 by task pool/109349
...
Freed by task:
kvfree
ipc_msg_send_request [ksmbd]
ksmbd_rpc_open -> ksmbd_session_rpc_open [ksmbd]
Fix by:
- Taking ipc_msg_table_lock in ipc_msg_send_request() while validating
entry->response, freeing it when invalid, and removing the entry from
ipc_msg_table.
- Returning the final entry->response pointer to the caller only after
the hash entry is removed under the lock.
- Returning NULL in the error path, preserving the original API
semantics.
This makes all accesses to entry->response consistent with
handle_response(), which already updates and fills the response buffer
under ipc_msg_table_lock, and closes the race that allowed the UAF.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 0626e6641f6b467447c81dd7678a69c66f7746cf Version: 0626e6641f6b467447c81dd7678a69c66f7746cf Version: 0626e6641f6b467447c81dd7678a69c66f7746cf Version: 0626e6641f6b467447c81dd7678a69c66f7746cf Version: 0626e6641f6b467447c81dd7678a69c66f7746cf Version: 0626e6641f6b467447c81dd7678a69c66f7746cf |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/transport_ipc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "de85fb58f9967ba024bb08e0041613d37b57b4d1",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
},
{
"lessThan": "708a620b471a14466f1f52c90bf3f65ebdb31460",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
},
{
"lessThan": "5ac763713a1ef8f9a8bda1dbd81f0318d67baa4e",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
},
{
"lessThan": "759c8c30cfa8706c518e56f67971b1f0932f4b9b",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
},
{
"lessThan": "8229c6ca50cea701e25a7ee25f48441b582ec5fa",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
},
{
"lessThan": "1fab1fa091f5aa97265648b53ea031deedd26235",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/transport_ipc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.62",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.62",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.12",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.1",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: ipc: fix use-after-free in ipc_msg_send_request\n\nipc_msg_send_request() waits for a generic netlink reply using an\nipc_msg_table_entry on the stack. The generic netlink handler\n(handle_generic_event()/handle_response()) fills entry-\u003eresponse under\nipc_msg_table_lock, but ipc_msg_send_request() used to validate and free\nentry-\u003eresponse without holding the same lock.\n\nUnder high concurrency this allows a race where handle_response() is\ncopying data into entry-\u003eresponse while ipc_msg_send_request() has just\nfreed it, leading to a slab-use-after-free reported by KASAN in\nhandle_generic_event():\n\n BUG: KASAN: slab-use-after-free in handle_generic_event+0x3c4/0x5f0 [ksmbd]\n Write of size 12 at addr ffff888198ee6e20 by task pool/109349\n ...\n Freed by task:\n kvfree\n ipc_msg_send_request [ksmbd]\n ksmbd_rpc_open -\u003e ksmbd_session_rpc_open [ksmbd]\n\nFix by:\n- Taking ipc_msg_table_lock in ipc_msg_send_request() while validating\n entry-\u003eresponse, freeing it when invalid, and removing the entry from\n ipc_msg_table.\n- Returning the final entry-\u003eresponse pointer to the caller only after\n the hash entry is removed under the lock.\n- Returning NULL in the error path, preserving the original API\n semantics.\n\nThis makes all accesses to entry-\u003eresponse consistent with\nhandle_response(), which already updates and fills the response buffer\nunder ipc_msg_table_lock, and closes the race that allowed the UAF."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T08:39:36.027Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/de85fb58f9967ba024bb08e0041613d37b57b4d1"
},
{
"url": "https://git.kernel.org/stable/c/708a620b471a14466f1f52c90bf3f65ebdb31460"
},
{
"url": "https://git.kernel.org/stable/c/5ac763713a1ef8f9a8bda1dbd81f0318d67baa4e"
},
{
"url": "https://git.kernel.org/stable/c/759c8c30cfa8706c518e56f67971b1f0932f4b9b"
},
{
"url": "https://git.kernel.org/stable/c/8229c6ca50cea701e25a7ee25f48441b582ec5fa"
},
{
"url": "https://git.kernel.org/stable/c/1fab1fa091f5aa97265648b53ea031deedd26235"
}
],
"title": "ksmbd: ipc: fix use-after-free in ipc_msg_send_request",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68263",
"datePublished": "2025-12-16T14:45:05.218Z",
"dateReserved": "2025-12-16T13:41:40.267Z",
"dateUpdated": "2026-04-02T08:39:36.027Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71065 (GCVE-0-2025-71065)
Vulnerability from cvelistv5
Published
2026-01-13 15:31
Modified
2026-02-09 08:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix to avoid potential deadlock
As Jiaming Zhang and syzbot reported, there is potential deadlock in
f2fs as below:
Chain exists of:
&sbi->cp_rwsem --> fs_reclaim --> sb_internal#2
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
rlock(sb_internal#2);
lock(fs_reclaim);
lock(sb_internal#2);
rlock(&sbi->cp_rwsem);
*** DEADLOCK ***
3 locks held by kswapd0/73:
#0: ffffffff8e247a40 (fs_reclaim){+.+.}-{0:0}, at: balance_pgdat mm/vmscan.c:7015 [inline]
#0: ffffffff8e247a40 (fs_reclaim){+.+.}-{0:0}, at: kswapd+0x951/0x2800 mm/vmscan.c:7389
#1: ffff8880118400e0 (&type->s_umount_key#50){.+.+}-{4:4}, at: super_trylock_shared fs/super.c:562 [inline]
#1: ffff8880118400e0 (&type->s_umount_key#50){.+.+}-{4:4}, at: super_cache_scan+0x91/0x4b0 fs/super.c:197
#2: ffff888011840610 (sb_internal#2){.+.+}-{0:0}, at: f2fs_evict_inode+0x8d9/0x1b60 fs/f2fs/inode.c:890
stack backtrace:
CPU: 0 UID: 0 PID: 73 Comm: kswapd0 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_circular_bug+0x2ee/0x310 kernel/locking/lockdep.c:2043
check_noncircular+0x134/0x160 kernel/locking/lockdep.c:2175
check_prev_add kernel/locking/lockdep.c:3165 [inline]
check_prevs_add kernel/locking/lockdep.c:3284 [inline]
validate_chain+0xb9b/0x2140 kernel/locking/lockdep.c:3908
__lock_acquire+0xab9/0xd20 kernel/locking/lockdep.c:5237
lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868
down_read+0x46/0x2e0 kernel/locking/rwsem.c:1537
f2fs_down_read fs/f2fs/f2fs.h:2278 [inline]
f2fs_lock_op fs/f2fs/f2fs.h:2357 [inline]
f2fs_do_truncate_blocks+0x21c/0x10c0 fs/f2fs/file.c:791
f2fs_truncate_blocks+0x10a/0x300 fs/f2fs/file.c:867
f2fs_truncate+0x489/0x7c0 fs/f2fs/file.c:925
f2fs_evict_inode+0x9f2/0x1b60 fs/f2fs/inode.c:897
evict+0x504/0x9c0 fs/inode.c:810
f2fs_evict_inode+0x1dc/0x1b60 fs/f2fs/inode.c:853
evict+0x504/0x9c0 fs/inode.c:810
dispose_list fs/inode.c:852 [inline]
prune_icache_sb+0x21b/0x2c0 fs/inode.c:1000
super_cache_scan+0x39b/0x4b0 fs/super.c:224
do_shrink_slab+0x6ef/0x1110 mm/shrinker.c:437
shrink_slab_memcg mm/shrinker.c:550 [inline]
shrink_slab+0x7ef/0x10d0 mm/shrinker.c:628
shrink_one+0x28a/0x7c0 mm/vmscan.c:4955
shrink_many mm/vmscan.c:5016 [inline]
lru_gen_shrink_node mm/vmscan.c:5094 [inline]
shrink_node+0x315d/0x3780 mm/vmscan.c:6081
kswapd_shrink_node mm/vmscan.c:6941 [inline]
balance_pgdat mm/vmscan.c:7124 [inline]
kswapd+0x147c/0x2800 mm/vmscan.c:7389
kthread+0x70e/0x8a0 kernel/kthread.c:463
ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
The root cause is deadlock among four locks as below:
kswapd
- fs_reclaim --- Lock A
- shrink_one
- evict
- f2fs_evict_inode
- sb_start_intwrite --- Lock B
- iput
- evict
- f2fs_evict_inode
- sb_start_intwrite --- Lock B
- f2fs_truncate
- f2fs_truncate_blocks
- f2fs_do_truncate_blocks
- f2fs_lock_op --- Lock C
ioctl
- f2fs_ioc_commit_atomic_write
- f2fs_lock_op --- Lock C
- __f2fs_commit_atomic_write
- __replace_atomic_write_block
- f2fs_get_dnode_of_data
- __get_node_folio
- f2fs_check_nid_range
- f2fs_handle_error
- f2fs_record_errors
- f2fs_down_write --- Lock D
open
- do_open
- do_truncate
- security_inode_need_killpriv
- f2fs_getxattr
- lookup_all_xattrs
- f2fs_handle_error
- f2fs_record_errors
- f2fs_down_write --- Lock D
- f2fs_commit_super
- read_mapping_folio
- filemap_alloc_folio_noprof
- prepare_alloc_pages
- fs_reclaim_acquire --- Lock A
In order to a
---truncated---
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/f2fs/compress.c",
"fs/f2fs/f2fs.h",
"fs/f2fs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8bd6dff8b801abaa362272894bda795bf0cf1307",
"status": "affected",
"version": "95fa90c9e5a7f14c2497d5b032544478c9377c3a",
"versionType": "git"
},
{
"lessThan": "6c3bab5c6261aa22c561ef56b7365959a90e7d91",
"status": "affected",
"version": "95fa90c9e5a7f14c2497d5b032544478c9377c3a",
"versionType": "git"
},
{
"lessThan": "86a85a7b622e6e8dba69810257733ce5eab5ed55",
"status": "affected",
"version": "95fa90c9e5a7f14c2497d5b032544478c9377c3a",
"versionType": "git"
},
{
"lessThan": "ca8b201f28547e28343a6f00a6e91fa8c09572fe",
"status": "affected",
"version": "95fa90c9e5a7f14c2497d5b032544478c9377c3a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/f2fs/compress.c",
"fs/f2fs/f2fs.h",
"fs/f2fs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid potential deadlock\n\nAs Jiaming Zhang and syzbot reported, there is potential deadlock in\nf2fs as below:\n\nChain exists of:\n \u0026sbi-\u003ecp_rwsem --\u003e fs_reclaim --\u003e sb_internal#2\n\n Possible unsafe locking scenario:\n\n CPU0 CPU1\n ---- ----\n rlock(sb_internal#2);\n lock(fs_reclaim);\n lock(sb_internal#2);\n rlock(\u0026sbi-\u003ecp_rwsem);\n\n *** DEADLOCK ***\n\n3 locks held by kswapd0/73:\n #0: ffffffff8e247a40 (fs_reclaim){+.+.}-{0:0}, at: balance_pgdat mm/vmscan.c:7015 [inline]\n #0: ffffffff8e247a40 (fs_reclaim){+.+.}-{0:0}, at: kswapd+0x951/0x2800 mm/vmscan.c:7389\n #1: ffff8880118400e0 (\u0026type-\u003es_umount_key#50){.+.+}-{4:4}, at: super_trylock_shared fs/super.c:562 [inline]\n #1: ffff8880118400e0 (\u0026type-\u003es_umount_key#50){.+.+}-{4:4}, at: super_cache_scan+0x91/0x4b0 fs/super.c:197\n #2: ffff888011840610 (sb_internal#2){.+.+}-{0:0}, at: f2fs_evict_inode+0x8d9/0x1b60 fs/f2fs/inode.c:890\n\nstack backtrace:\nCPU: 0 UID: 0 PID: 73 Comm: kswapd0 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120\n print_circular_bug+0x2ee/0x310 kernel/locking/lockdep.c:2043\n check_noncircular+0x134/0x160 kernel/locking/lockdep.c:2175\n check_prev_add kernel/locking/lockdep.c:3165 [inline]\n check_prevs_add kernel/locking/lockdep.c:3284 [inline]\n validate_chain+0xb9b/0x2140 kernel/locking/lockdep.c:3908\n __lock_acquire+0xab9/0xd20 kernel/locking/lockdep.c:5237\n lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868\n down_read+0x46/0x2e0 kernel/locking/rwsem.c:1537\n f2fs_down_read fs/f2fs/f2fs.h:2278 [inline]\n f2fs_lock_op fs/f2fs/f2fs.h:2357 [inline]\n f2fs_do_truncate_blocks+0x21c/0x10c0 fs/f2fs/file.c:791\n f2fs_truncate_blocks+0x10a/0x300 fs/f2fs/file.c:867\n f2fs_truncate+0x489/0x7c0 fs/f2fs/file.c:925\n f2fs_evict_inode+0x9f2/0x1b60 fs/f2fs/inode.c:897\n evict+0x504/0x9c0 fs/inode.c:810\n f2fs_evict_inode+0x1dc/0x1b60 fs/f2fs/inode.c:853\n evict+0x504/0x9c0 fs/inode.c:810\n dispose_list fs/inode.c:852 [inline]\n prune_icache_sb+0x21b/0x2c0 fs/inode.c:1000\n super_cache_scan+0x39b/0x4b0 fs/super.c:224\n do_shrink_slab+0x6ef/0x1110 mm/shrinker.c:437\n shrink_slab_memcg mm/shrinker.c:550 [inline]\n shrink_slab+0x7ef/0x10d0 mm/shrinker.c:628\n shrink_one+0x28a/0x7c0 mm/vmscan.c:4955\n shrink_many mm/vmscan.c:5016 [inline]\n lru_gen_shrink_node mm/vmscan.c:5094 [inline]\n shrink_node+0x315d/0x3780 mm/vmscan.c:6081\n kswapd_shrink_node mm/vmscan.c:6941 [inline]\n balance_pgdat mm/vmscan.c:7124 [inline]\n kswapd+0x147c/0x2800 mm/vmscan.c:7389\n kthread+0x70e/0x8a0 kernel/kthread.c:463\n ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\n \u003c/TASK\u003e\n\nThe root cause is deadlock among four locks as below:\n\nkswapd\n- fs_reclaim\t\t\t\t--- Lock A\n - shrink_one\n - evict\n - f2fs_evict_inode\n - sb_start_intwrite\t\t\t--- Lock B\n\n- iput\n - evict\n - f2fs_evict_inode\n - sb_start_intwrite\t\t\t--- Lock B\n - f2fs_truncate\n - f2fs_truncate_blocks\n - f2fs_do_truncate_blocks\n - f2fs_lock_op\t\t\t--- Lock C\n\nioctl\n- f2fs_ioc_commit_atomic_write\n - f2fs_lock_op\t\t\t\t--- Lock C\n - __f2fs_commit_atomic_write\n - __replace_atomic_write_block\n - f2fs_get_dnode_of_data\n - __get_node_folio\n - f2fs_check_nid_range\n - f2fs_handle_error\n - f2fs_record_errors\n - f2fs_down_write\t\t--- Lock D\n\nopen\n- do_open\n - do_truncate\n - security_inode_need_killpriv\n - f2fs_getxattr\n - lookup_all_xattrs\n - f2fs_handle_error\n - f2fs_record_errors\n - f2fs_down_write\t\t--- Lock D\n - f2fs_commit_super\n - read_mapping_folio\n - filemap_alloc_folio_noprof\n - prepare_alloc_pages\n - fs_reclaim_acquire\t--- Lock A\n\nIn order to a\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:15.556Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8bd6dff8b801abaa362272894bda795bf0cf1307"
},
{
"url": "https://git.kernel.org/stable/c/6c3bab5c6261aa22c561ef56b7365959a90e7d91"
},
{
"url": "https://git.kernel.org/stable/c/86a85a7b622e6e8dba69810257733ce5eab5ed55"
},
{
"url": "https://git.kernel.org/stable/c/ca8b201f28547e28343a6f00a6e91fa8c09572fe"
}
],
"title": "f2fs: fix to avoid potential deadlock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71065",
"datePublished": "2026-01-13T15:31:21.235Z",
"dateReserved": "2026-01-13T15:30:19.646Z",
"dateUpdated": "2026-02-09T08:34:15.556Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23403 (GCVE-0-2026-23403)
Vulnerability from cvelistv5
Published
2026-04-01 08:36
Modified
2026-04-18 08:58
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
apparmor: fix memory leak in verify_header
The function sets `*ns = NULL` on every call, leaking the namespace
string allocated in previous iterations when multiple profiles are
unpacked. This also breaks namespace consistency checking since *ns
is always NULL when the comparison is made.
Remove the incorrect assignment.
The caller (aa_unpack) initializes *ns to NULL once before the loop,
which is sufficient.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: dd51c84857630e77c139afe4d9bba65fc051dc3f Version: dd51c84857630e77c139afe4d9bba65fc051dc3f Version: dd51c84857630e77c139afe4d9bba65fc051dc3f Version: dd51c84857630e77c139afe4d9bba65fc051dc3f Version: dd51c84857630e77c139afe4d9bba65fc051dc3f Version: dd51c84857630e77c139afe4d9bba65fc051dc3f Version: dd51c84857630e77c139afe4d9bba65fc051dc3f Version: dd51c84857630e77c139afe4d9bba65fc051dc3f |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"security/apparmor/policy_unpack.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9d678eb0fe55c9195d9a253e8c5b82a87b930737",
"status": "affected",
"version": "dd51c84857630e77c139afe4d9bba65fc051dc3f",
"versionType": "git"
},
{
"lessThan": "6b79abcb3c985e153fcf9d395e1d4336081aabc2",
"status": "affected",
"version": "dd51c84857630e77c139afe4d9bba65fc051dc3f",
"versionType": "git"
},
{
"lessThan": "bcf82c0c5a8b383fd2d5d8f3fd880cdcab2ac557",
"status": "affected",
"version": "dd51c84857630e77c139afe4d9bba65fc051dc3f",
"versionType": "git"
},
{
"lessThan": "663ce34786e759ebcbeb3060685c20bcc886d51a",
"status": "affected",
"version": "dd51c84857630e77c139afe4d9bba65fc051dc3f",
"versionType": "git"
},
{
"lessThan": "786e2c2a87d9c505f33321d1fd23a176aa8ddeb1",
"status": "affected",
"version": "dd51c84857630e77c139afe4d9bba65fc051dc3f",
"versionType": "git"
},
{
"lessThan": "4f0889f2df1ab99224a5e1ac4e20437eea5fe38e",
"status": "affected",
"version": "dd51c84857630e77c139afe4d9bba65fc051dc3f",
"versionType": "git"
},
{
"lessThan": "42fd831abfc15d0643c14688f0522556b347e7e6",
"status": "affected",
"version": "dd51c84857630e77c139afe4d9bba65fc051dc3f",
"versionType": "git"
},
{
"lessThan": "e38c55d9f834e5b848bfed0f5c586aaf45acb825",
"status": "affected",
"version": "dd51c84857630e77c139afe4d9bba65fc051dc3f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"security/apparmor/policy_unpack.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.12"
},
{
"lessThan": "3.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.18",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.8",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: fix memory leak in verify_header\n\nThe function sets `*ns = NULL` on every call, leaking the namespace\nstring allocated in previous iterations when multiple profiles are\nunpacked. This also breaks namespace consistency checking since *ns\nis always NULL when the comparison is made.\n\nRemove the incorrect assignment.\nThe caller (aa_unpack) initializes *ns to NULL once before the loop,\nwhich is sufficient."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:58:36.504Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9d678eb0fe55c9195d9a253e8c5b82a87b930737"
},
{
"url": "https://git.kernel.org/stable/c/6b79abcb3c985e153fcf9d395e1d4336081aabc2"
},
{
"url": "https://git.kernel.org/stable/c/bcf82c0c5a8b383fd2d5d8f3fd880cdcab2ac557"
},
{
"url": "https://git.kernel.org/stable/c/663ce34786e759ebcbeb3060685c20bcc886d51a"
},
{
"url": "https://git.kernel.org/stable/c/786e2c2a87d9c505f33321d1fd23a176aa8ddeb1"
},
{
"url": "https://git.kernel.org/stable/c/4f0889f2df1ab99224a5e1ac4e20437eea5fe38e"
},
{
"url": "https://git.kernel.org/stable/c/42fd831abfc15d0643c14688f0522556b347e7e6"
},
{
"url": "https://git.kernel.org/stable/c/e38c55d9f834e5b848bfed0f5c586aaf45acb825"
}
],
"title": "apparmor: fix memory leak in verify_header",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23403",
"datePublished": "2026-04-01T08:36:34.269Z",
"dateReserved": "2026-01-13T15:37:46.012Z",
"dateUpdated": "2026-04-18T08:58:36.504Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68344 (GCVE-0-2025-68344)
Vulnerability from cvelistv5
Published
2025-12-24 10:32
Modified
2026-02-09 08:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: wavefront: Fix integer overflow in sample size validation
The wavefront_send_sample() function has an integer overflow issue
when validating sample size. The header->size field is u32 but gets
cast to int for comparison with dev->freemem
Fix by using unsigned comparison to avoid integer overflow.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/isa/wavefront/wavefront_synth.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "488bf86d60077f52810c60dbdf7468c277880167",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d2f5d8cf1eadb7b33e476f59aa9c6653e4f2b937",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4f811071e702fbb74933526e2fbadf8c4ed0c0c4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "02b63f3bc29265bd9e83191792d200ed563acacf",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5588b7c86effffa9bb55383a38800649d7b40778",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "bca11de0a277b8baeb7d006f93b543c907b6e782",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1823e08f76c68b9e1d26f6d5ef831b96f61a62a0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0c4a13ba88594fd4a27292853e736c6b4349823d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/isa/wavefront/wavefront_synth.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: wavefront: Fix integer overflow in sample size validation\n\nThe wavefront_send_sample() function has an integer overflow issue\nwhen validating sample size. The header-\u003esize field is u32 but gets\ncast to int for comparison with dev-\u003efreemem\n\nFix by using unsigned comparison to avoid integer overflow."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:31:32.875Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/488bf86d60077f52810c60dbdf7468c277880167"
},
{
"url": "https://git.kernel.org/stable/c/d2f5d8cf1eadb7b33e476f59aa9c6653e4f2b937"
},
{
"url": "https://git.kernel.org/stable/c/4f811071e702fbb74933526e2fbadf8c4ed0c0c4"
},
{
"url": "https://git.kernel.org/stable/c/02b63f3bc29265bd9e83191792d200ed563acacf"
},
{
"url": "https://git.kernel.org/stable/c/5588b7c86effffa9bb55383a38800649d7b40778"
},
{
"url": "https://git.kernel.org/stable/c/bca11de0a277b8baeb7d006f93b543c907b6e782"
},
{
"url": "https://git.kernel.org/stable/c/1823e08f76c68b9e1d26f6d5ef831b96f61a62a0"
},
{
"url": "https://git.kernel.org/stable/c/0c4a13ba88594fd4a27292853e736c6b4349823d"
}
],
"title": "ALSA: wavefront: Fix integer overflow in sample size validation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68344",
"datePublished": "2025-12-24T10:32:37.615Z",
"dateReserved": "2025-12-16T14:48:05.299Z",
"dateUpdated": "2026-02-09T08:31:32.875Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40245 (GCVE-0-2025-40245)
Vulnerability from cvelistv5
Published
2025-12-04 15:31
Modified
2026-01-02 15:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nios2: ensure that memblock.current_limit is set when setting pfn limits
On nios2, with CONFIG_FLATMEM set, the kernel relies on
memblock_get_current_limit() to determine the limits of mem_map, in
particular for max_low_pfn.
Unfortunately, memblock.current_limit is only default initialized to
MEMBLOCK_ALLOC_ANYWHERE at this point of the bootup, potentially leading
to situations where max_low_pfn can erroneously exceed the value of
max_pfn and, thus, the valid range of available DRAM.
This can in turn cause kernel-level paging failures, e.g.:
[ 76.900000] Unable to handle kernel paging request at virtual address 20303000
[ 76.900000] ea = c0080890, ra = c000462c, cause = 14
[ 76.900000] Kernel panic - not syncing: Oops
[ 76.900000] ---[ end Kernel panic - not syncing: Oops ]---
This patch fixes this by pre-calculating memblock.current_limit
based on the upper limits of the available memory ranges via
adjust_lowmem_bounds, a simplified version of the equivalent
implementation within the arm architecture.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 7f7bc20bc41a4fbcd2db75b375ac95e5faf958ae Version: 7f7bc20bc41a4fbcd2db75b375ac95e5faf958ae Version: 7f7bc20bc41a4fbcd2db75b375ac95e5faf958ae Version: 7f7bc20bc41a4fbcd2db75b375ac95e5faf958ae Version: 7f7bc20bc41a4fbcd2db75b375ac95e5faf958ae Version: 7f7bc20bc41a4fbcd2db75b375ac95e5faf958ae |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/nios2/kernel/setup.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "25f09699edd360b534ccae16bc276c3b52c471f3",
"status": "affected",
"version": "7f7bc20bc41a4fbcd2db75b375ac95e5faf958ae",
"versionType": "git"
},
{
"lessThan": "5c3e38a367822f036227dd52bac82dc4a05157e2",
"status": "affected",
"version": "7f7bc20bc41a4fbcd2db75b375ac95e5faf958ae",
"versionType": "git"
},
{
"lessThan": "b1ec9faef7e36269ca3ec890972a78effbaeb975",
"status": "affected",
"version": "7f7bc20bc41a4fbcd2db75b375ac95e5faf958ae",
"versionType": "git"
},
{
"lessThan": "90f5f715550e07cd6a51f80fc3f062d832c8c997",
"status": "affected",
"version": "7f7bc20bc41a4fbcd2db75b375ac95e5faf958ae",
"versionType": "git"
},
{
"lessThan": "8912814f14e298b83df072fecc1f7ed1b63b1b2c",
"status": "affected",
"version": "7f7bc20bc41a4fbcd2db75b375ac95e5faf958ae",
"versionType": "git"
},
{
"lessThan": "a20b83cf45be2057f3d073506779e52c7fa17f94",
"status": "affected",
"version": "7f7bc20bc41a4fbcd2db75b375ac95e5faf958ae",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/nios2/kernel/setup.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.196",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.115",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.196",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.115",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.56",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.6",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnios2: ensure that memblock.current_limit is set when setting pfn limits\n\nOn nios2, with CONFIG_FLATMEM set, the kernel relies on\nmemblock_get_current_limit() to determine the limits of mem_map, in\nparticular for max_low_pfn.\nUnfortunately, memblock.current_limit is only default initialized to\nMEMBLOCK_ALLOC_ANYWHERE at this point of the bootup, potentially leading\nto situations where max_low_pfn can erroneously exceed the value of\nmax_pfn and, thus, the valid range of available DRAM.\n\nThis can in turn cause kernel-level paging failures, e.g.:\n\n[ 76.900000] Unable to handle kernel paging request at virtual address 20303000\n[ 76.900000] ea = c0080890, ra = c000462c, cause = 14\n[ 76.900000] Kernel panic - not syncing: Oops\n[ 76.900000] ---[ end Kernel panic - not syncing: Oops ]---\n\nThis patch fixes this by pre-calculating memblock.current_limit\nbased on the upper limits of the available memory ranges via\nadjust_lowmem_bounds, a simplified version of the equivalent\nimplementation within the arm architecture."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:15.808Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/25f09699edd360b534ccae16bc276c3b52c471f3"
},
{
"url": "https://git.kernel.org/stable/c/5c3e38a367822f036227dd52bac82dc4a05157e2"
},
{
"url": "https://git.kernel.org/stable/c/b1ec9faef7e36269ca3ec890972a78effbaeb975"
},
{
"url": "https://git.kernel.org/stable/c/90f5f715550e07cd6a51f80fc3f062d832c8c997"
},
{
"url": "https://git.kernel.org/stable/c/8912814f14e298b83df072fecc1f7ed1b63b1b2c"
},
{
"url": "https://git.kernel.org/stable/c/a20b83cf45be2057f3d073506779e52c7fa17f94"
}
],
"title": "nios2: ensure that memblock.current_limit is set when setting pfn limits",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40245",
"datePublished": "2025-12-04T15:31:34.142Z",
"dateReserved": "2025-04-16T07:20:57.181Z",
"dateUpdated": "2026-01-02T15:33:15.808Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23076 (GCVE-0-2026-23076)
Vulnerability from cvelistv5
Published
2026-02-04 16:08
Modified
2026-02-09 08:38
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: ctxfi: Fix potential OOB access in audio mixer handling
In the audio mixer handling code of ctxfi driver, the conf field is
used as a kind of loop index, and it's referred in the index callbacks
(amixer_index() and sum_index()).
As spotted recently by fuzzers, the current code causes OOB access at
those functions.
| UBSAN: array-index-out-of-bounds in /build/reproducible-path/linux-6.17.8/sound/pci/ctxfi/ctamixer.c:347:48
| index 8 is out of range for type 'unsigned char [8]'
After the analysis, the cause was found to be the lack of the proper
(re-)initialization of conj field.
This patch addresses those OOB accesses by adding the proper
initializations of the loop indices.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 8cc72361481f00253f1e468ade5795427386d593 Version: 8cc72361481f00253f1e468ade5795427386d593 Version: 8cc72361481f00253f1e468ade5795427386d593 Version: 8cc72361481f00253f1e468ade5795427386d593 Version: 8cc72361481f00253f1e468ade5795427386d593 Version: 8cc72361481f00253f1e468ade5795427386d593 Version: 8cc72361481f00253f1e468ade5795427386d593 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/pci/ctxfi/ctamixer.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6524205326e0c1a21263b5c14e48e14ef7e449ae",
"status": "affected",
"version": "8cc72361481f00253f1e468ade5795427386d593",
"versionType": "git"
},
{
"lessThan": "afca7ff5d5d4d63a1acb95461f55ca9a729feedf",
"status": "affected",
"version": "8cc72361481f00253f1e468ade5795427386d593",
"versionType": "git"
},
{
"lessThan": "8c1d09806e1441bc6a54b9a4f2818918046d5174",
"status": "affected",
"version": "8cc72361481f00253f1e468ade5795427386d593",
"versionType": "git"
},
{
"lessThan": "a8c42d11b0526a89192bd2f79facb4c60c8a1f38",
"status": "affected",
"version": "8cc72361481f00253f1e468ade5795427386d593",
"versionType": "git"
},
{
"lessThan": "d77ba72558cd66704f0fb7e0969f697e87c0f71c",
"status": "affected",
"version": "8cc72361481f00253f1e468ade5795427386d593",
"versionType": "git"
},
{
"lessThan": "873e2360d247eeee642878fcc3398babff7e387c",
"status": "affected",
"version": "8cc72361481f00253f1e468ade5795427386d593",
"versionType": "git"
},
{
"lessThan": "61006c540cbdedea83b05577dc7fb7fa18fe1276",
"status": "affected",
"version": "8cc72361481f00253f1e468ade5795427386d593",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/pci/ctxfi/ctamixer.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.31"
},
{
"lessThan": "2.6.31",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.31",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: ctxfi: Fix potential OOB access in audio mixer handling\n\nIn the audio mixer handling code of ctxfi driver, the conf field is\nused as a kind of loop index, and it\u0027s referred in the index callbacks\n(amixer_index() and sum_index()).\n\nAs spotted recently by fuzzers, the current code causes OOB access at\nthose functions.\n| UBSAN: array-index-out-of-bounds in /build/reproducible-path/linux-6.17.8/sound/pci/ctxfi/ctamixer.c:347:48\n| index 8 is out of range for type \u0027unsigned char [8]\u0027\n\nAfter the analysis, the cause was found to be the lack of the proper\n(re-)initialization of conj field.\n\nThis patch addresses those OOB accesses by adding the proper\ninitializations of the loop indices."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:38:15.852Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6524205326e0c1a21263b5c14e48e14ef7e449ae"
},
{
"url": "https://git.kernel.org/stable/c/afca7ff5d5d4d63a1acb95461f55ca9a729feedf"
},
{
"url": "https://git.kernel.org/stable/c/8c1d09806e1441bc6a54b9a4f2818918046d5174"
},
{
"url": "https://git.kernel.org/stable/c/a8c42d11b0526a89192bd2f79facb4c60c8a1f38"
},
{
"url": "https://git.kernel.org/stable/c/d77ba72558cd66704f0fb7e0969f697e87c0f71c"
},
{
"url": "https://git.kernel.org/stable/c/873e2360d247eeee642878fcc3398babff7e387c"
},
{
"url": "https://git.kernel.org/stable/c/61006c540cbdedea83b05577dc7fb7fa18fe1276"
}
],
"title": "ALSA: ctxfi: Fix potential OOB access in audio mixer handling",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23076",
"datePublished": "2026-02-04T16:08:01.204Z",
"dateReserved": "2026-01-13T15:37:45.958Z",
"dateUpdated": "2026-02-09T08:38:15.852Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68724 (GCVE-0-2025-68724)
Vulnerability from cvelistv5
Published
2025-12-24 10:33
Modified
2026-02-09 08:32
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id
Use check_add_overflow() to guard against potential integer overflows
when adding the binary blob lengths and the size of an asymmetric_key_id
structure and return ERR_PTR(-EOVERFLOW) accordingly. This prevents a
possible buffer overflow when copying data from potentially malicious
X.509 certificate fields that can be arbitrarily large, such as ASN.1
INTEGER serial numbers, issuer names, etc.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 7901c1a8effbe5f89673bfc09d6e37b8f334f1a7 Version: 7901c1a8effbe5f89673bfc09d6e37b8f334f1a7 Version: 7901c1a8effbe5f89673bfc09d6e37b8f334f1a7 Version: 7901c1a8effbe5f89673bfc09d6e37b8f334f1a7 Version: 7901c1a8effbe5f89673bfc09d6e37b8f334f1a7 Version: 7901c1a8effbe5f89673bfc09d6e37b8f334f1a7 Version: 7901c1a8effbe5f89673bfc09d6e37b8f334f1a7 Version: 7901c1a8effbe5f89673bfc09d6e37b8f334f1a7 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"crypto/asymmetric_keys/asymmetric_type.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "60a7be5ee74408147e439164ac067e418ca74bb4",
"status": "affected",
"version": "7901c1a8effbe5f89673bfc09d6e37b8f334f1a7",
"versionType": "git"
},
{
"lessThan": "c13c6e9de91d7f1dd7df756b1fa5a1f968839d76",
"status": "affected",
"version": "7901c1a8effbe5f89673bfc09d6e37b8f334f1a7",
"versionType": "git"
},
{
"lessThan": "dfc1613961828745165aec6552c3818fa14ab725",
"status": "affected",
"version": "7901c1a8effbe5f89673bfc09d6e37b8f334f1a7",
"versionType": "git"
},
{
"lessThan": "5b8ac617c8dab5cad3c4dc8d84d0987808a0f99c",
"status": "affected",
"version": "7901c1a8effbe5f89673bfc09d6e37b8f334f1a7",
"versionType": "git"
},
{
"lessThan": "c73be4f51eed98fa0c7c189db8f279e1c86bfbf7",
"status": "affected",
"version": "7901c1a8effbe5f89673bfc09d6e37b8f334f1a7",
"versionType": "git"
},
{
"lessThan": "6af753ac5205115e6c310c8c4236c01b59a1c44f",
"status": "affected",
"version": "7901c1a8effbe5f89673bfc09d6e37b8f334f1a7",
"versionType": "git"
},
{
"lessThan": "b7090a5c153105b9fd221a5a81459ee8cd5babd6",
"status": "affected",
"version": "7901c1a8effbe5f89673bfc09d6e37b8f334f1a7",
"versionType": "git"
},
{
"lessThan": "df0845cf447ae1556c3440b8b155de0926cbaa56",
"status": "affected",
"version": "7901c1a8effbe5f89673bfc09d6e37b8f334f1a7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"crypto/asymmetric_keys/asymmetric_type.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.18"
},
{
"lessThan": "3.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id\n\nUse check_add_overflow() to guard against potential integer overflows\nwhen adding the binary blob lengths and the size of an asymmetric_key_id\nstructure and return ERR_PTR(-EOVERFLOW) accordingly. This prevents a\npossible buffer overflow when copying data from potentially malicious\nX.509 certificate fields that can be arbitrarily large, such as ASN.1\nINTEGER serial numbers, issuer names, etc."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:32:19.959Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/60a7be5ee74408147e439164ac067e418ca74bb4"
},
{
"url": "https://git.kernel.org/stable/c/c13c6e9de91d7f1dd7df756b1fa5a1f968839d76"
},
{
"url": "https://git.kernel.org/stable/c/dfc1613961828745165aec6552c3818fa14ab725"
},
{
"url": "https://git.kernel.org/stable/c/5b8ac617c8dab5cad3c4dc8d84d0987808a0f99c"
},
{
"url": "https://git.kernel.org/stable/c/c73be4f51eed98fa0c7c189db8f279e1c86bfbf7"
},
{
"url": "https://git.kernel.org/stable/c/6af753ac5205115e6c310c8c4236c01b59a1c44f"
},
{
"url": "https://git.kernel.org/stable/c/b7090a5c153105b9fd221a5a81459ee8cd5babd6"
},
{
"url": "https://git.kernel.org/stable/c/df0845cf447ae1556c3440b8b155de0926cbaa56"
}
],
"title": "crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68724",
"datePublished": "2025-12-24T10:33:08.932Z",
"dateReserved": "2025-12-24T10:30:51.027Z",
"dateUpdated": "2026-02-09T08:32:19.959Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40049 (GCVE-0-2025-40049)
Vulnerability from cvelistv5
Published
2025-10-28 11:48
Modified
2025-12-01 06:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Squashfs: fix uninit-value in squashfs_get_parent
Syzkaller reports a "KMSAN: uninit-value in squashfs_get_parent" bug.
This is caused by open_by_handle_at() being called with a file handle
containing an invalid parent inode number. In particular the inode number
is that of a symbolic link, rather than a directory.
Squashfs_get_parent() gets called with that symbolic link inode, and
accesses the parent member field.
unsigned int parent_ino = squashfs_i(inode)->parent;
Because non-directory inodes in Squashfs do not have a parent value, this
is uninitialised, and this causes an uninitialised value access.
The fix is to initialise parent with the invalid inode 0, which will cause
an EINVAL error to be returned.
Regular inodes used to share the parent field with the block_list_start
field. This is removed in this commit to enable the parent field to
contain the invalid inode number 0.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 122601408d20c77704268f1dea9f9ce4abf997c2 Version: 122601408d20c77704268f1dea9f9ce4abf997c2 Version: 122601408d20c77704268f1dea9f9ce4abf997c2 Version: 122601408d20c77704268f1dea9f9ce4abf997c2 Version: 122601408d20c77704268f1dea9f9ce4abf997c2 Version: 122601408d20c77704268f1dea9f9ce4abf997c2 Version: 122601408d20c77704268f1dea9f9ce4abf997c2 Version: 122601408d20c77704268f1dea9f9ce4abf997c2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/squashfs/inode.c",
"fs/squashfs/squashfs_fs_i.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f81a5bc9e924ee1950e0dd82bd10749048390f6e",
"status": "affected",
"version": "122601408d20c77704268f1dea9f9ce4abf997c2",
"versionType": "git"
},
{
"lessThan": "382a47fae449e554ef1e8c198667fd2f3270b945",
"status": "affected",
"version": "122601408d20c77704268f1dea9f9ce4abf997c2",
"versionType": "git"
},
{
"lessThan": "61d38b5ce2782bff3cacaacbb8164087a73ed1a5",
"status": "affected",
"version": "122601408d20c77704268f1dea9f9ce4abf997c2",
"versionType": "git"
},
{
"lessThan": "81a2bca52d43fc9d9abf07408b91255131c5dc53",
"status": "affected",
"version": "122601408d20c77704268f1dea9f9ce4abf997c2",
"versionType": "git"
},
{
"lessThan": "c28b0ca029edf5d0558abcd76cb8c732706cd339",
"status": "affected",
"version": "122601408d20c77704268f1dea9f9ce4abf997c2",
"versionType": "git"
},
{
"lessThan": "1b3ccd0019132880c94bb00ca7088c1749308f82",
"status": "affected",
"version": "122601408d20c77704268f1dea9f9ce4abf997c2",
"versionType": "git"
},
{
"lessThan": "91b99db7a92e57ff48a96a1b10fddfd2547e7f53",
"status": "affected",
"version": "122601408d20c77704268f1dea9f9ce4abf997c2",
"versionType": "git"
},
{
"lessThan": "74058c0a9fc8b2b4d5f4a0ef7ee2cfa66a9e49cf",
"status": "affected",
"version": "122601408d20c77704268f1dea9f9ce4abf997c2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/squashfs/inode.c",
"fs/squashfs/squashfs_fs_i.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.29"
},
{
"lessThan": "2.6.29",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.29",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nSquashfs: fix uninit-value in squashfs_get_parent\n\nSyzkaller reports a \"KMSAN: uninit-value in squashfs_get_parent\" bug.\n\nThis is caused by open_by_handle_at() being called with a file handle\ncontaining an invalid parent inode number. In particular the inode number\nis that of a symbolic link, rather than a directory.\n\nSquashfs_get_parent() gets called with that symbolic link inode, and\naccesses the parent member field.\n\n\tunsigned int parent_ino = squashfs_i(inode)-\u003eparent;\n\nBecause non-directory inodes in Squashfs do not have a parent value, this\nis uninitialised, and this causes an uninitialised value access.\n\nThe fix is to initialise parent with the invalid inode 0, which will cause\nan EINVAL error to be returned.\n\nRegular inodes used to share the parent field with the block_list_start\nfield. This is removed in this commit to enable the parent field to\ncontain the invalid inode number 0."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:16:55.232Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f81a5bc9e924ee1950e0dd82bd10749048390f6e"
},
{
"url": "https://git.kernel.org/stable/c/382a47fae449e554ef1e8c198667fd2f3270b945"
},
{
"url": "https://git.kernel.org/stable/c/61d38b5ce2782bff3cacaacbb8164087a73ed1a5"
},
{
"url": "https://git.kernel.org/stable/c/81a2bca52d43fc9d9abf07408b91255131c5dc53"
},
{
"url": "https://git.kernel.org/stable/c/c28b0ca029edf5d0558abcd76cb8c732706cd339"
},
{
"url": "https://git.kernel.org/stable/c/1b3ccd0019132880c94bb00ca7088c1749308f82"
},
{
"url": "https://git.kernel.org/stable/c/91b99db7a92e57ff48a96a1b10fddfd2547e7f53"
},
{
"url": "https://git.kernel.org/stable/c/74058c0a9fc8b2b4d5f4a0ef7ee2cfa66a9e49cf"
}
],
"title": "Squashfs: fix uninit-value in squashfs_get_parent",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40049",
"datePublished": "2025-10-28T11:48:25.862Z",
"dateReserved": "2025-04-16T07:20:57.157Z",
"dateUpdated": "2025-12-01T06:16:55.232Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71066 (GCVE-0-2025-71066)
Vulnerability from cvelistv5
Published
2026-01-13 15:31
Modified
2026-02-09 08:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: ets: Always remove class from active list before deleting in ets_qdisc_change
zdi-disclosures@trendmicro.com says:
The vulnerability is a race condition between `ets_qdisc_dequeue` and
`ets_qdisc_change`. It leads to UAF on `struct Qdisc` object.
Attacker requires the capability to create new user and network namespace
in order to trigger the bug.
See my additional commentary at the end of the analysis.
Analysis:
static int ets_qdisc_change(struct Qdisc *sch, struct nlattr *opt,
struct netlink_ext_ack *extack)
{
...
// (1) this lock is preventing .change handler (`ets_qdisc_change`)
//to race with .dequeue handler (`ets_qdisc_dequeue`)
sch_tree_lock(sch);
for (i = nbands; i < oldbands; i++) {
if (i >= q->nstrict && q->classes[i].qdisc->q.qlen)
list_del_init(&q->classes[i].alist);
qdisc_purge_queue(q->classes[i].qdisc);
}
WRITE_ONCE(q->nbands, nbands);
for (i = nstrict; i < q->nstrict; i++) {
if (q->classes[i].qdisc->q.qlen) {
// (2) the class is added to the q->active
list_add_tail(&q->classes[i].alist, &q->active);
q->classes[i].deficit = quanta[i];
}
}
WRITE_ONCE(q->nstrict, nstrict);
memcpy(q->prio2band, priomap, sizeof(priomap));
for (i = 0; i < q->nbands; i++)
WRITE_ONCE(q->classes[i].quantum, quanta[i]);
for (i = oldbands; i < q->nbands; i++) {
q->classes[i].qdisc = queues[i];
if (q->classes[i].qdisc != &noop_qdisc)
qdisc_hash_add(q->classes[i].qdisc, true);
}
// (3) the qdisc is unlocked, now dequeue can be called in parallel
// to the rest of .change handler
sch_tree_unlock(sch);
ets_offload_change(sch);
for (i = q->nbands; i < oldbands; i++) {
// (4) we're reducing the refcount for our class's qdisc and
// freeing it
qdisc_put(q->classes[i].qdisc);
// (5) If we call .dequeue between (4) and (5), we will have
// a strong UAF and we can control RIP
q->classes[i].qdisc = NULL;
WRITE_ONCE(q->classes[i].quantum, 0);
q->classes[i].deficit = 0;
gnet_stats_basic_sync_init(&q->classes[i].bstats);
memset(&q->classes[i].qstats, 0, sizeof(q->classes[i].qstats));
}
return 0;
}
Comment:
This happens because some of the classes have their qdiscs assigned to
NULL, but remain in the active list. This commit fixes this issue by always
removing the class from the active list before deleting and freeing its
associated qdisc
Reproducer Steps
(trimmed version of what was sent by zdi-disclosures@trendmicro.com)
```
DEV="${DEV:-lo}"
ROOT_HANDLE="${ROOT_HANDLE:-1:}"
BAND2_HANDLE="${BAND2_HANDLE:-20:}" # child under 1:2
PING_BYTES="${PING_BYTES:-48}"
PING_COUNT="${PING_COUNT:-200000}"
PING_DST="${PING_DST:-127.0.0.1}"
SLOW_TBF_RATE="${SLOW_TBF_RATE:-8bit}"
SLOW_TBF_BURST="${SLOW_TBF_BURST:-100b}"
SLOW_TBF_LAT="${SLOW_TBF_LAT:-1s}"
cleanup() {
tc qdisc del dev "$DEV" root 2>/dev/null
}
trap cleanup EXIT
ip link set "$DEV" up
tc qdisc del dev "$DEV" root 2>/dev/null || true
tc qdisc add dev "$DEV" root handle "$ROOT_HANDLE" ets bands 2 strict 2
tc qdisc add dev "$DEV" parent 1:2 handle "$BAND2_HANDLE" \
tbf rate "$SLOW_TBF_RATE" burst "$SLOW_TBF_BURST" latency "$SLOW_TBF_LAT"
tc filter add dev "$DEV" parent 1: protocol all prio 1 u32 match u32 0 0 flowid 1:2
tc -s qdisc ls dev $DEV
ping -I "$DEV" -f -c "$PING_COUNT" -s "$PING_BYTES" -W 0.001 "$PING_DST" \
>/dev/null 2>&1 &
tc qdisc change dev "$DEV" root handle "$ROOT_HANDLE" ets bands 2 strict 0
tc qdisc change dev "$DEV" root handle "$ROOT_HANDLE" ets bands 2 strict 2
tc -s qdisc ls dev $DEV
tc qdisc del dev "$DEV" parent
---truncated---
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: ae2659d2c670252759ee9c823c4e039c0e05a6f2 Version: e25bdbc7e951ae5728fee1f4c09485df113d013c Version: de6d25924c2a8c2988c6a385990cafbe742061bf Version: de6d25924c2a8c2988c6a385990cafbe742061bf Version: de6d25924c2a8c2988c6a385990cafbe742061bf Version: de6d25924c2a8c2988c6a385990cafbe742061bf Version: de6d25924c2a8c2988c6a385990cafbe742061bf |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_ets.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "062d5d544e564473450d72e6af83077c2b2ff7c3",
"status": "affected",
"version": "ae2659d2c670252759ee9c823c4e039c0e05a6f2",
"versionType": "git"
},
{
"lessThan": "c7f6e7cc14df72b997258216e99d897d2df0dbbd",
"status": "affected",
"version": "e25bdbc7e951ae5728fee1f4c09485df113d013c",
"versionType": "git"
},
{
"lessThan": "a75d617a4ef08682f5cfaadc01d5141c87e019c9",
"status": "affected",
"version": "de6d25924c2a8c2988c6a385990cafbe742061bf",
"versionType": "git"
},
{
"lessThan": "9987cda315c08f63a02423fa2f9a1f6602c861a0",
"status": "affected",
"version": "de6d25924c2a8c2988c6a385990cafbe742061bf",
"versionType": "git"
},
{
"lessThan": "06bfb66a7c8b45e3fed01351a4b087410ae5ef39",
"status": "affected",
"version": "de6d25924c2a8c2988c6a385990cafbe742061bf",
"versionType": "git"
},
{
"lessThan": "45466141da3c98a0c5fa88be0bc14b4b6a4bd75c",
"status": "affected",
"version": "de6d25924c2a8c2988c6a385990cafbe742061bf",
"versionType": "git"
},
{
"lessThan": "ce052b9402e461a9aded599f5b47e76bc727f7de",
"status": "affected",
"version": "de6d25924c2a8c2988c6a385990cafbe742061bf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_ets.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.10.83",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.15.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: ets: Always remove class from active list before deleting in ets_qdisc_change\n\nzdi-disclosures@trendmicro.com says:\n\nThe vulnerability is a race condition between `ets_qdisc_dequeue` and\n`ets_qdisc_change`. It leads to UAF on `struct Qdisc` object.\nAttacker requires the capability to create new user and network namespace\nin order to trigger the bug.\nSee my additional commentary at the end of the analysis.\n\nAnalysis:\n\nstatic int ets_qdisc_change(struct Qdisc *sch, struct nlattr *opt,\n struct netlink_ext_ack *extack)\n{\n...\n\n // (1) this lock is preventing .change handler (`ets_qdisc_change`)\n //to race with .dequeue handler (`ets_qdisc_dequeue`)\n sch_tree_lock(sch);\n\n for (i = nbands; i \u003c oldbands; i++) {\n if (i \u003e= q-\u003enstrict \u0026\u0026 q-\u003eclasses[i].qdisc-\u003eq.qlen)\n list_del_init(\u0026q-\u003eclasses[i].alist);\n qdisc_purge_queue(q-\u003eclasses[i].qdisc);\n }\n\n WRITE_ONCE(q-\u003enbands, nbands);\n for (i = nstrict; i \u003c q-\u003enstrict; i++) {\n if (q-\u003eclasses[i].qdisc-\u003eq.qlen) {\n\t\t // (2) the class is added to the q-\u003eactive\n list_add_tail(\u0026q-\u003eclasses[i].alist, \u0026q-\u003eactive);\n q-\u003eclasses[i].deficit = quanta[i];\n }\n }\n WRITE_ONCE(q-\u003enstrict, nstrict);\n memcpy(q-\u003eprio2band, priomap, sizeof(priomap));\n\n for (i = 0; i \u003c q-\u003enbands; i++)\n WRITE_ONCE(q-\u003eclasses[i].quantum, quanta[i]);\n\n for (i = oldbands; i \u003c q-\u003enbands; i++) {\n q-\u003eclasses[i].qdisc = queues[i];\n if (q-\u003eclasses[i].qdisc != \u0026noop_qdisc)\n qdisc_hash_add(q-\u003eclasses[i].qdisc, true);\n }\n\n // (3) the qdisc is unlocked, now dequeue can be called in parallel\n // to the rest of .change handler\n sch_tree_unlock(sch);\n\n ets_offload_change(sch);\n for (i = q-\u003enbands; i \u003c oldbands; i++) {\n\t // (4) we\u0027re reducing the refcount for our class\u0027s qdisc and\n\t // freeing it\n qdisc_put(q-\u003eclasses[i].qdisc);\n\t // (5) If we call .dequeue between (4) and (5), we will have\n\t // a strong UAF and we can control RIP\n q-\u003eclasses[i].qdisc = NULL;\n WRITE_ONCE(q-\u003eclasses[i].quantum, 0);\n q-\u003eclasses[i].deficit = 0;\n gnet_stats_basic_sync_init(\u0026q-\u003eclasses[i].bstats);\n memset(\u0026q-\u003eclasses[i].qstats, 0, sizeof(q-\u003eclasses[i].qstats));\n }\n return 0;\n}\n\nComment:\nThis happens because some of the classes have their qdiscs assigned to\nNULL, but remain in the active list. This commit fixes this issue by always\nremoving the class from the active list before deleting and freeing its\nassociated qdisc\n\nReproducer Steps\n(trimmed version of what was sent by zdi-disclosures@trendmicro.com)\n\n```\nDEV=\"${DEV:-lo}\"\nROOT_HANDLE=\"${ROOT_HANDLE:-1:}\"\nBAND2_HANDLE=\"${BAND2_HANDLE:-20:}\" # child under 1:2\nPING_BYTES=\"${PING_BYTES:-48}\"\nPING_COUNT=\"${PING_COUNT:-200000}\"\nPING_DST=\"${PING_DST:-127.0.0.1}\"\n\nSLOW_TBF_RATE=\"${SLOW_TBF_RATE:-8bit}\"\nSLOW_TBF_BURST=\"${SLOW_TBF_BURST:-100b}\"\nSLOW_TBF_LAT=\"${SLOW_TBF_LAT:-1s}\"\n\ncleanup() {\n tc qdisc del dev \"$DEV\" root 2\u003e/dev/null\n}\ntrap cleanup EXIT\n\nip link set \"$DEV\" up\n\ntc qdisc del dev \"$DEV\" root 2\u003e/dev/null || true\n\ntc qdisc add dev \"$DEV\" root handle \"$ROOT_HANDLE\" ets bands 2 strict 2\n\ntc qdisc add dev \"$DEV\" parent 1:2 handle \"$BAND2_HANDLE\" \\\n tbf rate \"$SLOW_TBF_RATE\" burst \"$SLOW_TBF_BURST\" latency \"$SLOW_TBF_LAT\"\n\ntc filter add dev \"$DEV\" parent 1: protocol all prio 1 u32 match u32 0 0 flowid 1:2\ntc -s qdisc ls dev $DEV\n\nping -I \"$DEV\" -f -c \"$PING_COUNT\" -s \"$PING_BYTES\" -W 0.001 \"$PING_DST\" \\\n \u003e/dev/null 2\u003e\u00261 \u0026\ntc qdisc change dev \"$DEV\" root handle \"$ROOT_HANDLE\" ets bands 2 strict 0\ntc qdisc change dev \"$DEV\" root handle \"$ROOT_HANDLE\" ets bands 2 strict 2\ntc -s qdisc ls dev $DEV\ntc qdisc del dev \"$DEV\" parent \n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:16.660Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/062d5d544e564473450d72e6af83077c2b2ff7c3"
},
{
"url": "https://git.kernel.org/stable/c/c7f6e7cc14df72b997258216e99d897d2df0dbbd"
},
{
"url": "https://git.kernel.org/stable/c/a75d617a4ef08682f5cfaadc01d5141c87e019c9"
},
{
"url": "https://git.kernel.org/stable/c/9987cda315c08f63a02423fa2f9a1f6602c861a0"
},
{
"url": "https://git.kernel.org/stable/c/06bfb66a7c8b45e3fed01351a4b087410ae5ef39"
},
{
"url": "https://git.kernel.org/stable/c/45466141da3c98a0c5fa88be0bc14b4b6a4bd75c"
},
{
"url": "https://git.kernel.org/stable/c/ce052b9402e461a9aded599f5b47e76bc727f7de"
}
],
"title": "net/sched: ets: Always remove class from active list before deleting in ets_qdisc_change",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71066",
"datePublished": "2026-01-13T15:31:21.931Z",
"dateReserved": "2026-01-13T15:30:19.646Z",
"dateUpdated": "2026-02-09T08:34:16.660Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40304 (GCVE-0-2025-40304)
Vulnerability from cvelistv5
Published
2025-12-08 00:46
Modified
2026-01-02 15:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds
Add bounds checking to prevent writes past framebuffer boundaries when
rendering text near screen edges. Return early if the Y position is off-screen
and clip image height to screen boundary. Break from the rendering loop if the
X position is off-screen. When clipping image width to fit the screen, update
the character count to match the clipped width to prevent buffer size
mismatches.
Without the character count update, bit_putcs_aligned and bit_putcs_unaligned
receive mismatched parameters where the buffer is allocated for the clipped
width but cnt reflects the original larger count, causing out-of-bounds writes.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/core/bitblit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "996bfaa7372d6718b6d860bdf78f6618e850c702",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f0982400648a3e00580253e0c48e991f34d2684c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1943b69e87b0ab35032d47de0a7fca9a3d1d6fc1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ebc0730b490c7f27340b1222e01dd106e820320d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "86df8ade88d290725554cefd03101ecd0fbd3752",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "15ba9acafb0517f8359ca30002c189a68ddbb939",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2d1359e11674ed4274934eac8a71877ae5ae7bbb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3637d34b35b287ab830e66048841ace404382b67",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/core/bitblit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds\n\nAdd bounds checking to prevent writes past framebuffer boundaries when\nrendering text near screen edges. Return early if the Y position is off-screen\nand clip image height to screen boundary. Break from the rendering loop if the\nX position is off-screen. When clipping image width to fit the screen, update\nthe character count to match the clipped width to prevent buffer size\nmismatches.\n\nWithout the character count update, bit_putcs_aligned and bit_putcs_unaligned\nreceive mismatched parameters where the buffer is allocated for the clipped\nwidth but cnt reflects the original larger count, causing out-of-bounds writes."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:26.347Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/996bfaa7372d6718b6d860bdf78f6618e850c702"
},
{
"url": "https://git.kernel.org/stable/c/f0982400648a3e00580253e0c48e991f34d2684c"
},
{
"url": "https://git.kernel.org/stable/c/1943b69e87b0ab35032d47de0a7fca9a3d1d6fc1"
},
{
"url": "https://git.kernel.org/stable/c/ebc0730b490c7f27340b1222e01dd106e820320d"
},
{
"url": "https://git.kernel.org/stable/c/86df8ade88d290725554cefd03101ecd0fbd3752"
},
{
"url": "https://git.kernel.org/stable/c/15ba9acafb0517f8359ca30002c189a68ddbb939"
},
{
"url": "https://git.kernel.org/stable/c/2d1359e11674ed4274934eac8a71877ae5ae7bbb"
},
{
"url": "https://git.kernel.org/stable/c/3637d34b35b287ab830e66048841ace404382b67"
}
],
"title": "fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40304",
"datePublished": "2025-12-08T00:46:29.013Z",
"dateReserved": "2025-04-16T07:20:57.185Z",
"dateUpdated": "2026-01-02T15:33:26.347Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71144 (GCVE-0-2025-71144)
Vulnerability from cvelistv5
Published
2026-01-14 15:08
Modified
2026-02-19 15:39
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mptcp: ensure context reset on disconnect()
After the blamed commit below, if the MPC subflow is already in TCP_CLOSE
status or has fallback to TCP at mptcp_disconnect() time,
mptcp_do_fastclose() skips setting the `send_fastclose flag` and the later
__mptcp_close_ssk() does not reset anymore the related subflow context.
Any later connection will be created with both the `request_mptcp` flag
and the msk-level fallback status off (it is unconditionally cleared at
MPTCP disconnect time), leading to a warning in subflow_data_ready():
WARNING: CPU: 26 PID: 8996 at net/mptcp/subflow.c:1519 subflow_data_ready (net/mptcp/subflow.c:1519 (discriminator 13))
Modules linked in:
CPU: 26 UID: 0 PID: 8996 Comm: syz.22.39 Not tainted 6.18.0-rc7-05427-g11fc074f6c36 #1 PREEMPT(voluntary)
Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
RIP: 0010:subflow_data_ready (net/mptcp/subflow.c:1519 (discriminator 13))
Code: 90 0f 0b 90 90 e9 04 fe ff ff e8 b7 1e f5 fe 89 ee bf 07 00 00 00 e8 db 19 f5 fe 83 fd 07 0f 84 35 ff ff ff e8 9d 1e f5 fe 90 <0f> 0b 90 e9 27 ff ff ff e8 8f 1e f5 fe 4c 89 e7 48 89 de e8 14 09
RSP: 0018:ffffc9002646fb30 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff88813b218000 RCX: ffffffff825c8435
RDX: ffff8881300b3580 RSI: ffffffff825c8443 RDI: 0000000000000005
RBP: 000000000000000b R08: ffffffff825c8435 R09: 000000000000000b
R10: 0000000000000005 R11: 0000000000000007 R12: ffff888131ac0000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS: 00007f88330af6c0(0000) GS:ffff888a93dd2000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f88330aefe8 CR3: 000000010ff59000 CR4: 0000000000350ef0
Call Trace:
<TASK>
tcp_data_ready (net/ipv4/tcp_input.c:5356)
tcp_data_queue (net/ipv4/tcp_input.c:5445)
tcp_rcv_state_process (net/ipv4/tcp_input.c:7165)
tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1955)
__release_sock (include/net/sock.h:1158 (discriminator 6) net/core/sock.c:3180 (discriminator 6))
release_sock (net/core/sock.c:3737)
mptcp_sendmsg (net/mptcp/protocol.c:1763 net/mptcp/protocol.c:1857)
inet_sendmsg (net/ipv4/af_inet.c:853 (discriminator 7))
__sys_sendto (net/socket.c:727 (discriminator 15) net/socket.c:742 (discriminator 15) net/socket.c:2244 (discriminator 15))
__x64_sys_sendto (net/socket.c:2247)
do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
RIP: 0033:0x7f883326702d
Address the issue setting an explicit `fastclosing` flag at fastclose
time, and checking such flag after mptcp_do_fastclose().
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 9ea05fabce31ff93a0adae8221c58bc6d7b832f3 Version: 3a13454fd098ed51e733958488f8ec62859a9ed8 Version: f6fb2cbc91a81178dea23d463503b4525a76825d Version: ae155060247be8dcae3802a95bd1bdf93ab3215d Version: ae155060247be8dcae3802a95bd1bdf93ab3215d Version: c4f7b0916b95fd2226e5ab98882482b08f52e1c0 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mptcp/protocol.c",
"net/mptcp/protocol.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "226fff52e7ed9fc8cd63327133739b3d92537ffd",
"status": "affected",
"version": "9ea05fabce31ff93a0adae8221c58bc6d7b832f3",
"versionType": "git"
},
{
"lessThan": "5c7c7135468f3fc6379cde9777a2c18bfe92d82f",
"status": "affected",
"version": "3a13454fd098ed51e733958488f8ec62859a9ed8",
"versionType": "git"
},
{
"lessThan": "1c7c3a9314d8a7fc0e9a508606466a967c8e774a",
"status": "affected",
"version": "f6fb2cbc91a81178dea23d463503b4525a76825d",
"versionType": "git"
},
{
"lessThan": "f1a77dfc3b045c3dd5f6e64189b9f52b90399f07",
"status": "affected",
"version": "ae155060247be8dcae3802a95bd1bdf93ab3215d",
"versionType": "git"
},
{
"lessThan": "86730ac255b0497a272704de9a1df559f5d6602e",
"status": "affected",
"version": "ae155060247be8dcae3802a95bd1bdf93ab3215d",
"versionType": "git"
},
{
"status": "affected",
"version": "c4f7b0916b95fd2226e5ab98882482b08f52e1c0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mptcp/protocol.c",
"net/mptcp/protocol.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.164",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.65",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.164",
"versionStartIncluding": "6.1.159",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.6.119",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.65",
"versionStartIncluding": "6.12.60",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.5",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.17.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: ensure context reset on disconnect()\n\nAfter the blamed commit below, if the MPC subflow is already in TCP_CLOSE\nstatus or has fallback to TCP at mptcp_disconnect() time,\nmptcp_do_fastclose() skips setting the `send_fastclose flag` and the later\n__mptcp_close_ssk() does not reset anymore the related subflow context.\n\nAny later connection will be created with both the `request_mptcp` flag\nand the msk-level fallback status off (it is unconditionally cleared at\nMPTCP disconnect time), leading to a warning in subflow_data_ready():\n\n WARNING: CPU: 26 PID: 8996 at net/mptcp/subflow.c:1519 subflow_data_ready (net/mptcp/subflow.c:1519 (discriminator 13))\n Modules linked in:\n CPU: 26 UID: 0 PID: 8996 Comm: syz.22.39 Not tainted 6.18.0-rc7-05427-g11fc074f6c36 #1 PREEMPT(voluntary)\n Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011\n RIP: 0010:subflow_data_ready (net/mptcp/subflow.c:1519 (discriminator 13))\n Code: 90 0f 0b 90 90 e9 04 fe ff ff e8 b7 1e f5 fe 89 ee bf 07 00 00 00 e8 db 19 f5 fe 83 fd 07 0f 84 35 ff ff ff e8 9d 1e f5 fe 90 \u003c0f\u003e 0b 90 e9 27 ff ff ff e8 8f 1e f5 fe 4c 89 e7 48 89 de e8 14 09\n RSP: 0018:ffffc9002646fb30 EFLAGS: 00010293\n RAX: 0000000000000000 RBX: ffff88813b218000 RCX: ffffffff825c8435\n RDX: ffff8881300b3580 RSI: ffffffff825c8443 RDI: 0000000000000005\n RBP: 000000000000000b R08: ffffffff825c8435 R09: 000000000000000b\n R10: 0000000000000005 R11: 0000000000000007 R12: ffff888131ac0000\n R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n FS: 00007f88330af6c0(0000) GS:ffff888a93dd2000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f88330aefe8 CR3: 000000010ff59000 CR4: 0000000000350ef0\n Call Trace:\n \u003cTASK\u003e\n tcp_data_ready (net/ipv4/tcp_input.c:5356)\n tcp_data_queue (net/ipv4/tcp_input.c:5445)\n tcp_rcv_state_process (net/ipv4/tcp_input.c:7165)\n tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1955)\n __release_sock (include/net/sock.h:1158 (discriminator 6) net/core/sock.c:3180 (discriminator 6))\n release_sock (net/core/sock.c:3737)\n mptcp_sendmsg (net/mptcp/protocol.c:1763 net/mptcp/protocol.c:1857)\n inet_sendmsg (net/ipv4/af_inet.c:853 (discriminator 7))\n __sys_sendto (net/socket.c:727 (discriminator 15) net/socket.c:742 (discriminator 15) net/socket.c:2244 (discriminator 15))\n __x64_sys_sendto (net/socket.c:2247)\n do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n RIP: 0033:0x7f883326702d\n\nAddress the issue setting an explicit `fastclosing` flag at fastclose\ntime, and checking such flag after mptcp_do_fastclose()."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T15:39:23.482Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/226fff52e7ed9fc8cd63327133739b3d92537ffd"
},
{
"url": "https://git.kernel.org/stable/c/5c7c7135468f3fc6379cde9777a2c18bfe92d82f"
},
{
"url": "https://git.kernel.org/stable/c/1c7c3a9314d8a7fc0e9a508606466a967c8e774a"
},
{
"url": "https://git.kernel.org/stable/c/f1a77dfc3b045c3dd5f6e64189b9f52b90399f07"
},
{
"url": "https://git.kernel.org/stable/c/86730ac255b0497a272704de9a1df559f5d6602e"
}
],
"title": "mptcp: ensure context reset on disconnect()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71144",
"datePublished": "2026-01-14T15:08:56.700Z",
"dateReserved": "2026-01-13T15:30:19.661Z",
"dateUpdated": "2026-02-19T15:39:23.482Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23091 (GCVE-0-2026-23091)
Vulnerability from cvelistv5
Published
2026-02-04 16:08
Modified
2026-02-09 08:38
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
intel_th: fix device leak on output open()
Make sure to drop the reference taken when looking up the th device
during output device open() on errors and on close().
Note that a recent commit fixed the leak in a couple of open() error
paths but not all of them, and the reference is still leaking on
successful open().
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 39f4034693b7c7bd1fe4cb58c93259d600f55561 Version: 39f4034693b7c7bd1fe4cb58c93259d600f55561 Version: 39f4034693b7c7bd1fe4cb58c93259d600f55561 Version: 39f4034693b7c7bd1fe4cb58c93259d600f55561 Version: 39f4034693b7c7bd1fe4cb58c93259d600f55561 Version: 39f4034693b7c7bd1fe4cb58c93259d600f55561 Version: 39f4034693b7c7bd1fe4cb58c93259d600f55561 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hwtracing/intel_th/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "af4b9467296b9a16ebc008147238070236982b6d",
"status": "affected",
"version": "39f4034693b7c7bd1fe4cb58c93259d600f55561",
"versionType": "git"
},
{
"lessThan": "64015cbf06e8bb75b81ae95b997e847b55280f7f",
"status": "affected",
"version": "39f4034693b7c7bd1fe4cb58c93259d600f55561",
"versionType": "git"
},
{
"lessThan": "b71e64ef7ff9443835d1333e3e80ab1e49e5209f",
"status": "affected",
"version": "39f4034693b7c7bd1fe4cb58c93259d600f55561",
"versionType": "git"
},
{
"lessThan": "bf7785434b5d05d940d936b78925080950bd54dd",
"status": "affected",
"version": "39f4034693b7c7bd1fe4cb58c93259d600f55561",
"versionType": "git"
},
{
"lessThan": "0fca16c5591534cc1fec8b6181277ee3a3d0f26c",
"status": "affected",
"version": "39f4034693b7c7bd1fe4cb58c93259d600f55561",
"versionType": "git"
},
{
"lessThan": "f9b059bda4276f2bb72cb98ec7875a747f042ea2",
"status": "affected",
"version": "39f4034693b7c7bd1fe4cb58c93259d600f55561",
"versionType": "git"
},
{
"lessThan": "95fc36a234da24bbc5f476f8104a5a15f99ed3e3",
"status": "affected",
"version": "39f4034693b7c7bd1fe4cb58c93259d600f55561",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hwtracing/intel_th/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.4"
},
{
"lessThan": "4.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nintel_th: fix device leak on output open()\n\nMake sure to drop the reference taken when looking up the th device\nduring output device open() on errors and on close().\n\nNote that a recent commit fixed the leak in a couple of open() error\npaths but not all of them, and the reference is still leaking on\nsuccessful open()."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:38:31.396Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/af4b9467296b9a16ebc008147238070236982b6d"
},
{
"url": "https://git.kernel.org/stable/c/64015cbf06e8bb75b81ae95b997e847b55280f7f"
},
{
"url": "https://git.kernel.org/stable/c/b71e64ef7ff9443835d1333e3e80ab1e49e5209f"
},
{
"url": "https://git.kernel.org/stable/c/bf7785434b5d05d940d936b78925080950bd54dd"
},
{
"url": "https://git.kernel.org/stable/c/0fca16c5591534cc1fec8b6181277ee3a3d0f26c"
},
{
"url": "https://git.kernel.org/stable/c/f9b059bda4276f2bb72cb98ec7875a747f042ea2"
},
{
"url": "https://git.kernel.org/stable/c/95fc36a234da24bbc5f476f8104a5a15f99ed3e3"
}
],
"title": "intel_th: fix device leak on output open()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23091",
"datePublished": "2026-02-04T16:08:14.295Z",
"dateReserved": "2026-01-13T15:37:45.962Z",
"dateUpdated": "2026-02-09T08:38:31.396Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40306 (GCVE-0-2025-40306)
Vulnerability from cvelistv5
Published
2025-12-08 00:46
Modified
2025-12-20 08:51
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
orangefs: fix xattr related buffer overflow...
Willy Tarreau <w@1wt.eu> forwarded me a message from
Disclosure <disclosure@aisle.com> with the following
warning:
> The helper `xattr_key()` uses the pointer variable in the loop condition
> rather than dereferencing it. As `key` is incremented, it remains non-NULL
> (until it runs into unmapped memory), so the loop does not terminate on
> valid C strings and will walk memory indefinitely, consuming CPU or hanging
> the thread.
I easily reproduced this with setfattr and getfattr, causing a kernel
oops, hung user processes and corrupted orangefs files. Disclosure
sent along a diff (not a patch) with a suggested fix, which I based
this patch on.
After xattr_key started working right, xfstest generic/069 exposed an
xattr related memory leak that lead to OOM. xattr_key returns
a hashed key. When adding xattrs to the orangefs xattr cache, orangefs
used hash_add, a kernel hashing macro. hash_add also hashes the key using
hash_log which resulted in additions to the xattr cache going to the wrong
hash bucket. generic/069 tortures a single file and orangefs does a
getattr for the xattr "security.capability" every time. Orangefs
negative caches on xattrs which includes a kmalloc. Since adds to the
xattr cache were going to the wrong bucket, every getattr for
"security.capability" resulted in another kmalloc, none of which were
ever freed.
I changed the two uses of hash_add to hlist_add_head instead
and the memory leak ceased and generic/069 quit throwing furniture.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: f7ab093f74bf638ed98fd1115f3efa17e308bb7f Version: f7ab093f74bf638ed98fd1115f3efa17e308bb7f Version: f7ab093f74bf638ed98fd1115f3efa17e308bb7f Version: f7ab093f74bf638ed98fd1115f3efa17e308bb7f Version: f7ab093f74bf638ed98fd1115f3efa17e308bb7f Version: f7ab093f74bf638ed98fd1115f3efa17e308bb7f Version: f7ab093f74bf638ed98fd1115f3efa17e308bb7f Version: f7ab093f74bf638ed98fd1115f3efa17e308bb7f |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/orangefs/xattr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c6564ff6b53c9a8dc786b6f1c51ae7688273f931",
"status": "affected",
"version": "f7ab093f74bf638ed98fd1115f3efa17e308bb7f",
"versionType": "git"
},
{
"lessThan": "ef892d2bf4f3fa2c8de1677dd307e678bdd3d865",
"status": "affected",
"version": "f7ab093f74bf638ed98fd1115f3efa17e308bb7f",
"versionType": "git"
},
{
"lessThan": "15afebb9597449c444801d1ff0b8d8b311f950ab",
"status": "affected",
"version": "f7ab093f74bf638ed98fd1115f3efa17e308bb7f",
"versionType": "git"
},
{
"lessThan": "bc812574de633cf9a9ad6974490e45f6a4bb5126",
"status": "affected",
"version": "f7ab093f74bf638ed98fd1115f3efa17e308bb7f",
"versionType": "git"
},
{
"lessThan": "e09a096104fc65859422817fb2211f35855983fe",
"status": "affected",
"version": "f7ab093f74bf638ed98fd1115f3efa17e308bb7f",
"versionType": "git"
},
{
"lessThan": "9127d1e90c90e5960c8bc72a4ce2c209691a7021",
"status": "affected",
"version": "f7ab093f74bf638ed98fd1115f3efa17e308bb7f",
"versionType": "git"
},
{
"lessThan": "c2ca015ac109fd743fdde27933d59dc5ad46658e",
"status": "affected",
"version": "f7ab093f74bf638ed98fd1115f3efa17e308bb7f",
"versionType": "git"
},
{
"lessThan": "025e880759c279ec64d0f754fe65bf45961da864",
"status": "affected",
"version": "f7ab093f74bf638ed98fd1115f3efa17e308bb7f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/orangefs/xattr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.6"
},
{
"lessThan": "4.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\norangefs: fix xattr related buffer overflow...\n\nWilly Tarreau \u003cw@1wt.eu\u003e forwarded me a message from\nDisclosure \u003cdisclosure@aisle.com\u003e with the following\nwarning:\n\n\u003e The helper `xattr_key()` uses the pointer variable in the loop condition\n\u003e rather than dereferencing it. As `key` is incremented, it remains non-NULL\n\u003e (until it runs into unmapped memory), so the loop does not terminate on\n\u003e valid C strings and will walk memory indefinitely, consuming CPU or hanging\n\u003e the thread.\n\nI easily reproduced this with setfattr and getfattr, causing a kernel\noops, hung user processes and corrupted orangefs files. Disclosure\nsent along a diff (not a patch) with a suggested fix, which I based\nthis patch on.\n\nAfter xattr_key started working right, xfstest generic/069 exposed an\nxattr related memory leak that lead to OOM. xattr_key returns\na hashed key. When adding xattrs to the orangefs xattr cache, orangefs\nused hash_add, a kernel hashing macro. hash_add also hashes the key using\nhash_log which resulted in additions to the xattr cache going to the wrong\nhash bucket. generic/069 tortures a single file and orangefs does a\ngetattr for the xattr \"security.capability\" every time. Orangefs\nnegative caches on xattrs which includes a kmalloc. Since adds to the\nxattr cache were going to the wrong bucket, every getattr for\n\"security.capability\" resulted in another kmalloc, none of which were\never freed.\n\nI changed the two uses of hash_add to hlist_add_head instead\nand the memory leak ceased and generic/069 quit throwing furniture."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-20T08:51:57.401Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c6564ff6b53c9a8dc786b6f1c51ae7688273f931"
},
{
"url": "https://git.kernel.org/stable/c/ef892d2bf4f3fa2c8de1677dd307e678bdd3d865"
},
{
"url": "https://git.kernel.org/stable/c/15afebb9597449c444801d1ff0b8d8b311f950ab"
},
{
"url": "https://git.kernel.org/stable/c/bc812574de633cf9a9ad6974490e45f6a4bb5126"
},
{
"url": "https://git.kernel.org/stable/c/e09a096104fc65859422817fb2211f35855983fe"
},
{
"url": "https://git.kernel.org/stable/c/9127d1e90c90e5960c8bc72a4ce2c209691a7021"
},
{
"url": "https://git.kernel.org/stable/c/c2ca015ac109fd743fdde27933d59dc5ad46658e"
},
{
"url": "https://git.kernel.org/stable/c/025e880759c279ec64d0f754fe65bf45961da864"
}
],
"title": "orangefs: fix xattr related buffer overflow...",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40306",
"datePublished": "2025-12-08T00:46:31.514Z",
"dateReserved": "2025-04-16T07:20:57.185Z",
"dateUpdated": "2025-12-20T08:51:57.401Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68755 (GCVE-0-2025-68755)
Vulnerability from cvelistv5
Published
2026-01-05 09:32
Modified
2026-02-09 08:32
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
staging: most: remove broken i2c driver
The MOST I2C driver has been completely broken for five years without
anyone noticing so remove the driver from staging.
Specifically, commit 723de0f9171e ("staging: most: remove device from
interface structure") started requiring drivers to set the interface
device pointer before registration, but the I2C driver was never updated
which results in a NULL pointer dereference if anyone ever tries to
probe it.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/staging/most/Kconfig",
"drivers/staging/most/Makefile",
"drivers/staging/most/i2c/Kconfig",
"drivers/staging/most/i2c/Makefile",
"drivers/staging/most/i2c/i2c.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6cbba922934805f86eece6ba7010b7201962695d",
"status": "affected",
"version": "723de0f9171eeb49a3ae98cae82ebbbb992b3a7c",
"versionType": "git"
},
{
"lessThan": "6059a66dba7f26b21852831432e17075f1a1c783",
"status": "affected",
"version": "723de0f9171eeb49a3ae98cae82ebbbb992b3a7c",
"versionType": "git"
},
{
"lessThan": "e463548fd80e779efea1cb2d3049b8a7231e6925",
"status": "affected",
"version": "723de0f9171eeb49a3ae98cae82ebbbb992b3a7c",
"versionType": "git"
},
{
"lessThan": "495df2da6944477d282d5cc0c13174d06e25b310",
"status": "affected",
"version": "723de0f9171eeb49a3ae98cae82ebbbb992b3a7c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/staging/most/Kconfig",
"drivers/staging/most/Makefile",
"drivers/staging/most/i2c/Kconfig",
"drivers/staging/most/i2c/Makefile",
"drivers/staging/most/i2c/i2c.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: most: remove broken i2c driver\n\nThe MOST I2C driver has been completely broken for five years without\nanyone noticing so remove the driver from staging.\n\nSpecifically, commit 723de0f9171e (\"staging: most: remove device from\ninterface structure\") started requiring drivers to set the interface\ndevice pointer before registration, but the I2C driver was never updated\nwhich results in a NULL pointer dereference if anyone ever tries to\nprobe it."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:32:59.408Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6cbba922934805f86eece6ba7010b7201962695d"
},
{
"url": "https://git.kernel.org/stable/c/6059a66dba7f26b21852831432e17075f1a1c783"
},
{
"url": "https://git.kernel.org/stable/c/e463548fd80e779efea1cb2d3049b8a7231e6925"
},
{
"url": "https://git.kernel.org/stable/c/495df2da6944477d282d5cc0c13174d06e25b310"
}
],
"title": "staging: most: remove broken i2c driver",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68755",
"datePublished": "2026-01-05T09:32:29.149Z",
"dateReserved": "2025-12-24T10:30:51.033Z",
"dateUpdated": "2026-02-09T08:32:59.408Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23063 (GCVE-0-2026-23063)
Vulnerability from cvelistv5
Published
2026-02-04 16:07
Modified
2026-02-09 08:38
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
uacce: ensure safe queue release with state management
Directly calling `put_queue` carries risks since it cannot
guarantee that resources of `uacce_queue` have been fully released
beforehand. So adding a `stop_queue` operation for the
UACCE_CMD_PUT_Q command and leaving the `put_queue` operation to
the final resource release ensures safety.
Queue states are defined as follows:
- UACCE_Q_ZOMBIE: Initial state
- UACCE_Q_INIT: After opening `uacce`
- UACCE_Q_STARTED: After `start` is issued via `ioctl`
When executing `poweroff -f` in virt while accelerator are still
working, `uacce_fops_release` and `uacce_remove` may execute
concurrently. This can cause `uacce_put_queue` within
`uacce_fops_release` to access a NULL `ops` pointer. Therefore, add
state checks to prevent accessing freed pointers.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 015d239ac0142ad0e26567fd890ef8d171f13709 Version: 015d239ac0142ad0e26567fd890ef8d171f13709 Version: 015d239ac0142ad0e26567fd890ef8d171f13709 Version: 015d239ac0142ad0e26567fd890ef8d171f13709 Version: 015d239ac0142ad0e26567fd890ef8d171f13709 Version: 015d239ac0142ad0e26567fd890ef8d171f13709 Version: 015d239ac0142ad0e26567fd890ef8d171f13709 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/misc/uacce/uacce.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b457abeb5d962db88aaf60e249402fd3073dbfab",
"status": "affected",
"version": "015d239ac0142ad0e26567fd890ef8d171f13709",
"versionType": "git"
},
{
"lessThan": "8b57bf1d3b1db692f34bce694a03e41be79f6016",
"status": "affected",
"version": "015d239ac0142ad0e26567fd890ef8d171f13709",
"versionType": "git"
},
{
"lessThan": "336fb41a186e7c0415ae94fec9e23d1f04b87483",
"status": "affected",
"version": "015d239ac0142ad0e26567fd890ef8d171f13709",
"versionType": "git"
},
{
"lessThan": "43f233eb6e7b9d88536881a9bc43726d0e34800d",
"status": "affected",
"version": "015d239ac0142ad0e26567fd890ef8d171f13709",
"versionType": "git"
},
{
"lessThan": "47634d70073890c9c37e39ab4ff93d4b585b028a",
"status": "affected",
"version": "015d239ac0142ad0e26567fd890ef8d171f13709",
"versionType": "git"
},
{
"lessThan": "92e4f11e29b98ef424ff72d6371acac03e5d973c",
"status": "affected",
"version": "015d239ac0142ad0e26567fd890ef8d171f13709",
"versionType": "git"
},
{
"lessThan": "26c08dabe5475d99a13f353d8dd70e518de45663",
"status": "affected",
"version": "015d239ac0142ad0e26567fd890ef8d171f13709",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/misc/uacce/uacce.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nuacce: ensure safe queue release with state management\n\nDirectly calling `put_queue` carries risks since it cannot\nguarantee that resources of `uacce_queue` have been fully released\nbeforehand. So adding a `stop_queue` operation for the\nUACCE_CMD_PUT_Q command and leaving the `put_queue` operation to\nthe final resource release ensures safety.\n\nQueue states are defined as follows:\n- UACCE_Q_ZOMBIE: Initial state\n- UACCE_Q_INIT: After opening `uacce`\n- UACCE_Q_STARTED: After `start` is issued via `ioctl`\n\nWhen executing `poweroff -f` in virt while accelerator are still\nworking, `uacce_fops_release` and `uacce_remove` may execute\nconcurrently. This can cause `uacce_put_queue` within\n`uacce_fops_release` to access a NULL `ops` pointer. Therefore, add\nstate checks to prevent accessing freed pointers."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:38:02.269Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b457abeb5d962db88aaf60e249402fd3073dbfab"
},
{
"url": "https://git.kernel.org/stable/c/8b57bf1d3b1db692f34bce694a03e41be79f6016"
},
{
"url": "https://git.kernel.org/stable/c/336fb41a186e7c0415ae94fec9e23d1f04b87483"
},
{
"url": "https://git.kernel.org/stable/c/43f233eb6e7b9d88536881a9bc43726d0e34800d"
},
{
"url": "https://git.kernel.org/stable/c/47634d70073890c9c37e39ab4ff93d4b585b028a"
},
{
"url": "https://git.kernel.org/stable/c/92e4f11e29b98ef424ff72d6371acac03e5d973c"
},
{
"url": "https://git.kernel.org/stable/c/26c08dabe5475d99a13f353d8dd70e518de45663"
}
],
"title": "uacce: ensure safe queue release with state management",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23063",
"datePublished": "2026-02-04T16:07:45.426Z",
"dateReserved": "2026-01-13T15:37:45.953Z",
"dateUpdated": "2026-02-09T08:38:02.269Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23071 (GCVE-0-2026-23071)
Vulnerability from cvelistv5
Published
2026-02-04 16:07
Modified
2026-02-09 08:38
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
regmap: Fix race condition in hwspinlock irqsave routine
Previously, the address of the shared member '&map->spinlock_flags' was
passed directly to 'hwspin_lock_timeout_irqsave'. This creates a race
condition where multiple contexts contending for the lock could overwrite
the shared flags variable, potentially corrupting the state for the
current lock owner.
Fix this by using a local stack variable 'flags' to store the IRQ state
temporarily.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 8698b9364710e7bac84b3af07dd410e39c8c2e08 Version: 8698b9364710e7bac84b3af07dd410e39c8c2e08 Version: 8698b9364710e7bac84b3af07dd410e39c8c2e08 Version: 8698b9364710e7bac84b3af07dd410e39c8c2e08 Version: 8698b9364710e7bac84b3af07dd410e39c8c2e08 Version: 8698b9364710e7bac84b3af07dd410e39c8c2e08 Version: 8698b9364710e7bac84b3af07dd410e39c8c2e08 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/base/regmap/regmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e1a7072bc4f958c9e852dc7e57e39f12b0bb44b5",
"status": "affected",
"version": "8698b9364710e7bac84b3af07dd410e39c8c2e08",
"versionType": "git"
},
{
"lessThan": "766e243ae8c8b27087a4cc605752c0d5ee2daeab",
"status": "affected",
"version": "8698b9364710e7bac84b3af07dd410e39c8c2e08",
"versionType": "git"
},
{
"lessThan": "f1e2fe26a51eca95b41420af76d22c2e613efd5e",
"status": "affected",
"version": "8698b9364710e7bac84b3af07dd410e39c8c2e08",
"versionType": "git"
},
{
"lessThan": "24f31be6ad70537fd7706269d99c92cade465a09",
"status": "affected",
"version": "8698b9364710e7bac84b3af07dd410e39c8c2e08",
"versionType": "git"
},
{
"lessThan": "4aab0ca0a0f7760e33edcb4e47576064d05128f5",
"status": "affected",
"version": "8698b9364710e7bac84b3af07dd410e39c8c2e08",
"versionType": "git"
},
{
"lessThan": "c2d2cf710dc3ee1a69e00b4ed8de607a92a07889",
"status": "affected",
"version": "8698b9364710e7bac84b3af07dd410e39c8c2e08",
"versionType": "git"
},
{
"lessThan": "4b58aac989c1e3fafb1c68a733811859df388250",
"status": "affected",
"version": "8698b9364710e7bac84b3af07dd410e39c8c2e08",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/base/regmap/regmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nregmap: Fix race condition in hwspinlock irqsave routine\n\nPreviously, the address of the shared member \u0027\u0026map-\u003espinlock_flags\u0027 was\npassed directly to \u0027hwspin_lock_timeout_irqsave\u0027. This creates a race\ncondition where multiple contexts contending for the lock could overwrite\nthe shared flags variable, potentially corrupting the state for the\ncurrent lock owner.\n\nFix this by using a local stack variable \u0027flags\u0027 to store the IRQ state\ntemporarily."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:38:10.426Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e1a7072bc4f958c9e852dc7e57e39f12b0bb44b5"
},
{
"url": "https://git.kernel.org/stable/c/766e243ae8c8b27087a4cc605752c0d5ee2daeab"
},
{
"url": "https://git.kernel.org/stable/c/f1e2fe26a51eca95b41420af76d22c2e613efd5e"
},
{
"url": "https://git.kernel.org/stable/c/24f31be6ad70537fd7706269d99c92cade465a09"
},
{
"url": "https://git.kernel.org/stable/c/4aab0ca0a0f7760e33edcb4e47576064d05128f5"
},
{
"url": "https://git.kernel.org/stable/c/c2d2cf710dc3ee1a69e00b4ed8de607a92a07889"
},
{
"url": "https://git.kernel.org/stable/c/4b58aac989c1e3fafb1c68a733811859df388250"
}
],
"title": "regmap: Fix race condition in hwspinlock irqsave routine",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23071",
"datePublished": "2026-02-04T16:07:51.603Z",
"dateReserved": "2026-01-13T15:37:45.955Z",
"dateUpdated": "2026-02-09T08:38:10.426Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39996 (GCVE-0-2025-39996)
Vulnerability from cvelistv5
Published
2025-10-15 07:58
Modified
2025-12-01 06:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: b2c2: Fix use-after-free causing by irq_check_work in flexcop_pci_remove
The original code uses cancel_delayed_work() in flexcop_pci_remove(), which
does not guarantee that the delayed work item irq_check_work has fully
completed if it was already running. This leads to use-after-free scenarios
where flexcop_pci_remove() may free the flexcop_device while irq_check_work
is still active and attempts to dereference the device.
A typical race condition is illustrated below:
CPU 0 (remove) | CPU 1 (delayed work callback)
flexcop_pci_remove() | flexcop_pci_irq_check_work()
cancel_delayed_work() |
flexcop_device_kfree(fc_pci->fc_dev) |
| fc = fc_pci->fc_dev; // UAF
This is confirmed by a KASAN report:
==================================================================
BUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x7d7/0x8c0
Write of size 8 at addr ffff8880093aa8c8 by task bash/135
...
Call Trace:
<IRQ>
dump_stack_lvl+0x55/0x70
print_report+0xcf/0x610
? __run_timer_base.part.0+0x7d7/0x8c0
kasan_report+0xb8/0xf0
? __run_timer_base.part.0+0x7d7/0x8c0
__run_timer_base.part.0+0x7d7/0x8c0
? __pfx___run_timer_base.part.0+0x10/0x10
? __pfx_read_tsc+0x10/0x10
? ktime_get+0x60/0x140
? lapic_next_event+0x11/0x20
? clockevents_program_event+0x1d4/0x2a0
run_timer_softirq+0xd1/0x190
handle_softirqs+0x16a/0x550
irq_exit_rcu+0xaf/0xe0
sysvec_apic_timer_interrupt+0x70/0x80
</IRQ>
...
Allocated by task 1:
kasan_save_stack+0x24/0x50
kasan_save_track+0x14/0x30
__kasan_kmalloc+0x7f/0x90
__kmalloc_noprof+0x1be/0x460
flexcop_device_kmalloc+0x54/0xe0
flexcop_pci_probe+0x1f/0x9d0
local_pci_probe+0xdc/0x190
pci_device_probe+0x2fe/0x470
really_probe+0x1ca/0x5c0
__driver_probe_device+0x248/0x310
driver_probe_device+0x44/0x120
__driver_attach+0xd2/0x310
bus_for_each_dev+0xed/0x170
bus_add_driver+0x208/0x500
driver_register+0x132/0x460
do_one_initcall+0x89/0x300
kernel_init_freeable+0x40d/0x720
kernel_init+0x1a/0x150
ret_from_fork+0x10c/0x1a0
ret_from_fork_asm+0x1a/0x30
Freed by task 135:
kasan_save_stack+0x24/0x50
kasan_save_track+0x14/0x30
kasan_save_free_info+0x3a/0x60
__kasan_slab_free+0x3f/0x50
kfree+0x137/0x370
flexcop_device_kfree+0x32/0x50
pci_device_remove+0xa6/0x1d0
device_release_driver_internal+0xf8/0x210
pci_stop_bus_device+0x105/0x150
pci_stop_and_remove_bus_device_locked+0x15/0x30
remove_store+0xcc/0xe0
kernfs_fop_write_iter+0x2c3/0x440
vfs_write+0x871/0xd70
ksys_write+0xee/0x1c0
do_syscall_64+0xac/0x280
entry_SYSCALL_64_after_hwframe+0x77/0x7f
...
Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure
that the delayed work item is properly canceled and any executing delayed
work has finished before the device memory is deallocated.
This bug was initially identified through static analysis. To reproduce
and test it, I simulated the B2C2 FlexCop PCI device in QEMU and introduced
artificial delays within the flexcop_pci_irq_check_work() function to
increase the likelihood of triggering the bug.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 382c5546d618f24dc7d6ae7ca33412083720efbf Version: 382c5546d618f24dc7d6ae7ca33412083720efbf Version: 382c5546d618f24dc7d6ae7ca33412083720efbf Version: 382c5546d618f24dc7d6ae7ca33412083720efbf Version: 382c5546d618f24dc7d6ae7ca33412083720efbf Version: 382c5546d618f24dc7d6ae7ca33412083720efbf Version: 382c5546d618f24dc7d6ae7ca33412083720efbf Version: 382c5546d618f24dc7d6ae7ca33412083720efbf Version: 382c5546d618f24dc7d6ae7ca33412083720efbf |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/pci/b2c2/flexcop-pci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "607010d07b8a509b01ed15ea12744acac6536a98",
"status": "affected",
"version": "382c5546d618f24dc7d6ae7ca33412083720efbf",
"versionType": "git"
},
{
"lessThan": "bde8173def374230226e8554efb51b271f4066ec",
"status": "affected",
"version": "382c5546d618f24dc7d6ae7ca33412083720efbf",
"versionType": "git"
},
{
"lessThan": "120e221b4bbe9d0f6c09b5c4dc53ca4ad91d956b",
"status": "affected",
"version": "382c5546d618f24dc7d6ae7ca33412083720efbf",
"versionType": "git"
},
{
"lessThan": "d502df8a716d993fa0f9d8c00684f1190750e28e",
"status": "affected",
"version": "382c5546d618f24dc7d6ae7ca33412083720efbf",
"versionType": "git"
},
{
"lessThan": "bb10a9ddc8d6c5dbf098f21eb1055a652652e524",
"status": "affected",
"version": "382c5546d618f24dc7d6ae7ca33412083720efbf",
"versionType": "git"
},
{
"lessThan": "514a519baa9e2be7ddc2714bd730bc5a883e1244",
"status": "affected",
"version": "382c5546d618f24dc7d6ae7ca33412083720efbf",
"versionType": "git"
},
{
"lessThan": "3ffabc79388e68877d9c02f724a0b7a38d519daf",
"status": "affected",
"version": "382c5546d618f24dc7d6ae7ca33412083720efbf",
"versionType": "git"
},
{
"lessThan": "6a92f5796880f5aa345f0fed53ef511e3fd6f706",
"status": "affected",
"version": "382c5546d618f24dc7d6ae7ca33412083720efbf",
"versionType": "git"
},
{
"lessThan": "01e03fb7db419d39e18d6090d4873c1bff103914",
"status": "affected",
"version": "382c5546d618f24dc7d6ae7ca33412083720efbf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/pci/b2c2/flexcop-pci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.29"
},
{
"lessThan": "2.6.29",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.51",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.110",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.51",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.11",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.1",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.29",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: b2c2: Fix use-after-free causing by irq_check_work in flexcop_pci_remove\n\nThe original code uses cancel_delayed_work() in flexcop_pci_remove(), which\ndoes not guarantee that the delayed work item irq_check_work has fully\ncompleted if it was already running. This leads to use-after-free scenarios\nwhere flexcop_pci_remove() may free the flexcop_device while irq_check_work\nis still active and attempts to dereference the device.\n\nA typical race condition is illustrated below:\n\nCPU 0 (remove) | CPU 1 (delayed work callback)\nflexcop_pci_remove() | flexcop_pci_irq_check_work()\n cancel_delayed_work() |\n flexcop_device_kfree(fc_pci-\u003efc_dev) |\n | fc = fc_pci-\u003efc_dev; // UAF\n\nThis is confirmed by a KASAN report:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x7d7/0x8c0\nWrite of size 8 at addr ffff8880093aa8c8 by task bash/135\n...\nCall Trace:\n \u003cIRQ\u003e\n dump_stack_lvl+0x55/0x70\n print_report+0xcf/0x610\n ? __run_timer_base.part.0+0x7d7/0x8c0\n kasan_report+0xb8/0xf0\n ? __run_timer_base.part.0+0x7d7/0x8c0\n __run_timer_base.part.0+0x7d7/0x8c0\n ? __pfx___run_timer_base.part.0+0x10/0x10\n ? __pfx_read_tsc+0x10/0x10\n ? ktime_get+0x60/0x140\n ? lapic_next_event+0x11/0x20\n ? clockevents_program_event+0x1d4/0x2a0\n run_timer_softirq+0xd1/0x190\n handle_softirqs+0x16a/0x550\n irq_exit_rcu+0xaf/0xe0\n sysvec_apic_timer_interrupt+0x70/0x80\n \u003c/IRQ\u003e\n...\n\nAllocated by task 1:\n kasan_save_stack+0x24/0x50\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0x7f/0x90\n __kmalloc_noprof+0x1be/0x460\n flexcop_device_kmalloc+0x54/0xe0\n flexcop_pci_probe+0x1f/0x9d0\n local_pci_probe+0xdc/0x190\n pci_device_probe+0x2fe/0x470\n really_probe+0x1ca/0x5c0\n __driver_probe_device+0x248/0x310\n driver_probe_device+0x44/0x120\n __driver_attach+0xd2/0x310\n bus_for_each_dev+0xed/0x170\n bus_add_driver+0x208/0x500\n driver_register+0x132/0x460\n do_one_initcall+0x89/0x300\n kernel_init_freeable+0x40d/0x720\n kernel_init+0x1a/0x150\n ret_from_fork+0x10c/0x1a0\n ret_from_fork_asm+0x1a/0x30\n\nFreed by task 135:\n kasan_save_stack+0x24/0x50\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3a/0x60\n __kasan_slab_free+0x3f/0x50\n kfree+0x137/0x370\n flexcop_device_kfree+0x32/0x50\n pci_device_remove+0xa6/0x1d0\n device_release_driver_internal+0xf8/0x210\n pci_stop_bus_device+0x105/0x150\n pci_stop_and_remove_bus_device_locked+0x15/0x30\n remove_store+0xcc/0xe0\n kernfs_fop_write_iter+0x2c3/0x440\n vfs_write+0x871/0xd70\n ksys_write+0xee/0x1c0\n do_syscall_64+0xac/0x280\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n...\n\nReplace cancel_delayed_work() with cancel_delayed_work_sync() to ensure\nthat the delayed work item is properly canceled and any executing delayed\nwork has finished before the device memory is deallocated.\n\nThis bug was initially identified through static analysis. To reproduce\nand test it, I simulated the B2C2 FlexCop PCI device in QEMU and introduced\nartificial delays within the flexcop_pci_irq_check_work() function to\nincrease the likelihood of triggering the bug."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:16:07.519Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/607010d07b8a509b01ed15ea12744acac6536a98"
},
{
"url": "https://git.kernel.org/stable/c/bde8173def374230226e8554efb51b271f4066ec"
},
{
"url": "https://git.kernel.org/stable/c/120e221b4bbe9d0f6c09b5c4dc53ca4ad91d956b"
},
{
"url": "https://git.kernel.org/stable/c/d502df8a716d993fa0f9d8c00684f1190750e28e"
},
{
"url": "https://git.kernel.org/stable/c/bb10a9ddc8d6c5dbf098f21eb1055a652652e524"
},
{
"url": "https://git.kernel.org/stable/c/514a519baa9e2be7ddc2714bd730bc5a883e1244"
},
{
"url": "https://git.kernel.org/stable/c/3ffabc79388e68877d9c02f724a0b7a38d519daf"
},
{
"url": "https://git.kernel.org/stable/c/6a92f5796880f5aa345f0fed53ef511e3fd6f706"
},
{
"url": "https://git.kernel.org/stable/c/01e03fb7db419d39e18d6090d4873c1bff103914"
}
],
"title": "media: b2c2: Fix use-after-free causing by irq_check_work in flexcop_pci_remove",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39996",
"datePublished": "2025-10-15T07:58:21.049Z",
"dateReserved": "2025-04-16T07:20:57.151Z",
"dateUpdated": "2025-12-01T06:16:07.519Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68369 (GCVE-0-2025-68369)
Vulnerability from cvelistv5
Published
2025-12-24 10:32
Modified
2026-02-09 08:32
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ntfs3: init run lock for extend inode
After setting the inode mode of $Extend to a regular file, executing the
truncate system call will enter the do_truncate() routine, causing the
run_lock uninitialized error reported by syzbot.
Prior to patch 4e8011ffec79, if the inode mode of $Extend was not set to
a regular file, the do_truncate() routine would not be entered.
Add the run_lock initialization when loading $Extend.
syzbot reported:
INFO: trying to register non-static key.
Call Trace:
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
assign_lock_key+0x133/0x150 kernel/locking/lockdep.c:984
register_lock_class+0x105/0x320 kernel/locking/lockdep.c:1299
__lock_acquire+0x99/0xd20 kernel/locking/lockdep.c:5112
lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868
down_write+0x96/0x1f0 kernel/locking/rwsem.c:1590
ntfs_set_size+0x140/0x200 fs/ntfs3/inode.c:860
ntfs_extend+0x1d9/0x970 fs/ntfs3/file.c:387
ntfs_setattr+0x2e8/0xbe0 fs/ntfs3/file.c:808
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 63eb6730ce0604d3eacf036c2f68ea70b068317c Version: 78d46f5276ed3589aaaa435580068c5b62efc921 Version: 17249b2a65274f73ed68bcd1604e08a60fd8a278 Version: 37f65e68ba9852dc51c78dbb54a9881c3f0fe4f7 Version: 57534db1bbc4ca772393bb7d92e69d5e7b9051cf Version: 4e8011ffec79717e5fdac43a7e79faf811a384b7 Version: 4e8011ffec79717e5fdac43a7e79faf811a384b7 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "79c8a77b1782e2ace96d063be3c41ba540d1e20a",
"status": "affected",
"version": "63eb6730ce0604d3eacf036c2f68ea70b068317c",
"versionType": "git"
},
{
"lessThan": "433d1f7c628c3cbdd7efce064d6c7acd072cf6c4",
"status": "affected",
"version": "78d46f5276ed3589aaaa435580068c5b62efc921",
"versionType": "git"
},
{
"lessThan": "907bf69c6b6ce5d038eec7a599d67b45b62624bc",
"status": "affected",
"version": "17249b2a65274f73ed68bcd1604e08a60fd8a278",
"versionType": "git"
},
{
"lessThan": "6e17555728bc469d484c59db4a0abc65c19bc315",
"status": "affected",
"version": "37f65e68ba9852dc51c78dbb54a9881c3f0fe4f7",
"versionType": "git"
},
{
"lessThan": "19164d8228317f3f1fe2662a9ba587cfe3b2d29e",
"status": "affected",
"version": "57534db1bbc4ca772393bb7d92e69d5e7b9051cf",
"versionType": "git"
},
{
"lessThan": "ab5e8ebeee1caa4fcf8be7d8d62c0a7165469076",
"status": "affected",
"version": "4e8011ffec79717e5fdac43a7e79faf811a384b7",
"versionType": "git"
},
{
"lessThan": "be99c62ac7e7af514e4b13f83c891a3cccefaa48",
"status": "affected",
"version": "4e8011ffec79717e5fdac43a7e79faf811a384b7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.15.197",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "6.1.159",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.6.117",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "6.12.58",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.17.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nntfs3: init run lock for extend inode\n\nAfter setting the inode mode of $Extend to a regular file, executing the\ntruncate system call will enter the do_truncate() routine, causing the\nrun_lock uninitialized error reported by syzbot.\n\nPrior to patch 4e8011ffec79, if the inode mode of $Extend was not set to\na regular file, the do_truncate() routine would not be entered.\n\nAdd the run_lock initialization when loading $Extend.\n\nsyzbot reported:\nINFO: trying to register non-static key.\nCall Trace:\n dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120\n assign_lock_key+0x133/0x150 kernel/locking/lockdep.c:984\n register_lock_class+0x105/0x320 kernel/locking/lockdep.c:1299\n __lock_acquire+0x99/0xd20 kernel/locking/lockdep.c:5112\n lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868\n down_write+0x96/0x1f0 kernel/locking/rwsem.c:1590\n ntfs_set_size+0x140/0x200 fs/ntfs3/inode.c:860\n ntfs_extend+0x1d9/0x970 fs/ntfs3/file.c:387\n ntfs_setattr+0x2e8/0xbe0 fs/ntfs3/file.c:808"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:32:06.264Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/79c8a77b1782e2ace96d063be3c41ba540d1e20a"
},
{
"url": "https://git.kernel.org/stable/c/433d1f7c628c3cbdd7efce064d6c7acd072cf6c4"
},
{
"url": "https://git.kernel.org/stable/c/907bf69c6b6ce5d038eec7a599d67b45b62624bc"
},
{
"url": "https://git.kernel.org/stable/c/6e17555728bc469d484c59db4a0abc65c19bc315"
},
{
"url": "https://git.kernel.org/stable/c/19164d8228317f3f1fe2662a9ba587cfe3b2d29e"
},
{
"url": "https://git.kernel.org/stable/c/ab5e8ebeee1caa4fcf8be7d8d62c0a7165469076"
},
{
"url": "https://git.kernel.org/stable/c/be99c62ac7e7af514e4b13f83c891a3cccefaa48"
}
],
"title": "ntfs3: init run lock for extend inode",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68369",
"datePublished": "2025-12-24T10:32:55.440Z",
"dateReserved": "2025-12-16T14:48:05.309Z",
"dateUpdated": "2026-02-09T08:32:06.264Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40188 (GCVE-0-2025-40188)
Vulnerability from cvelistv5
Published
2025-11-12 21:56
Modified
2025-12-01 06:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
pwm: berlin: Fix wrong register in suspend/resume
The 'enable' register should be BERLIN_PWM_EN rather than
BERLIN_PWM_ENABLE, otherwise, the driver accesses wrong address, there
will be cpu exception then kernel panic during suspend/resume.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: bbf0722c1c663b08f612bd8c58af27f45aa84862 Version: bbf0722c1c663b08f612bd8c58af27f45aa84862 Version: bbf0722c1c663b08f612bd8c58af27f45aa84862 Version: bbf0722c1c663b08f612bd8c58af27f45aa84862 Version: bbf0722c1c663b08f612bd8c58af27f45aa84862 Version: bbf0722c1c663b08f612bd8c58af27f45aa84862 Version: bbf0722c1c663b08f612bd8c58af27f45aa84862 Version: bbf0722c1c663b08f612bd8c58af27f45aa84862 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pwm/pwm-berlin.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "da3cadb8b0f35d845b3e2fbb7d978cf6473fd221",
"status": "affected",
"version": "bbf0722c1c663b08f612bd8c58af27f45aa84862",
"versionType": "git"
},
{
"lessThan": "5419c86ea134b8a5b8126f55fa5bc1ad7b3ca444",
"status": "affected",
"version": "bbf0722c1c663b08f612bd8c58af27f45aa84862",
"versionType": "git"
},
{
"lessThan": "9ee5eb3d09217f115f63b7c102d110ccdb1b26af",
"status": "affected",
"version": "bbf0722c1c663b08f612bd8c58af27f45aa84862",
"versionType": "git"
},
{
"lessThan": "fd017aabd4273216ed4223f17991fc087163771f",
"status": "affected",
"version": "bbf0722c1c663b08f612bd8c58af27f45aa84862",
"versionType": "git"
},
{
"lessThan": "dc3a1c6237e7f8046e6d4109bcf1998452ccafad",
"status": "affected",
"version": "bbf0722c1c663b08f612bd8c58af27f45aa84862",
"versionType": "git"
},
{
"lessThan": "d9457e6258750692c3b27f80880a613178053c25",
"status": "affected",
"version": "bbf0722c1c663b08f612bd8c58af27f45aa84862",
"versionType": "git"
},
{
"lessThan": "6cef9e4425143b19742044c8a675335821fa1994",
"status": "affected",
"version": "bbf0722c1c663b08f612bd8c58af27f45aa84862",
"versionType": "git"
},
{
"lessThan": "3a4b9d027e4061766f618292df91760ea64a1fcc",
"status": "affected",
"version": "bbf0722c1c663b08f612bd8c58af27f45aa84862",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pwm/pwm-berlin.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.9"
},
{
"lessThan": "4.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npwm: berlin: Fix wrong register in suspend/resume\n\nThe \u0027enable\u0027 register should be BERLIN_PWM_EN rather than\nBERLIN_PWM_ENABLE, otherwise, the driver accesses wrong address, there\nwill be cpu exception then kernel panic during suspend/resume."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:19:46.987Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/da3cadb8b0f35d845b3e2fbb7d978cf6473fd221"
},
{
"url": "https://git.kernel.org/stable/c/5419c86ea134b8a5b8126f55fa5bc1ad7b3ca444"
},
{
"url": "https://git.kernel.org/stable/c/9ee5eb3d09217f115f63b7c102d110ccdb1b26af"
},
{
"url": "https://git.kernel.org/stable/c/fd017aabd4273216ed4223f17991fc087163771f"
},
{
"url": "https://git.kernel.org/stable/c/dc3a1c6237e7f8046e6d4109bcf1998452ccafad"
},
{
"url": "https://git.kernel.org/stable/c/d9457e6258750692c3b27f80880a613178053c25"
},
{
"url": "https://git.kernel.org/stable/c/6cef9e4425143b19742044c8a675335821fa1994"
},
{
"url": "https://git.kernel.org/stable/c/3a4b9d027e4061766f618292df91760ea64a1fcc"
}
],
"title": "pwm: berlin: Fix wrong register in suspend/resume",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40188",
"datePublished": "2025-11-12T21:56:30.108Z",
"dateReserved": "2025-04-16T07:20:57.177Z",
"dateUpdated": "2025-12-01T06:19:46.987Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71135 (GCVE-0-2025-71135)
Vulnerability from cvelistv5
Published
2026-01-14 15:07
Modified
2026-02-09 08:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
md/raid5: fix possible null-pointer dereferences in raid5_store_group_thread_cnt()
The variable mddev->private is first assigned to conf and then checked:
conf = mddev->private;
if (!conf) ...
If conf is NULL, then mddev->private is also NULL. In this case,
null-pointer dereferences can occur when calling raid5_quiesce():
raid5_quiesce(mddev, true);
raid5_quiesce(mddev, false);
since mddev->private is assigned to conf again in raid5_quiesce(), and conf
is dereferenced in several places, for example:
conf->quiesce = 0;
wake_up(&conf->wait_for_quiescent);
To fix this issue, the function should unlock mddev and return before
invoking raid5_quiesce() when conf is NULL, following the existing pattern
in raid5_change_consistency_policy().
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/raid5.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "20597b7229aea8b5bc45cd92097640257c7fc33b",
"status": "affected",
"version": "be19e6e4339d1579d5f2fae8ce4facf9521dbbfc",
"versionType": "git"
},
{
"lessThan": "e5abb6af905de6b2fead8a0b3f32ab0b81468a01",
"status": "affected",
"version": "fa1944bbe6220eb929e2c02e5e8706b908565711",
"versionType": "git"
},
{
"lessThan": "7ad6ef91d8745d04aff9cce7bdbc6320d8e05fe9",
"status": "affected",
"version": "fa1944bbe6220eb929e2c02e5e8706b908565711",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/raid5.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.13"
},
{
"lessThan": "6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.12.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid5: fix possible null-pointer dereferences in raid5_store_group_thread_cnt()\n\nThe variable mddev-\u003eprivate is first assigned to conf and then checked:\n\n conf = mddev-\u003eprivate;\n if (!conf) ...\n\nIf conf is NULL, then mddev-\u003eprivate is also NULL. In this case,\nnull-pointer dereferences can occur when calling raid5_quiesce():\n\n raid5_quiesce(mddev, true);\n raid5_quiesce(mddev, false);\n\nsince mddev-\u003eprivate is assigned to conf again in raid5_quiesce(), and conf\nis dereferenced in several places, for example:\n\n conf-\u003equiesce = 0;\n wake_up(\u0026conf-\u003ewait_for_quiescent);\n\nTo fix this issue, the function should unlock mddev and return before\ninvoking raid5_quiesce() when conf is NULL, following the existing pattern\nin raid5_change_consistency_policy()."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:31.701Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/20597b7229aea8b5bc45cd92097640257c7fc33b"
},
{
"url": "https://git.kernel.org/stable/c/e5abb6af905de6b2fead8a0b3f32ab0b81468a01"
},
{
"url": "https://git.kernel.org/stable/c/7ad6ef91d8745d04aff9cce7bdbc6320d8e05fe9"
}
],
"title": "md/raid5: fix possible null-pointer dereferences in raid5_store_group_thread_cnt()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71135",
"datePublished": "2026-01-14T15:07:49.891Z",
"dateReserved": "2026-01-13T15:30:19.656Z",
"dateUpdated": "2026-02-09T08:35:31.701Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71199 (GCVE-0-2025-71199)
Vulnerability from cvelistv5
Published
2026-02-04 16:07
Modified
2026-02-09 08:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
iio: adc: at91-sama5d2_adc: Fix potential use-after-free in sama5d2_adc driver
at91_adc_interrupt can call at91_adc_touch_data_handler function
to start the work by schedule_work(&st->touch_st.workq).
If we remove the module which will call at91_adc_remove to
make cleanup, it will free indio_dev through iio_device_unregister but
quite a bit later. While the work mentioned above will be used. The
sequence of operations that may lead to a UAF bug is as follows:
CPU0 CPU1
| at91_adc_workq_handler
at91_adc_remove |
iio_device_unregister(indio_dev) |
//free indio_dev a bit later |
| iio_push_to_buffers(indio_dev)
| //use indio_dev
Fix it by ensuring that the work is canceled before proceeding with
the cleanup in at91_adc_remove.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 23ec2774f1cc168b1f32a2e0ed2709cb473bb94e Version: 23ec2774f1cc168b1f32a2e0ed2709cb473bb94e Version: 23ec2774f1cc168b1f32a2e0ed2709cb473bb94e Version: 23ec2774f1cc168b1f32a2e0ed2709cb473bb94e Version: 23ec2774f1cc168b1f32a2e0ed2709cb473bb94e Version: 23ec2774f1cc168b1f32a2e0ed2709cb473bb94e Version: 23ec2774f1cc168b1f32a2e0ed2709cb473bb94e |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iio/adc/at91-sama5d2_adc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4c83dd62595ee7b7c9298a4d19a256b6647e7240",
"status": "affected",
"version": "23ec2774f1cc168b1f32a2e0ed2709cb473bb94e",
"versionType": "git"
},
{
"lessThan": "fdc8c835c637a3473878d1e7438c77ab8928af63",
"status": "affected",
"version": "23ec2774f1cc168b1f32a2e0ed2709cb473bb94e",
"versionType": "git"
},
{
"lessThan": "919d176b05776c7ede79c36744c823a07d631617",
"status": "affected",
"version": "23ec2774f1cc168b1f32a2e0ed2709cb473bb94e",
"versionType": "git"
},
{
"lessThan": "9795fe80976f8c31cafda7d44edfc0f532d1f7c4",
"status": "affected",
"version": "23ec2774f1cc168b1f32a2e0ed2709cb473bb94e",
"versionType": "git"
},
{
"lessThan": "d7b6fc224c7f5d6d8adcb18037138d3cfe2bbdfe",
"status": "affected",
"version": "23ec2774f1cc168b1f32a2e0ed2709cb473bb94e",
"versionType": "git"
},
{
"lessThan": "d890234a91570542c228a20f132ce74f9fedd904",
"status": "affected",
"version": "23ec2774f1cc168b1f32a2e0ed2709cb473bb94e",
"versionType": "git"
},
{
"lessThan": "dbdb442218cd9d613adeab31a88ac973f22c4873",
"status": "affected",
"version": "23ec2774f1cc168b1f32a2e0ed2709cb473bb94e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iio/adc/at91-sama5d2_adc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: adc: at91-sama5d2_adc: Fix potential use-after-free in sama5d2_adc driver\n\nat91_adc_interrupt can call at91_adc_touch_data_handler function\nto start the work by schedule_work(\u0026st-\u003etouch_st.workq).\n\nIf we remove the module which will call at91_adc_remove to\nmake cleanup, it will free indio_dev through iio_device_unregister but\nquite a bit later. While the work mentioned above will be used. The\nsequence of operations that may lead to a UAF bug is as follows:\n\nCPU0 CPU1\n\n | at91_adc_workq_handler\nat91_adc_remove |\niio_device_unregister(indio_dev) |\n//free indio_dev a bit later |\n | iio_push_to_buffers(indio_dev)\n | //use indio_dev\n\nFix it by ensuring that the work is canceled before proceeding with\nthe cleanup in at91_adc_remove."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:24.948Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4c83dd62595ee7b7c9298a4d19a256b6647e7240"
},
{
"url": "https://git.kernel.org/stable/c/fdc8c835c637a3473878d1e7438c77ab8928af63"
},
{
"url": "https://git.kernel.org/stable/c/919d176b05776c7ede79c36744c823a07d631617"
},
{
"url": "https://git.kernel.org/stable/c/9795fe80976f8c31cafda7d44edfc0f532d1f7c4"
},
{
"url": "https://git.kernel.org/stable/c/d7b6fc224c7f5d6d8adcb18037138d3cfe2bbdfe"
},
{
"url": "https://git.kernel.org/stable/c/d890234a91570542c228a20f132ce74f9fedd904"
},
{
"url": "https://git.kernel.org/stable/c/dbdb442218cd9d613adeab31a88ac973f22c4873"
}
],
"title": "iio: adc: at91-sama5d2_adc: Fix potential use-after-free in sama5d2_adc driver",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71199",
"datePublished": "2026-02-04T16:07:34.062Z",
"dateReserved": "2026-01-31T11:36:51.192Z",
"dateUpdated": "2026-02-09T08:36:24.948Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71153 (GCVE-0-2025-71153)
Vulnerability from cvelistv5
Published
2026-01-23 14:25
Modified
2026-02-09 08:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: Fix memory leak in get_file_all_info()
In get_file_all_info(), if vfs_getattr() fails, the function returns
immediately without freeing the allocated filename, leading to a memory
leak.
Fix this by freeing the filename before returning in this error case.
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: c8f7ad2df083c510e640c0bf76166593cc116ff2 Version: 5614c8c487f6af627614dd2efca038e4afe0c6d7 Version: 5614c8c487f6af627614dd2efca038e4afe0c6d7 Version: 5614c8c487f6af627614dd2efca038e4afe0c6d7 Version: f9278ba4967027ad2bf001694f0e489c7bbae6d5 Version: 88779f09295d82b86601fe42595748488bf5e20c |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5012b4c812230ae066902a00442708c999111183",
"status": "affected",
"version": "c8f7ad2df083c510e640c0bf76166593cc116ff2",
"versionType": "git"
},
{
"lessThan": "676907004256e0226c7ed3691db9f431404ca258",
"status": "affected",
"version": "5614c8c487f6af627614dd2efca038e4afe0c6d7",
"versionType": "git"
},
{
"lessThan": "d026f47db68638521df8543535ef863814fb01b1",
"status": "affected",
"version": "5614c8c487f6af627614dd2efca038e4afe0c6d7",
"versionType": "git"
},
{
"lessThan": "0c56693b06a68476ba113db6347e7897475f9e4c",
"status": "affected",
"version": "5614c8c487f6af627614dd2efca038e4afe0c6d7",
"versionType": "git"
},
{
"status": "affected",
"version": "f9278ba4967027ad2bf001694f0e489c7bbae6d5",
"versionType": "git"
},
{
"status": "affected",
"version": "88779f09295d82b86601fe42595748488bf5e20c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.9"
},
{
"lessThan": "6.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.7.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.8.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: Fix memory leak in get_file_all_info()\n\nIn get_file_all_info(), if vfs_getattr() fails, the function returns\nimmediately without freeing the allocated filename, leading to a memory\nleak.\n\nFix this by freeing the filename before returning in this error case."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:50.707Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5012b4c812230ae066902a00442708c999111183"
},
{
"url": "https://git.kernel.org/stable/c/676907004256e0226c7ed3691db9f431404ca258"
},
{
"url": "https://git.kernel.org/stable/c/d026f47db68638521df8543535ef863814fb01b1"
},
{
"url": "https://git.kernel.org/stable/c/0c56693b06a68476ba113db6347e7897475f9e4c"
}
],
"title": "ksmbd: Fix memory leak in get_file_all_info()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71153",
"datePublished": "2026-01-23T14:25:52.988Z",
"dateReserved": "2026-01-13T15:30:19.662Z",
"dateUpdated": "2026-02-09T08:35:50.707Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68345 (GCVE-0-2025-68345)
Vulnerability from cvelistv5
Published
2025-12-24 10:32
Modified
2026-02-09 08:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_hda_read_acpi()
The acpi_get_first_physical_node() function can return NULL, in which
case the get_device() function also returns NULL, but this value is
then dereferenced without checking,so add a check to prevent a crash.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 7b2f3eb492dac7665c75df067e4d8e4869589f4a Version: 7b2f3eb492dac7665c75df067e4d8e4869589f4a Version: 7b2f3eb492dac7665c75df067e4d8e4869589f4a Version: 7b2f3eb492dac7665c75df067e4d8e4869589f4a Version: 7b2f3eb492dac7665c75df067e4d8e4869589f4a Version: 7b2f3eb492dac7665c75df067e4d8e4869589f4a |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/hda/codecs/side-codecs/cs35l41_hda.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e63f9c81ca28b06eeeac3630faddc50717897351",
"status": "affected",
"version": "7b2f3eb492dac7665c75df067e4d8e4869589f4a",
"versionType": "git"
},
{
"lessThan": "7a35a505d76a4b6cd426b59ff2d800d0394cc5d3",
"status": "affected",
"version": "7b2f3eb492dac7665c75df067e4d8e4869589f4a",
"versionType": "git"
},
{
"lessThan": "e6ba921b17797ccc545d80e0dbccb5fab91c248c",
"status": "affected",
"version": "7b2f3eb492dac7665c75df067e4d8e4869589f4a",
"versionType": "git"
},
{
"lessThan": "c28946b7409b7b68fb0481ec738c8b04578b11c6",
"status": "affected",
"version": "7b2f3eb492dac7665c75df067e4d8e4869589f4a",
"versionType": "git"
},
{
"lessThan": "343fa9800cf9870ec681e21f0a6f2157b74ae520",
"status": "affected",
"version": "7b2f3eb492dac7665c75df067e4d8e4869589f4a",
"versionType": "git"
},
{
"lessThan": "c34b04cc6178f33c08331568c7fd25c5b9a39f66",
"status": "affected",
"version": "7b2f3eb492dac7665c75df067e4d8e4869589f4a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/hda/codecs/side-codecs/cs35l41_hda.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_hda_read_acpi()\n\nThe acpi_get_first_physical_node() function can return NULL, in which\ncase the get_device() function also returns NULL, but this value is\nthen dereferenced without checking,so add a check to prevent a crash.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:31:34.000Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e63f9c81ca28b06eeeac3630faddc50717897351"
},
{
"url": "https://git.kernel.org/stable/c/7a35a505d76a4b6cd426b59ff2d800d0394cc5d3"
},
{
"url": "https://git.kernel.org/stable/c/e6ba921b17797ccc545d80e0dbccb5fab91c248c"
},
{
"url": "https://git.kernel.org/stable/c/c28946b7409b7b68fb0481ec738c8b04578b11c6"
},
{
"url": "https://git.kernel.org/stable/c/343fa9800cf9870ec681e21f0a6f2157b74ae520"
},
{
"url": "https://git.kernel.org/stable/c/c34b04cc6178f33c08331568c7fd25c5b9a39f66"
}
],
"title": "ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_hda_read_acpi()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68345",
"datePublished": "2025-12-24T10:32:38.378Z",
"dateReserved": "2025-12-16T14:48:05.299Z",
"dateUpdated": "2026-02-09T08:31:34.000Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68734 (GCVE-0-2025-68734)
Vulnerability from cvelistv5
Published
2025-12-24 10:58
Modified
2025-12-24 10:58
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
isdn: mISDN: hfcsusb: fix memory leak in hfcsusb_probe()
In hfcsusb_probe(), the memory allocated for ctrl_urb gets leaked when
setup_instance() fails with an error code. Fix that by freeing the urb
before freeing the hw structure. Also change the error paths to use the
goto ladder style.
Compile tested only. Issue found using a prototype static analysis tool.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 69f52adb2d534afc41fcc658f155e01f0b322f9e Version: 69f52adb2d534afc41fcc658f155e01f0b322f9e Version: 69f52adb2d534afc41fcc658f155e01f0b322f9e Version: 69f52adb2d534afc41fcc658f155e01f0b322f9e Version: 69f52adb2d534afc41fcc658f155e01f0b322f9e Version: 69f52adb2d534afc41fcc658f155e01f0b322f9e Version: 69f52adb2d534afc41fcc658f155e01f0b322f9e Version: 69f52adb2d534afc41fcc658f155e01f0b322f9e |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/isdn/hardware/mISDN/hfcsusb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "475032fa2bb82ffb592c321885e917e39f47357f",
"status": "affected",
"version": "69f52adb2d534afc41fcc658f155e01f0b322f9e",
"versionType": "git"
},
{
"lessThan": "adb7577e23a431fc53aa1b6107733c0d751015fb",
"status": "affected",
"version": "69f52adb2d534afc41fcc658f155e01f0b322f9e",
"versionType": "git"
},
{
"lessThan": "b70c24827e11fdc71465f9207e974526fb457bb9",
"status": "affected",
"version": "69f52adb2d534afc41fcc658f155e01f0b322f9e",
"versionType": "git"
},
{
"lessThan": "3f7c72bc73c4e542fde14cce017549d8a0b61a3c",
"status": "affected",
"version": "69f52adb2d534afc41fcc658f155e01f0b322f9e",
"versionType": "git"
},
{
"lessThan": "03695541b3349bc40bf5d6563d44d6147fb20260",
"status": "affected",
"version": "69f52adb2d534afc41fcc658f155e01f0b322f9e",
"versionType": "git"
},
{
"lessThan": "6dce43433e0635e7b00346bc937b69ce48ea71bb",
"status": "affected",
"version": "69f52adb2d534afc41fcc658f155e01f0b322f9e",
"versionType": "git"
},
{
"lessThan": "ea7936304ed74ab7f965d17f942a173ce91a5ca8",
"status": "affected",
"version": "69f52adb2d534afc41fcc658f155e01f0b322f9e",
"versionType": "git"
},
{
"lessThan": "3f978e3f1570155a1327ffa25f60968bc7b9398f",
"status": "affected",
"version": "69f52adb2d534afc41fcc658f155e01f0b322f9e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/isdn/hardware/mISDN/hfcsusb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.29"
},
{
"lessThan": "2.6.29",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.29",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nisdn: mISDN: hfcsusb: fix memory leak in hfcsusb_probe()\n\nIn hfcsusb_probe(), the memory allocated for ctrl_urb gets leaked when\nsetup_instance() fails with an error code. Fix that by freeing the urb\nbefore freeing the hw structure. Also change the error paths to use the\ngoto ladder style.\n\nCompile tested only. Issue found using a prototype static analysis tool."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:58:49.938Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/475032fa2bb82ffb592c321885e917e39f47357f"
},
{
"url": "https://git.kernel.org/stable/c/adb7577e23a431fc53aa1b6107733c0d751015fb"
},
{
"url": "https://git.kernel.org/stable/c/b70c24827e11fdc71465f9207e974526fb457bb9"
},
{
"url": "https://git.kernel.org/stable/c/3f7c72bc73c4e542fde14cce017549d8a0b61a3c"
},
{
"url": "https://git.kernel.org/stable/c/03695541b3349bc40bf5d6563d44d6147fb20260"
},
{
"url": "https://git.kernel.org/stable/c/6dce43433e0635e7b00346bc937b69ce48ea71bb"
},
{
"url": "https://git.kernel.org/stable/c/ea7936304ed74ab7f965d17f942a173ce91a5ca8"
},
{
"url": "https://git.kernel.org/stable/c/3f978e3f1570155a1327ffa25f60968bc7b9398f"
}
],
"title": "isdn: mISDN: hfcsusb: fix memory leak in hfcsusb_probe()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68734",
"datePublished": "2025-12-24T10:58:49.938Z",
"dateReserved": "2025-12-24T10:30:51.028Z",
"dateUpdated": "2025-12-24T10:58:49.938Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68770 (GCVE-0-2025-68770)
Vulnerability from cvelistv5
Published
2026-01-13 15:28
Modified
2026-02-09 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bnxt_en: Fix XDP_TX path
For XDP_TX action in bnxt_rx_xdp(), clearing of the event flags is not
correct. __bnxt_poll_work() -> bnxt_rx_pkt() -> bnxt_rx_xdp() may be
looping within NAPI and some event flags may be set in earlier
iterations. In particular, if BNXT_TX_EVENT is set earlier indicating
some XDP_TX packets are ready and pending, it will be cleared if it is
XDP_TX action again. Normally, we will set BNXT_TX_EVENT again when we
successfully call __bnxt_xmit_xdp(). But if the TX ring has no more
room, the flag will not be set. This will cause the TX producer to be
ahead but the driver will not hit the TX doorbell.
For multi-buf XDP_TX, there is no need to clear the event flags and set
BNXT_AGG_EVENT. The BNXT_AGG_EVENT flag should have been set earlier in
bnxt_rx_pkt().
The visible symptom of this is that the RX ring associated with the
TX XDP ring will eventually become empty and all packets will be dropped.
Because this condition will cause the driver to not refill the RX ring
seeing that the TX ring has forever pending XDP_TX packets.
The fix is to only clear BNXT_RX_EVENT when we have successfully
called __bnxt_xmit_xdp().
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4b83902a1e67ff327ab5c6c65021a03e72c081d6",
"status": "affected",
"version": "7f0a168b0441ef7fd6b46563efb2706c58ac2a4c",
"versionType": "git"
},
{
"lessThan": "f17e0c1208485b24d61271bc1ddc8f2087e71561",
"status": "affected",
"version": "7f0a168b0441ef7fd6b46563efb2706c58ac2a4c",
"versionType": "git"
},
{
"lessThan": "0373d5c387f24de749cc22e694a14b3a7c7eb515",
"status": "affected",
"version": "7f0a168b0441ef7fd6b46563efb2706c58ac2a4c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_en: Fix XDP_TX path\n\nFor XDP_TX action in bnxt_rx_xdp(), clearing of the event flags is not\ncorrect. __bnxt_poll_work() -\u003e bnxt_rx_pkt() -\u003e bnxt_rx_xdp() may be\nlooping within NAPI and some event flags may be set in earlier\niterations. In particular, if BNXT_TX_EVENT is set earlier indicating\nsome XDP_TX packets are ready and pending, it will be cleared if it is\nXDP_TX action again. Normally, we will set BNXT_TX_EVENT again when we\nsuccessfully call __bnxt_xmit_xdp(). But if the TX ring has no more\nroom, the flag will not be set. This will cause the TX producer to be\nahead but the driver will not hit the TX doorbell.\n\nFor multi-buf XDP_TX, there is no need to clear the event flags and set\nBNXT_AGG_EVENT. The BNXT_AGG_EVENT flag should have been set earlier in\nbnxt_rx_pkt().\n\nThe visible symptom of this is that the RX ring associated with the\nTX XDP ring will eventually become empty and all packets will be dropped.\nBecause this condition will cause the driver to not refill the RX ring\nseeing that the TX ring has forever pending XDP_TX packets.\n\nThe fix is to only clear BNXT_RX_EVENT when we have successfully\ncalled __bnxt_xmit_xdp()."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:15.376Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4b83902a1e67ff327ab5c6c65021a03e72c081d6"
},
{
"url": "https://git.kernel.org/stable/c/f17e0c1208485b24d61271bc1ddc8f2087e71561"
},
{
"url": "https://git.kernel.org/stable/c/0373d5c387f24de749cc22e694a14b3a7c7eb515"
}
],
"title": "bnxt_en: Fix XDP_TX path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68770",
"datePublished": "2026-01-13T15:28:48.604Z",
"dateReserved": "2025-12-24T10:30:51.035Z",
"dateUpdated": "2026-02-09T08:33:15.376Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23047 (GCVE-0-2026-23047)
Vulnerability from cvelistv5
Published
2026-02-04 16:00
Modified
2026-02-09 08:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
libceph: make calc_target() set t->paused, not just clear it
Currently calc_target() clears t->paused if the request shouldn't be
paused anymore, but doesn't ever set t->paused even though it's able to
determine when the request should be paused. Setting t->paused is left
to __submit_request() which is fine for regular requests but doesn't
work for linger requests -- since __submit_request() doesn't operate
on linger requests, there is nowhere for lreq->t.paused to be set.
One consequence of this is that watches don't get reestablished on
paused -> unpaused transitions in cases where requests have been paused
long enough for the (paused) unwatch request to time out and for the
subsequent (re)watch request to enter the paused state. On top of the
watch not getting reestablished, rbd_reregister_watch() gets stuck with
rbd_dev->watch_mutex held:
rbd_register_watch
__rbd_register_watch
ceph_osdc_watch
linger_reg_commit_wait
It's waiting for lreq->reg_commit_wait to be completed, but for that to
happen the respective request needs to end up on need_resend_linger list
and be kicked when requests are unpaused. There is no chance for that
if the request in question is never marked paused in the first place.
The fact that rbd_dev->watch_mutex remains taken out forever then
prevents the image from getting unmapped -- "rbd unmap" would inevitably
hang in D state on an attempt to grab the mutex.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 922dab6134178cae317ae00de86376cba59f3147 Version: 922dab6134178cae317ae00de86376cba59f3147 Version: 922dab6134178cae317ae00de86376cba59f3147 Version: 922dab6134178cae317ae00de86376cba59f3147 Version: 922dab6134178cae317ae00de86376cba59f3147 Version: 922dab6134178cae317ae00de86376cba59f3147 Version: 922dab6134178cae317ae00de86376cba59f3147 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ceph/osd_client.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2b3329b3c29d9e188e40d902d5230c2d5989b940",
"status": "affected",
"version": "922dab6134178cae317ae00de86376cba59f3147",
"versionType": "git"
},
{
"lessThan": "5d0dc83cb9a69c1d0bea58f1c430199b05f6b021",
"status": "affected",
"version": "922dab6134178cae317ae00de86376cba59f3147",
"versionType": "git"
},
{
"lessThan": "4d3399c52e0e61720ae898f5a0b5b75d4460ae24",
"status": "affected",
"version": "922dab6134178cae317ae00de86376cba59f3147",
"versionType": "git"
},
{
"lessThan": "4ebc711b738d139cabe2fc9e7e7749847676a342",
"status": "affected",
"version": "922dab6134178cae317ae00de86376cba59f3147",
"versionType": "git"
},
{
"lessThan": "6f468f6ff233c6a81e0e761d9124e982903fe9a5",
"status": "affected",
"version": "922dab6134178cae317ae00de86376cba59f3147",
"versionType": "git"
},
{
"lessThan": "5647d42c47b535573b63e073e91164d6a5bb058c",
"status": "affected",
"version": "922dab6134178cae317ae00de86376cba59f3147",
"versionType": "git"
},
{
"lessThan": "c0fe2994f9a9d0a2ec9e42441ea5ba74b6a16176",
"status": "affected",
"version": "922dab6134178cae317ae00de86376cba59f3147",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ceph/osd_client.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.7"
},
{
"lessThan": "4.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: make calc_target() set t-\u003epaused, not just clear it\n\nCurrently calc_target() clears t-\u003epaused if the request shouldn\u0027t be\npaused anymore, but doesn\u0027t ever set t-\u003epaused even though it\u0027s able to\ndetermine when the request should be paused. Setting t-\u003epaused is left\nto __submit_request() which is fine for regular requests but doesn\u0027t\nwork for linger requests -- since __submit_request() doesn\u0027t operate\non linger requests, there is nowhere for lreq-\u003et.paused to be set.\nOne consequence of this is that watches don\u0027t get reestablished on\npaused -\u003e unpaused transitions in cases where requests have been paused\nlong enough for the (paused) unwatch request to time out and for the\nsubsequent (re)watch request to enter the paused state. On top of the\nwatch not getting reestablished, rbd_reregister_watch() gets stuck with\nrbd_dev-\u003ewatch_mutex held:\n\n rbd_register_watch\n __rbd_register_watch\n ceph_osdc_watch\n linger_reg_commit_wait\n\nIt\u0027s waiting for lreq-\u003ereg_commit_wait to be completed, but for that to\nhappen the respective request needs to end up on need_resend_linger list\nand be kicked when requests are unpaused. There is no chance for that\nif the request in question is never marked paused in the first place.\n\nThe fact that rbd_dev-\u003ewatch_mutex remains taken out forever then\nprevents the image from getting unmapped -- \"rbd unmap\" would inevitably\nhang in D state on an attempt to grab the mutex."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:37:42.355Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2b3329b3c29d9e188e40d902d5230c2d5989b940"
},
{
"url": "https://git.kernel.org/stable/c/5d0dc83cb9a69c1d0bea58f1c430199b05f6b021"
},
{
"url": "https://git.kernel.org/stable/c/4d3399c52e0e61720ae898f5a0b5b75d4460ae24"
},
{
"url": "https://git.kernel.org/stable/c/4ebc711b738d139cabe2fc9e7e7749847676a342"
},
{
"url": "https://git.kernel.org/stable/c/6f468f6ff233c6a81e0e761d9124e982903fe9a5"
},
{
"url": "https://git.kernel.org/stable/c/5647d42c47b535573b63e073e91164d6a5bb058c"
},
{
"url": "https://git.kernel.org/stable/c/c0fe2994f9a9d0a2ec9e42441ea5ba74b6a16176"
}
],
"title": "libceph: make calc_target() set t-\u003epaused, not just clear it",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23047",
"datePublished": "2026-02-04T16:00:29.475Z",
"dateReserved": "2026-01-13T15:37:45.944Z",
"dateUpdated": "2026-02-09T08:37:42.355Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68259 (GCVE-0-2025-68259)
Vulnerability from cvelistv5
Published
2025-12-16 14:45
Modified
2026-02-09 08:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: SVM: Don't skip unrelated instruction if INT3/INTO is replaced
When re-injecting a soft interrupt from an INT3, INT0, or (select) INTn
instruction, discard the exception and retry the instruction if the code
stream is changed (e.g. by a different vCPU) between when the CPU
executes the instruction and when KVM decodes the instruction to get the
next RIP.
As effectively predicted by commit 6ef88d6e36c2 ("KVM: SVM: Re-inject
INT3/INTO instead of retrying the instruction"), failure to verify that
the correct INTn instruction was decoded can effectively clobber guest
state due to decoding the wrong instruction and thus specifying the
wrong next RIP.
The bug most often manifests as "Oops: int3" panics on static branch
checks in Linux guests. Enabling or disabling a static branch in Linux
uses the kernel's "text poke" code patching mechanism. To modify code
while other CPUs may be executing that code, Linux (temporarily)
replaces the first byte of the original instruction with an int3 (opcode
0xcc), then patches in the new code stream except for the first byte,
and finally replaces the int3 with the first byte of the new code
stream. If a CPU hits the int3, i.e. executes the code while it's being
modified, then the guest kernel must look up the RIP to determine how to
handle the #BP, e.g. by emulating the new instruction. If the RIP is
incorrect, then this lookup fails and the guest kernel panics.
The bug reproduces almost instantly by hacking the guest kernel to
repeatedly check a static branch[1] while running a drgn script[2] on
the host to constantly swap out the memory containing the guest's TSS.
[1]: https://gist.github.com/osandov/44d17c51c28c0ac998ea0334edf90b5a
[2]: https://gist.github.com/osandov/10e45e45afa29b11e0c7209247afc00b
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 6ef88d6e36c2b4b3886ec9967cafabe4424d27d5 Version: 6ef88d6e36c2b4b3886ec9967cafabe4424d27d5 Version: 6ef88d6e36c2b4b3886ec9967cafabe4424d27d5 Version: 6ef88d6e36c2b4b3886ec9967cafabe4424d27d5 Version: 6ef88d6e36c2b4b3886ec9967cafabe4424d27d5 Version: 6ef88d6e36c2b4b3886ec9967cafabe4424d27d5 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/include/asm/kvm_host.h",
"arch/x86/kvm/svm/svm.c",
"arch/x86/kvm/x86.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2e84a018c2895c05abe213eb10db128aa45f6ec6",
"status": "affected",
"version": "6ef88d6e36c2b4b3886ec9967cafabe4424d27d5",
"versionType": "git"
},
{
"lessThan": "152289a51107ef45bbfe9b4aeeaa584a503042b5",
"status": "affected",
"version": "6ef88d6e36c2b4b3886ec9967cafabe4424d27d5",
"versionType": "git"
},
{
"lessThan": "87cc1622c88a4888959d64fa1fc9ba1e264aa3d4",
"status": "affected",
"version": "6ef88d6e36c2b4b3886ec9967cafabe4424d27d5",
"versionType": "git"
},
{
"lessThan": "54bcccc2c7805a00af1d7d2faffd6f424c0133aa",
"status": "affected",
"version": "6ef88d6e36c2b4b3886ec9967cafabe4424d27d5",
"versionType": "git"
},
{
"lessThan": "53903ac9ca1abffa27327e85075ec496fa55ccf3",
"status": "affected",
"version": "6ef88d6e36c2b4b3886ec9967cafabe4424d27d5",
"versionType": "git"
},
{
"lessThan": "4da3768e1820cf15cced390242d8789aed34f54d",
"status": "affected",
"version": "6ef88d6e36c2b4b3886ec9967cafabe4424d27d5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/include/asm/kvm_host.h",
"arch/x86/kvm/svm/svm.c",
"arch/x86/kvm/x86.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.62",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.62",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.12",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.1",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SVM: Don\u0027t skip unrelated instruction if INT3/INTO is replaced\n\nWhen re-injecting a soft interrupt from an INT3, INT0, or (select) INTn\ninstruction, discard the exception and retry the instruction if the code\nstream is changed (e.g. by a different vCPU) between when the CPU\nexecutes the instruction and when KVM decodes the instruction to get the\nnext RIP.\n\nAs effectively predicted by commit 6ef88d6e36c2 (\"KVM: SVM: Re-inject\nINT3/INTO instead of retrying the instruction\"), failure to verify that\nthe correct INTn instruction was decoded can effectively clobber guest\nstate due to decoding the wrong instruction and thus specifying the\nwrong next RIP.\n\nThe bug most often manifests as \"Oops: int3\" panics on static branch\nchecks in Linux guests. Enabling or disabling a static branch in Linux\nuses the kernel\u0027s \"text poke\" code patching mechanism. To modify code\nwhile other CPUs may be executing that code, Linux (temporarily)\nreplaces the first byte of the original instruction with an int3 (opcode\n0xcc), then patches in the new code stream except for the first byte,\nand finally replaces the int3 with the first byte of the new code\nstream. If a CPU hits the int3, i.e. executes the code while it\u0027s being\nmodified, then the guest kernel must look up the RIP to determine how to\nhandle the #BP, e.g. by emulating the new instruction. If the RIP is\nincorrect, then this lookup fails and the guest kernel panics.\n\nThe bug reproduces almost instantly by hacking the guest kernel to\nrepeatedly check a static branch[1] while running a drgn script[2] on\nthe host to constantly swap out the memory containing the guest\u0027s TSS.\n\n[1]: https://gist.github.com/osandov/44d17c51c28c0ac998ea0334edf90b5a\n[2]: https://gist.github.com/osandov/10e45e45afa29b11e0c7209247afc00b"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:31:17.727Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2e84a018c2895c05abe213eb10db128aa45f6ec6"
},
{
"url": "https://git.kernel.org/stable/c/152289a51107ef45bbfe9b4aeeaa584a503042b5"
},
{
"url": "https://git.kernel.org/stable/c/87cc1622c88a4888959d64fa1fc9ba1e264aa3d4"
},
{
"url": "https://git.kernel.org/stable/c/54bcccc2c7805a00af1d7d2faffd6f424c0133aa"
},
{
"url": "https://git.kernel.org/stable/c/53903ac9ca1abffa27327e85075ec496fa55ccf3"
},
{
"url": "https://git.kernel.org/stable/c/4da3768e1820cf15cced390242d8789aed34f54d"
}
],
"title": "KVM: SVM: Don\u0027t skip unrelated instruction if INT3/INTO is replaced",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68259",
"datePublished": "2025-12-16T14:45:01.753Z",
"dateReserved": "2025-12-16T13:41:40.267Z",
"dateUpdated": "2026-02-09T08:31:17.727Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38129 (GCVE-0-2025-38129)
Vulnerability from cvelistv5
Published
2025-07-03 08:35
Modified
2026-01-19 12:18
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
page_pool: Fix use-after-free in page_pool_recycle_in_ring
syzbot reported a uaf in page_pool_recycle_in_ring:
BUG: KASAN: slab-use-after-free in lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862
Read of size 8 at addr ffff8880286045a0 by task syz.0.284/6943
CPU: 0 UID: 0 PID: 6943 Comm: syz.0.284 Not tainted 6.13.0-rc3-syzkaller-gdfa94ce54f41 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0x169/0x550 mm/kasan/report.c:489
kasan_report+0x143/0x180 mm/kasan/report.c:602
lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862
__raw_spin_unlock_bh include/linux/spinlock_api_smp.h:165 [inline]
_raw_spin_unlock_bh+0x1b/0x40 kernel/locking/spinlock.c:210
spin_unlock_bh include/linux/spinlock.h:396 [inline]
ptr_ring_produce_bh include/linux/ptr_ring.h:164 [inline]
page_pool_recycle_in_ring net/core/page_pool.c:707 [inline]
page_pool_put_unrefed_netmem+0x748/0xb00 net/core/page_pool.c:826
page_pool_put_netmem include/net/page_pool/helpers.h:323 [inline]
page_pool_put_full_netmem include/net/page_pool/helpers.h:353 [inline]
napi_pp_put_page+0x149/0x2b0 net/core/skbuff.c:1036
skb_pp_recycle net/core/skbuff.c:1047 [inline]
skb_free_head net/core/skbuff.c:1094 [inline]
skb_release_data+0x6c4/0x8a0 net/core/skbuff.c:1125
skb_release_all net/core/skbuff.c:1190 [inline]
__kfree_skb net/core/skbuff.c:1204 [inline]
sk_skb_reason_drop+0x1c9/0x380 net/core/skbuff.c:1242
kfree_skb_reason include/linux/skbuff.h:1263 [inline]
__skb_queue_purge_reason include/linux/skbuff.h:3343 [inline]
root cause is:
page_pool_recycle_in_ring
ptr_ring_produce
spin_lock(&r->producer_lock);
WRITE_ONCE(r->queue[r->producer++], ptr)
//recycle last page to pool
page_pool_release
page_pool_scrub
page_pool_empty_ring
ptr_ring_consume
page_pool_return_page //release all page
__page_pool_destroy
free_percpu(pool->recycle_stats);
free(pool) //free
spin_unlock(&r->producer_lock); //pool->ring uaf read
recycle_stat_inc(pool, ring);
page_pool can be free while page pool recycle the last page in ring.
Add producer-lock barrier to page_pool_release to prevent the page
pool from being free before all pages have been recycled.
recycle_stat_inc() is empty when CONFIG_PAGE_POOL_STATS is not
enabled, which will trigger Wempty-body build warning. Add definition
for pool stat macro to fix warning.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: ff7d6b27f894f1469dc51ccb828b7363ccd9799f Version: ff7d6b27f894f1469dc51ccb828b7363ccd9799f Version: ff7d6b27f894f1469dc51ccb828b7363ccd9799f Version: ff7d6b27f894f1469dc51ccb828b7363ccd9799f Version: ff7d6b27f894f1469dc51ccb828b7363ccd9799f Version: ff7d6b27f894f1469dc51ccb828b7363ccd9799f |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/page_pool.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d69f28ef7cdafdcf37ee310f38b1399e7d05f9a8",
"status": "affected",
"version": "ff7d6b27f894f1469dc51ccb828b7363ccd9799f",
"versionType": "git"
},
{
"lessThan": "1a8c0b61d4cb55c5440583ec9e7f86a730369e32",
"status": "affected",
"version": "ff7d6b27f894f1469dc51ccb828b7363ccd9799f",
"versionType": "git"
},
{
"lessThan": "4914c0a166540e534a0c1d43affd329d95fb56fd",
"status": "affected",
"version": "ff7d6b27f894f1469dc51ccb828b7363ccd9799f",
"versionType": "git"
},
{
"lessThan": "e869a85acc2e60dc554579b910826a4919d8cd98",
"status": "affected",
"version": "ff7d6b27f894f1469dc51ccb828b7363ccd9799f",
"versionType": "git"
},
{
"lessThan": "4ab8c0f8905c9c4d05e7f437e65a9a365573ff02",
"status": "affected",
"version": "ff7d6b27f894f1469dc51ccb828b7363ccd9799f",
"versionType": "git"
},
{
"lessThan": "271683bb2cf32e5126c592b5d5e6a756fa374fd9",
"status": "affected",
"version": "ff7d6b27f894f1469dc51ccb828b7363ccd9799f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/page_pool.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"lessThan": "4.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.34",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.3",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "4.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npage_pool: Fix use-after-free in page_pool_recycle_in_ring\n\nsyzbot reported a uaf in page_pool_recycle_in_ring:\n\nBUG: KASAN: slab-use-after-free in lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862\nRead of size 8 at addr ffff8880286045a0 by task syz.0.284/6943\n\nCPU: 0 UID: 0 PID: 6943 Comm: syz.0.284 Not tainted 6.13.0-rc3-syzkaller-gdfa94ce54f41 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:489\n kasan_report+0x143/0x180 mm/kasan/report.c:602\n lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862\n __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:165 [inline]\n _raw_spin_unlock_bh+0x1b/0x40 kernel/locking/spinlock.c:210\n spin_unlock_bh include/linux/spinlock.h:396 [inline]\n ptr_ring_produce_bh include/linux/ptr_ring.h:164 [inline]\n page_pool_recycle_in_ring net/core/page_pool.c:707 [inline]\n page_pool_put_unrefed_netmem+0x748/0xb00 net/core/page_pool.c:826\n page_pool_put_netmem include/net/page_pool/helpers.h:323 [inline]\n page_pool_put_full_netmem include/net/page_pool/helpers.h:353 [inline]\n napi_pp_put_page+0x149/0x2b0 net/core/skbuff.c:1036\n skb_pp_recycle net/core/skbuff.c:1047 [inline]\n skb_free_head net/core/skbuff.c:1094 [inline]\n skb_release_data+0x6c4/0x8a0 net/core/skbuff.c:1125\n skb_release_all net/core/skbuff.c:1190 [inline]\n __kfree_skb net/core/skbuff.c:1204 [inline]\n sk_skb_reason_drop+0x1c9/0x380 net/core/skbuff.c:1242\n kfree_skb_reason include/linux/skbuff.h:1263 [inline]\n __skb_queue_purge_reason include/linux/skbuff.h:3343 [inline]\n\nroot cause is:\n\npage_pool_recycle_in_ring\n ptr_ring_produce\n spin_lock(\u0026r-\u003eproducer_lock);\n WRITE_ONCE(r-\u003equeue[r-\u003eproducer++], ptr)\n //recycle last page to pool\n\t\t\t\tpage_pool_release\n\t\t\t\t page_pool_scrub\n\t\t\t\t page_pool_empty_ring\n\t\t\t\t ptr_ring_consume\n\t\t\t\t page_pool_return_page //release all page\n\t\t\t\t __page_pool_destroy\n\t\t\t\t free_percpu(pool-\u003erecycle_stats);\n\t\t\t\t free(pool) //free\n\n spin_unlock(\u0026r-\u003eproducer_lock); //pool-\u003ering uaf read\n recycle_stat_inc(pool, ring);\n\npage_pool can be free while page pool recycle the last page in ring.\nAdd producer-lock barrier to page_pool_release to prevent the page\npool from being free before all pages have been recycled.\n\nrecycle_stat_inc() is empty when CONFIG_PAGE_POOL_STATS is not\nenabled, which will trigger Wempty-body build warning. Add definition\nfor pool stat macro to fix warning."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:18:00.706Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d69f28ef7cdafdcf37ee310f38b1399e7d05f9a8"
},
{
"url": "https://git.kernel.org/stable/c/1a8c0b61d4cb55c5440583ec9e7f86a730369e32"
},
{
"url": "https://git.kernel.org/stable/c/4914c0a166540e534a0c1d43affd329d95fb56fd"
},
{
"url": "https://git.kernel.org/stable/c/e869a85acc2e60dc554579b910826a4919d8cd98"
},
{
"url": "https://git.kernel.org/stable/c/4ab8c0f8905c9c4d05e7f437e65a9a365573ff02"
},
{
"url": "https://git.kernel.org/stable/c/271683bb2cf32e5126c592b5d5e6a756fa374fd9"
}
],
"title": "page_pool: Fix use-after-free in page_pool_recycle_in_ring",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38129",
"datePublished": "2025-07-03T08:35:33.728Z",
"dateReserved": "2025-04-16T04:51:23.987Z",
"dateUpdated": "2026-01-19T12:18:00.706Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40211 (GCVE-0-2025-40211)
Vulnerability from cvelistv5
Published
2025-11-21 10:21
Modified
2025-12-06 21:38
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ACPI: video: Fix use-after-free in acpi_video_switch_brightness()
The switch_brightness_work delayed work accesses device->brightness
and device->backlight, freed by acpi_video_dev_unregister_backlight()
during device removal.
If the work executes after acpi_video_bus_unregister_backlight()
frees these resources, it causes a use-after-free when
acpi_video_switch_brightness() dereferences device->brightness or
device->backlight.
Fix this by calling cancel_delayed_work_sync() for each device's
switch_brightness_work in acpi_video_bus_remove_notify_handler()
after removing the notify handler that queues the work. This ensures
the work completes before the memory is freed.
[ rjw: Changelog edit ]
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7 Version: 8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7 Version: 8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7 Version: 8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7 Version: 8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7 Version: 8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7 Version: 8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7 Version: 8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/acpi/acpi_video.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3f803ccf5a0c043e7c8b83f6665b082401fc8bee",
"status": "affected",
"version": "8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7",
"versionType": "git"
},
{
"lessThan": "ba1704316492a0496c69334338ea1fdbf4c2fd34",
"status": "affected",
"version": "8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7",
"versionType": "git"
},
{
"lessThan": "bc78a4f51d548c1ccc3d1967c2b394bf687c86e9",
"status": "affected",
"version": "8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7",
"versionType": "git"
},
{
"lessThan": "a63a5b6fb508d78fe57ae3b159d9ef3af7ba80e9",
"status": "affected",
"version": "8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7",
"versionType": "git"
},
{
"lessThan": "4e85246ec0d019dfba86ba54d841ef6694f97149",
"status": "affected",
"version": "8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7",
"versionType": "git"
},
{
"lessThan": "de5fc93275a4a459fe2f7cb746984f2ab3e8292a",
"status": "affected",
"version": "8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7",
"versionType": "git"
},
{
"lessThan": "293125536ef5521328815fa7c76d5f9eb1635659",
"status": "affected",
"version": "8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7",
"versionType": "git"
},
{
"lessThan": "8f067aa59430266386b83c18b983ca583faa6a11",
"status": "affected",
"version": "8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/acpi/acpi_video.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.17"
},
{
"lessThan": "3.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: video: Fix use-after-free in acpi_video_switch_brightness()\n\nThe switch_brightness_work delayed work accesses device-\u003ebrightness\nand device-\u003ebacklight, freed by acpi_video_dev_unregister_backlight()\nduring device removal.\n\nIf the work executes after acpi_video_bus_unregister_backlight()\nfrees these resources, it causes a use-after-free when\nacpi_video_switch_brightness() dereferences device-\u003ebrightness or\ndevice-\u003ebacklight.\n\nFix this by calling cancel_delayed_work_sync() for each device\u0027s\nswitch_brightness_work in acpi_video_bus_remove_notify_handler()\nafter removing the notify handler that queues the work. This ensures\nthe work completes before the memory is freed.\n\n[ rjw: Changelog edit ]"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T21:38:42.455Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3f803ccf5a0c043e7c8b83f6665b082401fc8bee"
},
{
"url": "https://git.kernel.org/stable/c/ba1704316492a0496c69334338ea1fdbf4c2fd34"
},
{
"url": "https://git.kernel.org/stable/c/bc78a4f51d548c1ccc3d1967c2b394bf687c86e9"
},
{
"url": "https://git.kernel.org/stable/c/a63a5b6fb508d78fe57ae3b159d9ef3af7ba80e9"
},
{
"url": "https://git.kernel.org/stable/c/4e85246ec0d019dfba86ba54d841ef6694f97149"
},
{
"url": "https://git.kernel.org/stable/c/de5fc93275a4a459fe2f7cb746984f2ab3e8292a"
},
{
"url": "https://git.kernel.org/stable/c/293125536ef5521328815fa7c76d5f9eb1635659"
},
{
"url": "https://git.kernel.org/stable/c/8f067aa59430266386b83c18b983ca583faa6a11"
}
],
"title": "ACPI: video: Fix use-after-free in acpi_video_switch_brightness()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40211",
"datePublished": "2025-11-21T10:21:36.438Z",
"dateReserved": "2025-04-16T07:20:57.179Z",
"dateUpdated": "2025-12-06T21:38:42.455Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40027 (GCVE-0-2025-40027)
Vulnerability from cvelistv5
Published
2025-10-28 09:32
Modified
2025-12-01 06:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/9p: fix double req put in p9_fd_cancelled
Syzkaller reports a KASAN issue as below:
general protection fault, probably for non-canonical address 0xfbd59c0000000021: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: maybe wild-memory-access in range [0xdead000000000108-0xdead00000000010f]
CPU: 0 PID: 5083 Comm: syz-executor.2 Not tainted 6.1.134-syzkaller-00037-g855bd1d7d838 #0
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
RIP: 0010:__list_del include/linux/list.h:114 [inline]
RIP: 0010:__list_del_entry include/linux/list.h:137 [inline]
RIP: 0010:list_del include/linux/list.h:148 [inline]
RIP: 0010:p9_fd_cancelled+0xe9/0x200 net/9p/trans_fd.c:734
Call Trace:
<TASK>
p9_client_flush+0x351/0x440 net/9p/client.c:614
p9_client_rpc+0xb6b/0xc70 net/9p/client.c:734
p9_client_version net/9p/client.c:920 [inline]
p9_client_create+0xb51/0x1240 net/9p/client.c:1027
v9fs_session_init+0x1f0/0x18f0 fs/9p/v9fs.c:408
v9fs_mount+0xba/0xcb0 fs/9p/vfs_super.c:126
legacy_get_tree+0x108/0x220 fs/fs_context.c:632
vfs_get_tree+0x8e/0x300 fs/super.c:1573
do_new_mount fs/namespace.c:3056 [inline]
path_mount+0x6a6/0x1e90 fs/namespace.c:3386
do_mount fs/namespace.c:3399 [inline]
__do_sys_mount fs/namespace.c:3607 [inline]
__se_sys_mount fs/namespace.c:3584 [inline]
__x64_sys_mount+0x283/0x300 fs/namespace.c:3584
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x6e/0xd8
This happens because of a race condition between:
- The 9p client sending an invalid flush request and later cleaning it up;
- The 9p client in p9_read_work() canceled all pending requests.
Thread 1 Thread 2
...
p9_client_create()
...
p9_fd_create()
...
p9_conn_create()
...
// start Thread 2
INIT_WORK(&m->rq, p9_read_work);
p9_read_work()
...
p9_client_rpc()
...
...
p9_conn_cancel()
...
spin_lock(&m->req_lock);
...
p9_fd_cancelled()
...
...
spin_unlock(&m->req_lock);
// status rewrite
p9_client_cb(m->client, req, REQ_STATUS_ERROR)
// first remove
list_del(&req->req_list);
...
spin_lock(&m->req_lock)
...
// second remove
list_del(&req->req_list);
spin_unlock(&m->req_lock)
...
Commit 74d6a5d56629 ("9p/trans_fd: Fix concurrency del of req_list in
p9_fd_cancelled/p9_read_work") fixes a concurrency issue in the 9p filesystem
client where the req_list could be deleted simultaneously by both
p9_read_work and p9_fd_cancelled functions, but for the case where req->status
equals REQ_STATUS_RCVD.
Update the check for req->status in p9_fd_cancelled to skip processing not
just received requests, but anything that is not SENT, as whatever
changed the state from SENT also removed the request from its list.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
[updated the check from status == RECV || status == ERROR to status != SENT]
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: afd8d65411551839b7ab14a539d00075b2793451 Version: afd8d65411551839b7ab14a539d00075b2793451 Version: afd8d65411551839b7ab14a539d00075b2793451 Version: afd8d65411551839b7ab14a539d00075b2793451 Version: afd8d65411551839b7ab14a539d00075b2793451 Version: afd8d65411551839b7ab14a539d00075b2793451 Version: afd8d65411551839b7ab14a539d00075b2793451 Version: afd8d65411551839b7ab14a539d00075b2793451 Version: afd8d65411551839b7ab14a539d00075b2793451 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/9p/trans_fd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a5901a0dfb5964525990106706ae8b98db098226",
"status": "affected",
"version": "afd8d65411551839b7ab14a539d00075b2793451",
"versionType": "git"
},
{
"lessThan": "5c64c0b7b3446f7ed088a13bc8d7487d66534cbb",
"status": "affected",
"version": "afd8d65411551839b7ab14a539d00075b2793451",
"versionType": "git"
},
{
"lessThan": "c1db864270eb7fea94a9ef201da0c9dc1cbab7b8",
"status": "affected",
"version": "afd8d65411551839b7ab14a539d00075b2793451",
"versionType": "git"
},
{
"lessThan": "0e0097005abc02c9f262370674f855625f4f3fb4",
"status": "affected",
"version": "afd8d65411551839b7ab14a539d00075b2793451",
"versionType": "git"
},
{
"lessThan": "284e67a93b8c48952b6fc82129a8d3eb9dc73b06",
"status": "affected",
"version": "afd8d65411551839b7ab14a539d00075b2793451",
"versionType": "git"
},
{
"lessThan": "716dceb19a9f8ff6c9d3aee5a771a93d6a47a0b6",
"status": "affected",
"version": "afd8d65411551839b7ab14a539d00075b2793451",
"versionType": "git"
},
{
"lessThan": "448db01a48e1cdbbc31c995716a5dac1e52ba036",
"status": "affected",
"version": "afd8d65411551839b7ab14a539d00075b2793451",
"versionType": "git"
},
{
"lessThan": "94797b84cb9985022eb9cb3275c9497fbc883bb6",
"status": "affected",
"version": "afd8d65411551839b7ab14a539d00075b2793451",
"versionType": "git"
},
{
"lessThan": "674b56aa57f9379854cb6798c3bbcef7e7b51ab7",
"status": "affected",
"version": "afd8d65411551839b7ab14a539d00075b2793451",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/9p/trans_fd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.15"
},
{
"lessThan": "3.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.52",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.111",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.52",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.12",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.2",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/9p: fix double req put in p9_fd_cancelled\n\nSyzkaller reports a KASAN issue as below:\n\ngeneral protection fault, probably for non-canonical address 0xfbd59c0000000021: 0000 [#1] PREEMPT SMP KASAN NOPTI\nKASAN: maybe wild-memory-access in range [0xdead000000000108-0xdead00000000010f]\nCPU: 0 PID: 5083 Comm: syz-executor.2 Not tainted 6.1.134-syzkaller-00037-g855bd1d7d838 #0\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014\nRIP: 0010:__list_del include/linux/list.h:114 [inline]\nRIP: 0010:__list_del_entry include/linux/list.h:137 [inline]\nRIP: 0010:list_del include/linux/list.h:148 [inline]\nRIP: 0010:p9_fd_cancelled+0xe9/0x200 net/9p/trans_fd.c:734\n\nCall Trace:\n \u003cTASK\u003e\n p9_client_flush+0x351/0x440 net/9p/client.c:614\n p9_client_rpc+0xb6b/0xc70 net/9p/client.c:734\n p9_client_version net/9p/client.c:920 [inline]\n p9_client_create+0xb51/0x1240 net/9p/client.c:1027\n v9fs_session_init+0x1f0/0x18f0 fs/9p/v9fs.c:408\n v9fs_mount+0xba/0xcb0 fs/9p/vfs_super.c:126\n legacy_get_tree+0x108/0x220 fs/fs_context.c:632\n vfs_get_tree+0x8e/0x300 fs/super.c:1573\n do_new_mount fs/namespace.c:3056 [inline]\n path_mount+0x6a6/0x1e90 fs/namespace.c:3386\n do_mount fs/namespace.c:3399 [inline]\n __do_sys_mount fs/namespace.c:3607 [inline]\n __se_sys_mount fs/namespace.c:3584 [inline]\n __x64_sys_mount+0x283/0x300 fs/namespace.c:3584\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\nThis happens because of a race condition between:\n\n- The 9p client sending an invalid flush request and later cleaning it up;\n- The 9p client in p9_read_work() canceled all pending requests.\n\n Thread 1 Thread 2\n ...\n p9_client_create()\n ...\n p9_fd_create()\n ...\n p9_conn_create()\n ...\n // start Thread 2\n INIT_WORK(\u0026m-\u003erq, p9_read_work);\n p9_read_work()\n ...\n p9_client_rpc()\n ...\n ...\n p9_conn_cancel()\n ...\n spin_lock(\u0026m-\u003ereq_lock);\n ...\n p9_fd_cancelled()\n ...\n ...\n spin_unlock(\u0026m-\u003ereq_lock);\n // status rewrite\n p9_client_cb(m-\u003eclient, req, REQ_STATUS_ERROR)\n // first remove\n list_del(\u0026req-\u003ereq_list);\n ...\n\n spin_lock(\u0026m-\u003ereq_lock)\n ...\n // second remove\n list_del(\u0026req-\u003ereq_list);\n spin_unlock(\u0026m-\u003ereq_lock)\n ...\n\nCommit 74d6a5d56629 (\"9p/trans_fd: Fix concurrency del of req_list in\np9_fd_cancelled/p9_read_work\") fixes a concurrency issue in the 9p filesystem\nclient where the req_list could be deleted simultaneously by both\np9_read_work and p9_fd_cancelled functions, but for the case where req-\u003estatus\nequals REQ_STATUS_RCVD.\n\nUpdate the check for req-\u003estatus in p9_fd_cancelled to skip processing not\njust received requests, but anything that is not SENT, as whatever\nchanged the state from SENT also removed the request from its list.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.\n\n[updated the check from status == RECV || status == ERROR to status != SENT]"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:16:29.428Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a5901a0dfb5964525990106706ae8b98db098226"
},
{
"url": "https://git.kernel.org/stable/c/5c64c0b7b3446f7ed088a13bc8d7487d66534cbb"
},
{
"url": "https://git.kernel.org/stable/c/c1db864270eb7fea94a9ef201da0c9dc1cbab7b8"
},
{
"url": "https://git.kernel.org/stable/c/0e0097005abc02c9f262370674f855625f4f3fb4"
},
{
"url": "https://git.kernel.org/stable/c/284e67a93b8c48952b6fc82129a8d3eb9dc73b06"
},
{
"url": "https://git.kernel.org/stable/c/716dceb19a9f8ff6c9d3aee5a771a93d6a47a0b6"
},
{
"url": "https://git.kernel.org/stable/c/448db01a48e1cdbbc31c995716a5dac1e52ba036"
},
{
"url": "https://git.kernel.org/stable/c/94797b84cb9985022eb9cb3275c9497fbc883bb6"
},
{
"url": "https://git.kernel.org/stable/c/674b56aa57f9379854cb6798c3bbcef7e7b51ab7"
}
],
"title": "net/9p: fix double req put in p9_fd_cancelled",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40027",
"datePublished": "2025-10-28T09:32:34.162Z",
"dateReserved": "2025-04-16T07:20:57.152Z",
"dateUpdated": "2025-12-01T06:16:29.428Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39951 (GCVE-0-2025-39951)
Vulnerability from cvelistv5
Published
2025-10-04 07:31
Modified
2025-10-04 07:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
um: virtio_uml: Fix use-after-free after put_device in probe
When register_virtio_device() fails in virtio_uml_probe(),
the code sets vu_dev->registered = 1 even though
the device was not successfully registered.
This can lead to use-after-free or other issues.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 04e5b1fb01834a602acaae2276b67a783a8c6159 Version: 04e5b1fb01834a602acaae2276b67a783a8c6159 Version: 04e5b1fb01834a602acaae2276b67a783a8c6159 Version: 04e5b1fb01834a602acaae2276b67a783a8c6159 Version: 04e5b1fb01834a602acaae2276b67a783a8c6159 Version: 04e5b1fb01834a602acaae2276b67a783a8c6159 Version: 04e5b1fb01834a602acaae2276b67a783a8c6159 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/um/drivers/virtio_uml.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "14c231959a16ca41bfdcaede72483362a8c645d7",
"status": "affected",
"version": "04e5b1fb01834a602acaae2276b67a783a8c6159",
"versionType": "git"
},
{
"lessThan": "5e94e44c9cb30d7a383d8ac227f24a8c9326b770",
"status": "affected",
"version": "04e5b1fb01834a602acaae2276b67a783a8c6159",
"versionType": "git"
},
{
"lessThan": "aaf900a83508c8cd5cdf765e7749f9076196ec7f",
"status": "affected",
"version": "04e5b1fb01834a602acaae2276b67a783a8c6159",
"versionType": "git"
},
{
"lessThan": "4f364023ddcfe83f7073b973a9cb98584b7f2a46",
"status": "affected",
"version": "04e5b1fb01834a602acaae2276b67a783a8c6159",
"versionType": "git"
},
{
"lessThan": "00e98b5a69034b251bb36dc6e7123d7648e218e4",
"status": "affected",
"version": "04e5b1fb01834a602acaae2276b67a783a8c6159",
"versionType": "git"
},
{
"lessThan": "c2ff91255e0157b356cff115d8dc3eeb5162edf2",
"status": "affected",
"version": "04e5b1fb01834a602acaae2276b67a783a8c6159",
"versionType": "git"
},
{
"lessThan": "7ebf70cf181651fe3f2e44e95e7e5073d594c9c0",
"status": "affected",
"version": "04e5b1fb01834a602acaae2276b67a783a8c6159",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/um/drivers/virtio_uml.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.154",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.108",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.154",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.108",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.49",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.9",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\num: virtio_uml: Fix use-after-free after put_device in probe\n\nWhen register_virtio_device() fails in virtio_uml_probe(),\nthe code sets vu_dev-\u003eregistered = 1 even though\nthe device was not successfully registered.\nThis can lead to use-after-free or other issues."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T07:37:07.273Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/14c231959a16ca41bfdcaede72483362a8c645d7"
},
{
"url": "https://git.kernel.org/stable/c/5e94e44c9cb30d7a383d8ac227f24a8c9326b770"
},
{
"url": "https://git.kernel.org/stable/c/aaf900a83508c8cd5cdf765e7749f9076196ec7f"
},
{
"url": "https://git.kernel.org/stable/c/4f364023ddcfe83f7073b973a9cb98584b7f2a46"
},
{
"url": "https://git.kernel.org/stable/c/00e98b5a69034b251bb36dc6e7123d7648e218e4"
},
{
"url": "https://git.kernel.org/stable/c/c2ff91255e0157b356cff115d8dc3eeb5162edf2"
},
{
"url": "https://git.kernel.org/stable/c/7ebf70cf181651fe3f2e44e95e7e5073d594c9c0"
}
],
"title": "um: virtio_uml: Fix use-after-free after put_device in probe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39951",
"datePublished": "2025-10-04T07:31:11.684Z",
"dateReserved": "2025-04-16T07:20:57.148Z",
"dateUpdated": "2025-10-04T07:37:07.273Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-68814 (GCVE-0-2025-68814)
Vulnerability from cvelistv5
Published
2026-01-13 15:29
Modified
2026-02-09 08:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
io_uring: fix filename leak in __io_openat_prep()
__io_openat_prep() allocates a struct filename using getname(). However,
for the condition of the file being installed in the fixed file table as
well as having O_CLOEXEC flag set, the function returns early. At that
point, the request doesn't have REQ_F_NEED_CLEANUP flag set. Due to this,
the memory for the newly allocated struct filename is not cleaned up,
causing a memory leak.
Fix this by setting the REQ_F_NEED_CLEANUP for the request just after the
successful getname() call, so that when the request is torn down, the
filename will be cleaned up, along with other resources needing cleanup.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: b9445598d8c60a1379887b957024b71343965f74 Version: b9445598d8c60a1379887b957024b71343965f74 Version: b9445598d8c60a1379887b957024b71343965f74 Version: b9445598d8c60a1379887b957024b71343965f74 Version: b9445598d8c60a1379887b957024b71343965f74 Version: b9445598d8c60a1379887b957024b71343965f74 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"io_uring/openclose.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2420ef01b2e836fbc05a0a8c73a1016504eb0458",
"status": "affected",
"version": "b9445598d8c60a1379887b957024b71343965f74",
"versionType": "git"
},
{
"lessThan": "8f44c4a550570cd5903625133f938c6b51310c9b",
"status": "affected",
"version": "b9445598d8c60a1379887b957024b71343965f74",
"versionType": "git"
},
{
"lessThan": "18b99fa603d0df5e1c898699c17d3b92ddc80746",
"status": "affected",
"version": "b9445598d8c60a1379887b957024b71343965f74",
"versionType": "git"
},
{
"lessThan": "e232269d511566b1f80872256a48593acc1becf4",
"status": "affected",
"version": "b9445598d8c60a1379887b957024b71343965f74",
"versionType": "git"
},
{
"lessThan": "7fbfb85b05bc960cc50e09d03e5e562131e48d45",
"status": "affected",
"version": "b9445598d8c60a1379887b957024b71343965f74",
"versionType": "git"
},
{
"lessThan": "b14fad555302a2104948feaff70503b64c80ac01",
"status": "affected",
"version": "b9445598d8c60a1379887b957024b71343965f74",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"io_uring/openclose.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: fix filename leak in __io_openat_prep()\n\n __io_openat_prep() allocates a struct filename using getname(). However,\nfor the condition of the file being installed in the fixed file table as\nwell as having O_CLOEXEC flag set, the function returns early. At that\npoint, the request doesn\u0027t have REQ_F_NEED_CLEANUP flag set. Due to this,\nthe memory for the newly allocated struct filename is not cleaned up,\ncausing a memory leak.\n\nFix this by setting the REQ_F_NEED_CLEANUP for the request just after the\nsuccessful getname() call, so that when the request is torn down, the\nfilename will be cleaned up, along with other resources needing cleanup."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:04.016Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2420ef01b2e836fbc05a0a8c73a1016504eb0458"
},
{
"url": "https://git.kernel.org/stable/c/8f44c4a550570cd5903625133f938c6b51310c9b"
},
{
"url": "https://git.kernel.org/stable/c/18b99fa603d0df5e1c898699c17d3b92ddc80746"
},
{
"url": "https://git.kernel.org/stable/c/e232269d511566b1f80872256a48593acc1becf4"
},
{
"url": "https://git.kernel.org/stable/c/7fbfb85b05bc960cc50e09d03e5e562131e48d45"
},
{
"url": "https://git.kernel.org/stable/c/b14fad555302a2104948feaff70503b64c80ac01"
}
],
"title": "io_uring: fix filename leak in __io_openat_prep()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68814",
"datePublished": "2026-01-13T15:29:19.129Z",
"dateReserved": "2025-12-24T10:30:51.047Z",
"dateUpdated": "2026-02-09T08:34:04.016Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71146 (GCVE-0-2025-71146)
Vulnerability from cvelistv5
Published
2026-01-23 14:15
Modified
2026-02-09 08:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_conncount: fix leaked ct in error paths
There are some situations where ct might be leaked as error paths are
skipping the refcounted check and return immediately. In order to solve
it make sure that the check is always called.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 6e86f0eca857ee42787e30e9ec0b726aebfcae0a Version: b160895d6bc9690459b16ef87799c9bd456af3ec Version: 8d5a2c94c24dcc226863a7c2b5034750370c2189 Version: da9f247fb5efcd5a2730cdc989291b383c439e10 Version: 3558faee8aace3541189c3a2ca45c7e85e144b44 Version: f6904ed15ed1a188543057e3cb0d02daa80edfc9 Version: be102eb6a0e7c03db00e50540622f4e43b2d2844 Version: 8c2da7330214ce30f8333d1799a27ed0a9418f07 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conncount.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "08fa37f4c8c59c294e9c18fea2d083ee94074e5a",
"status": "affected",
"version": "6e86f0eca857ee42787e30e9ec0b726aebfcae0a",
"versionType": "git"
},
{
"lessThan": "e1ac8dce3a893641bef224ad057932f142b8a36f",
"status": "affected",
"version": "b160895d6bc9690459b16ef87799c9bd456af3ec",
"versionType": "git"
},
{
"lessThan": "f381a33f34dda9e4023e38ba68c943bca83245e9",
"status": "affected",
"version": "8d5a2c94c24dcc226863a7c2b5034750370c2189",
"versionType": "git"
},
{
"lessThan": "325eb61bb30790ea27782203a17b007ce1754a67",
"status": "affected",
"version": "da9f247fb5efcd5a2730cdc989291b383c439e10",
"versionType": "git"
},
{
"lessThan": "0b88be7211d21a0d68bb1e56dc805944e3654d6f",
"status": "affected",
"version": "3558faee8aace3541189c3a2ca45c7e85e144b44",
"versionType": "git"
},
{
"lessThan": "4bd2b89f4028f250dd1c1625eb3da1979b04a5e8",
"status": "affected",
"version": "f6904ed15ed1a188543057e3cb0d02daa80edfc9",
"versionType": "git"
},
{
"lessThan": "2e2a720766886190a6d35c116794693aabd332b6",
"status": "affected",
"version": "be102eb6a0e7c03db00e50540622f4e43b2d2844",
"versionType": "git"
},
{
"status": "affected",
"version": "8c2da7330214ce30f8333d1799a27ed0a9418f07",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conncount.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6.12.64",
"status": "affected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThan": "6.18.3",
"status": "affected",
"version": "6.18.2",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.12.63",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.18.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.17.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conncount: fix leaked ct in error paths\n\nThere are some situations where ct might be leaked as error paths are\nskipping the refcounted check and return immediately. In order to solve\nit make sure that the check is always called."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:42.849Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/08fa37f4c8c59c294e9c18fea2d083ee94074e5a"
},
{
"url": "https://git.kernel.org/stable/c/e1ac8dce3a893641bef224ad057932f142b8a36f"
},
{
"url": "https://git.kernel.org/stable/c/f381a33f34dda9e4023e38ba68c943bca83245e9"
},
{
"url": "https://git.kernel.org/stable/c/325eb61bb30790ea27782203a17b007ce1754a67"
},
{
"url": "https://git.kernel.org/stable/c/0b88be7211d21a0d68bb1e56dc805944e3654d6f"
},
{
"url": "https://git.kernel.org/stable/c/4bd2b89f4028f250dd1c1625eb3da1979b04a5e8"
},
{
"url": "https://git.kernel.org/stable/c/2e2a720766886190a6d35c116794693aabd332b6"
}
],
"title": "netfilter: nf_conncount: fix leaked ct in error paths",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71146",
"datePublished": "2026-01-23T14:15:12.998Z",
"dateReserved": "2026-01-13T15:30:19.661Z",
"dateUpdated": "2026-02-09T08:35:42.849Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71182 (GCVE-0-2025-71182)
Vulnerability from cvelistv5
Published
2026-01-31 11:38
Modified
2026-02-09 08:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: j1939: make j1939_session_activate() fail if device is no longer registered
syzbot is still reporting
unregister_netdevice: waiting for vcan0 to become free. Usage count = 2
even after commit 93a27b5891b8 ("can: j1939: add missing calls in
NETDEV_UNREGISTER notification handler") was added. A debug printk() patch
found that j1939_session_activate() can succeed even after
j1939_cancel_active_session() from j1939_netdev_notify(NETDEV_UNREGISTER)
has completed.
Since j1939_cancel_active_session() is processed with the session list lock
held, checking ndev->reg_state in j1939_session_activate() with the session
list lock held can reliably close the race window.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 9d71dd0c70099914fcd063135da3c580865e924c Version: 9d71dd0c70099914fcd063135da3c580865e924c Version: 9d71dd0c70099914fcd063135da3c580865e924c Version: 9d71dd0c70099914fcd063135da3c580865e924c Version: 9d71dd0c70099914fcd063135da3c580865e924c Version: 9d71dd0c70099914fcd063135da3c580865e924c Version: 9d71dd0c70099914fcd063135da3c580865e924c |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/can/j1939/transport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ebb0dfd718dd31c8d3600612ca4b7207ec3d923a",
"status": "affected",
"version": "9d71dd0c70099914fcd063135da3c580865e924c",
"versionType": "git"
},
{
"lessThan": "c3a4316e3c746af415c0fd6c6d489ad13f53714d",
"status": "affected",
"version": "9d71dd0c70099914fcd063135da3c580865e924c",
"versionType": "git"
},
{
"lessThan": "46ca9dc978923c5e1247a9e9519240ba7ace413c",
"status": "affected",
"version": "9d71dd0c70099914fcd063135da3c580865e924c",
"versionType": "git"
},
{
"lessThan": "78d87b72cebe2a993fd5b017e9f14fb6278f2eae",
"status": "affected",
"version": "9d71dd0c70099914fcd063135da3c580865e924c",
"versionType": "git"
},
{
"lessThan": "ba6f0d1832eeb5eb3a6dc5cb30e0f720b3cb3536",
"status": "affected",
"version": "9d71dd0c70099914fcd063135da3c580865e924c",
"versionType": "git"
},
{
"lessThan": "79dd3f1d9dd310c2af89b09c71f34d93973b200f",
"status": "affected",
"version": "9d71dd0c70099914fcd063135da3c580865e924c",
"versionType": "git"
},
{
"lessThan": "5d5602236f5db19e8b337a2cd87a90ace5ea776d",
"status": "affected",
"version": "9d71dd0c70099914fcd063135da3c580865e924c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/can/j1939/transport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: j1939: make j1939_session_activate() fail if device is no longer registered\n\nsyzbot is still reporting\n\n unregister_netdevice: waiting for vcan0 to become free. Usage count = 2\n\neven after commit 93a27b5891b8 (\"can: j1939: add missing calls in\nNETDEV_UNREGISTER notification handler\") was added. A debug printk() patch\nfound that j1939_session_activate() can succeed even after\nj1939_cancel_active_session() from j1939_netdev_notify(NETDEV_UNREGISTER)\nhas completed.\n\nSince j1939_cancel_active_session() is processed with the session list lock\nheld, checking ndev-\u003ereg_state in j1939_session_activate() with the session\nlist lock held can reliably close the race window."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:06.320Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ebb0dfd718dd31c8d3600612ca4b7207ec3d923a"
},
{
"url": "https://git.kernel.org/stable/c/c3a4316e3c746af415c0fd6c6d489ad13f53714d"
},
{
"url": "https://git.kernel.org/stable/c/46ca9dc978923c5e1247a9e9519240ba7ace413c"
},
{
"url": "https://git.kernel.org/stable/c/78d87b72cebe2a993fd5b017e9f14fb6278f2eae"
},
{
"url": "https://git.kernel.org/stable/c/ba6f0d1832eeb5eb3a6dc5cb30e0f720b3cb3536"
},
{
"url": "https://git.kernel.org/stable/c/79dd3f1d9dd310c2af89b09c71f34d93973b200f"
},
{
"url": "https://git.kernel.org/stable/c/5d5602236f5db19e8b337a2cd87a90ace5ea776d"
}
],
"title": "can: j1939: make j1939_session_activate() fail if device is no longer registered",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71182",
"datePublished": "2026-01-31T11:38:55.157Z",
"dateReserved": "2026-01-31T11:36:51.185Z",
"dateUpdated": "2026-02-09T08:36:06.320Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22999 (GCVE-0-2026-22999)
Vulnerability from cvelistv5
Published
2026-01-25 14:36
Modified
2026-02-09 08:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: sch_qfq: do not free existing class in qfq_change_class()
Fixes qfq_change_class() error case.
cl->qdisc and cl should only be freed if a new class and qdisc
were allocated, or we risk various UAF.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 462dbc9101acd38e92eda93c0726857517a24bbd Version: 462dbc9101acd38e92eda93c0726857517a24bbd Version: 462dbc9101acd38e92eda93c0726857517a24bbd Version: 462dbc9101acd38e92eda93c0726857517a24bbd Version: 462dbc9101acd38e92eda93c0726857517a24bbd Version: 462dbc9101acd38e92eda93c0726857517a24bbd Version: 462dbc9101acd38e92eda93c0726857517a24bbd |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_qfq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2a64fb9b47afffeb5dbab5fd3a518e1436dcc90e",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "cff6cd703f41d8071995956142729e4bba160363",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "f06f7635499bc806cbe2bbc8805c7cef8b1edddf",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "0a234660dc70ce45d771cbc76b20d925b73ec160",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "362e269bb03f7076ba9990e518aeddb898232e50",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "e9d8f11652fa08c647bf7bba7dd8163241a332cd",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "3879cffd9d07aa0377c4b8835c4f64b4fb24ac78",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_qfq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_qfq: do not free existing class in qfq_change_class()\n\nFixes qfq_change_class() error case.\n\ncl-\u003eqdisc and cl should only be freed if a new class and qdisc\nwere allocated, or we risk various UAF."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:51.739Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2a64fb9b47afffeb5dbab5fd3a518e1436dcc90e"
},
{
"url": "https://git.kernel.org/stable/c/cff6cd703f41d8071995956142729e4bba160363"
},
{
"url": "https://git.kernel.org/stable/c/f06f7635499bc806cbe2bbc8805c7cef8b1edddf"
},
{
"url": "https://git.kernel.org/stable/c/0a234660dc70ce45d771cbc76b20d925b73ec160"
},
{
"url": "https://git.kernel.org/stable/c/362e269bb03f7076ba9990e518aeddb898232e50"
},
{
"url": "https://git.kernel.org/stable/c/e9d8f11652fa08c647bf7bba7dd8163241a332cd"
},
{
"url": "https://git.kernel.org/stable/c/3879cffd9d07aa0377c4b8835c4f64b4fb24ac78"
}
],
"title": "net/sched: sch_qfq: do not free existing class in qfq_change_class()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-22999",
"datePublished": "2026-01-25T14:36:13.909Z",
"dateReserved": "2026-01-13T15:37:45.938Z",
"dateUpdated": "2026-02-09T08:36:51.739Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40322 (GCVE-0-2025-40322)
Vulnerability from cvelistv5
Published
2025-12-08 00:46
Modified
2026-01-02 15:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
fbdev: bitblit: bound-check glyph index in bit_putcs*
bit_putcs_aligned()/unaligned() derived the glyph pointer from the
character value masked by 0xff/0x1ff, which may exceed the actual font's
glyph count and read past the end of the built-in font array.
Clamp the index to the actual glyph count before computing the address.
This fixes a global out-of-bounds read reported by syzbot.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/core/bitblit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a10cede006f9614b465cf25609a8753efbfd45cc",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0998a6cb232674408a03e8561dc15aa266b2f53b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "db5c9a162d2f42bcc842b76b3d935dcc050a0eec",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c12003bf91fdff381c55ef54fef3e961a5af2545",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9ba1a7802ca9a2590cef95b253e6526f4364477f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "901f44227072be60812fe8083e83e1533c04eed1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "efaf89a75a29b2d179bf4fe63ca62852e93ad620",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "18c4ef4e765a798b47980555ed665d78b71aeadf",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/core/bitblit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: bitblit: bound-check glyph index in bit_putcs*\n\nbit_putcs_aligned()/unaligned() derived the glyph pointer from the\ncharacter value masked by 0xff/0x1ff, which may exceed the actual font\u0027s\nglyph count and read past the end of the built-in font array.\nClamp the index to the actual glyph count before computing the address.\n\nThis fixes a global out-of-bounds read reported by syzbot."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:34.750Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a10cede006f9614b465cf25609a8753efbfd45cc"
},
{
"url": "https://git.kernel.org/stable/c/0998a6cb232674408a03e8561dc15aa266b2f53b"
},
{
"url": "https://git.kernel.org/stable/c/db5c9a162d2f42bcc842b76b3d935dcc050a0eec"
},
{
"url": "https://git.kernel.org/stable/c/c12003bf91fdff381c55ef54fef3e961a5af2545"
},
{
"url": "https://git.kernel.org/stable/c/9ba1a7802ca9a2590cef95b253e6526f4364477f"
},
{
"url": "https://git.kernel.org/stable/c/901f44227072be60812fe8083e83e1533c04eed1"
},
{
"url": "https://git.kernel.org/stable/c/efaf89a75a29b2d179bf4fe63ca62852e93ad620"
},
{
"url": "https://git.kernel.org/stable/c/18c4ef4e765a798b47980555ed665d78b71aeadf"
}
],
"title": "fbdev: bitblit: bound-check glyph index in bit_putcs*",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40322",
"datePublished": "2025-12-08T00:46:49.773Z",
"dateReserved": "2025-04-16T07:20:57.186Z",
"dateUpdated": "2026-01-02T15:33:34.750Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39986 (GCVE-0-2025-39986)
Vulnerability from cvelistv5
Published
2025-10-15 07:56
Modified
2025-10-15 07:56
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: sun4i_can: populate ndo_change_mtu() to prevent buffer overflow
Sending an PF_PACKET allows to bypass the CAN framework logic and to
directly reach the xmit() function of a CAN driver. The only check
which is performed by the PF_PACKET framework is to make sure that
skb->len fits the interface's MTU.
Unfortunately, because the sun4i_can driver does not populate its
net_device_ops->ndo_change_mtu(), it is possible for an attacker to
configure an invalid MTU by doing, for example:
$ ip link set can0 mtu 9999
After doing so, the attacker could open a PF_PACKET socket using the
ETH_P_CANXL protocol:
socket(PF_PACKET, SOCK_RAW, htons(ETH_P_CANXL))
to inject a malicious CAN XL frames. For example:
struct canxl_frame frame = {
.flags = 0xff,
.len = 2048,
};
The CAN drivers' xmit() function are calling can_dev_dropped_skb() to
check that the skb is valid, unfortunately under above conditions, the
malicious packet is able to go through can_dev_dropped_skb() checks:
1. the skb->protocol is set to ETH_P_CANXL which is valid (the
function does not check the actual device capabilities).
2. the length is a valid CAN XL length.
And so, sun4ican_start_xmit() receives a CAN XL frame which it is not
able to correctly handle and will thus misinterpret it as a CAN frame.
This can result in a buffer overflow. The driver will consume cf->len
as-is with no further checks on this line:
dlc = cf->len;
Here, cf->len corresponds to the flags field of the CAN XL frame. In
our previous example, we set canxl_frame->flags to 0xff. Because the
maximum expected length is 8, a buffer overflow of 247 bytes occurs a
couple line below when doing:
for (i = 0; i < dlc; i++)
writel(cf->data[i], priv->base + (dreg + i * 4));
Populate net_device_ops->ndo_change_mtu() to ensure that the
interface's MTU can not be set to anything bigger than CAN_MTU. By
fixing the root cause, this prevents the buffer overflow.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 0738eff14d817a02ab082c392c96a1613006f158 Version: 0738eff14d817a02ab082c392c96a1613006f158 Version: 0738eff14d817a02ab082c392c96a1613006f158 Version: 0738eff14d817a02ab082c392c96a1613006f158 Version: 0738eff14d817a02ab082c392c96a1613006f158 Version: 0738eff14d817a02ab082c392c96a1613006f158 Version: 0738eff14d817a02ab082c392c96a1613006f158 Version: 0738eff14d817a02ab082c392c96a1613006f158 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/can/sun4i_can.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "063539db42203b29d5aa2adf0cae3d68c646a6b6",
"status": "affected",
"version": "0738eff14d817a02ab082c392c96a1613006f158",
"versionType": "git"
},
{
"lessThan": "4f382cc887adca8478b9d3e6b81aa6698a95fff4",
"status": "affected",
"version": "0738eff14d817a02ab082c392c96a1613006f158",
"versionType": "git"
},
{
"lessThan": "60463a1c138900494cb3adae41142a11cd8feb3c",
"status": "affected",
"version": "0738eff14d817a02ab082c392c96a1613006f158",
"versionType": "git"
},
{
"lessThan": "a61ff7ac93270d20ca426c027d6d01c8ac8e904c",
"status": "affected",
"version": "0738eff14d817a02ab082c392c96a1613006f158",
"versionType": "git"
},
{
"lessThan": "2e423e1990f3972cbea779883fef52c2f2acb858",
"status": "affected",
"version": "0738eff14d817a02ab082c392c96a1613006f158",
"versionType": "git"
},
{
"lessThan": "de77841652e57afbc46e9e1dbf51ee364fc008e1",
"status": "affected",
"version": "0738eff14d817a02ab082c392c96a1613006f158",
"versionType": "git"
},
{
"lessThan": "7f7b21026a6febdb749f6f6f950427245aa86cce",
"status": "affected",
"version": "0738eff14d817a02ab082c392c96a1613006f158",
"versionType": "git"
},
{
"lessThan": "61da0bd4102c459823fbe6b8b43b01fb6ace4a22",
"status": "affected",
"version": "0738eff14d817a02ab082c392c96a1613006f158",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/can/sun4i_can.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.4"
},
{
"lessThan": "4.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.155",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.50",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.155",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.109",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: sun4i_can: populate ndo_change_mtu() to prevent buffer overflow\n\nSending an PF_PACKET allows to bypass the CAN framework logic and to\ndirectly reach the xmit() function of a CAN driver. The only check\nwhich is performed by the PF_PACKET framework is to make sure that\nskb-\u003elen fits the interface\u0027s MTU.\n\nUnfortunately, because the sun4i_can driver does not populate its\nnet_device_ops-\u003endo_change_mtu(), it is possible for an attacker to\nconfigure an invalid MTU by doing, for example:\n\n $ ip link set can0 mtu 9999\n\nAfter doing so, the attacker could open a PF_PACKET socket using the\nETH_P_CANXL protocol:\n\n\tsocket(PF_PACKET, SOCK_RAW, htons(ETH_P_CANXL))\n\nto inject a malicious CAN XL frames. For example:\n\n\tstruct canxl_frame frame = {\n\t\t.flags = 0xff,\n\t\t.len = 2048,\n\t};\n\nThe CAN drivers\u0027 xmit() function are calling can_dev_dropped_skb() to\ncheck that the skb is valid, unfortunately under above conditions, the\nmalicious packet is able to go through can_dev_dropped_skb() checks:\n\n 1. the skb-\u003eprotocol is set to ETH_P_CANXL which is valid (the\n function does not check the actual device capabilities).\n\n 2. the length is a valid CAN XL length.\n\nAnd so, sun4ican_start_xmit() receives a CAN XL frame which it is not\nable to correctly handle and will thus misinterpret it as a CAN frame.\n\nThis can result in a buffer overflow. The driver will consume cf-\u003elen\nas-is with no further checks on this line:\n\n\tdlc = cf-\u003elen;\n\nHere, cf-\u003elen corresponds to the flags field of the CAN XL frame. In\nour previous example, we set canxl_frame-\u003eflags to 0xff. Because the\nmaximum expected length is 8, a buffer overflow of 247 bytes occurs a\ncouple line below when doing:\n\n\tfor (i = 0; i \u003c dlc; i++)\n\t\twritel(cf-\u003edata[i], priv-\u003ebase + (dreg + i * 4));\n\nPopulate net_device_ops-\u003endo_change_mtu() to ensure that the\ninterface\u0027s MTU can not be set to anything bigger than CAN_MTU. By\nfixing the root cause, this prevents the buffer overflow."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T07:56:05.143Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/063539db42203b29d5aa2adf0cae3d68c646a6b6"
},
{
"url": "https://git.kernel.org/stable/c/4f382cc887adca8478b9d3e6b81aa6698a95fff4"
},
{
"url": "https://git.kernel.org/stable/c/60463a1c138900494cb3adae41142a11cd8feb3c"
},
{
"url": "https://git.kernel.org/stable/c/a61ff7ac93270d20ca426c027d6d01c8ac8e904c"
},
{
"url": "https://git.kernel.org/stable/c/2e423e1990f3972cbea779883fef52c2f2acb858"
},
{
"url": "https://git.kernel.org/stable/c/de77841652e57afbc46e9e1dbf51ee364fc008e1"
},
{
"url": "https://git.kernel.org/stable/c/7f7b21026a6febdb749f6f6f950427245aa86cce"
},
{
"url": "https://git.kernel.org/stable/c/61da0bd4102c459823fbe6b8b43b01fb6ace4a22"
}
],
"title": "can: sun4i_can: populate ndo_change_mtu() to prevent buffer overflow",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39986",
"datePublished": "2025-10-15T07:56:05.143Z",
"dateReserved": "2025-04-16T07:20:57.150Z",
"dateUpdated": "2025-10-15T07:56:05.143Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38234 (GCVE-0-2025-38234)
Vulnerability from cvelistv5
Published
2025-07-04 13:37
Modified
2026-02-12 08:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
sched/rt: Fix race in push_rt_task
Overview
========
When a CPU chooses to call push_rt_task and picks a task to push to
another CPU's runqueue then it will call find_lock_lowest_rq method
which would take a double lock on both CPUs' runqueues. If one of the
locks aren't readily available, it may lead to dropping the current
runqueue lock and reacquiring both the locks at once. During this window
it is possible that the task is already migrated and is running on some
other CPU. These cases are already handled. However, if the task is
migrated and has already been executed and another CPU is now trying to
wake it up (ttwu) such that it is queued again on the runqeue
(on_rq is 1) and also if the task was run by the same CPU, then the
current checks will pass even though the task was migrated out and is no
longer in the pushable tasks list.
Crashes
=======
This bug resulted in quite a few flavors of crashes triggering kernel
panics with various crash signatures such as assert failures, page
faults, null pointer dereferences, and queue corruption errors all
coming from scheduler itself.
Some of the crashes:
-> kernel BUG at kernel/sched/rt.c:1616! BUG_ON(idx >= MAX_RT_PRIO)
Call Trace:
? __die_body+0x1a/0x60
? die+0x2a/0x50
? do_trap+0x85/0x100
? pick_next_task_rt+0x6e/0x1d0
? do_error_trap+0x64/0xa0
? pick_next_task_rt+0x6e/0x1d0
? exc_invalid_op+0x4c/0x60
? pick_next_task_rt+0x6e/0x1d0
? asm_exc_invalid_op+0x12/0x20
? pick_next_task_rt+0x6e/0x1d0
__schedule+0x5cb/0x790
? update_ts_time_stats+0x55/0x70
schedule_idle+0x1e/0x40
do_idle+0x15e/0x200
cpu_startup_entry+0x19/0x20
start_secondary+0x117/0x160
secondary_startup_64_no_verify+0xb0/0xbb
-> BUG: kernel NULL pointer dereference, address: 00000000000000c0
Call Trace:
? __die_body+0x1a/0x60
? no_context+0x183/0x350
? __warn+0x8a/0xe0
? exc_page_fault+0x3d6/0x520
? asm_exc_page_fault+0x1e/0x30
? pick_next_task_rt+0xb5/0x1d0
? pick_next_task_rt+0x8c/0x1d0
__schedule+0x583/0x7e0
? update_ts_time_stats+0x55/0x70
schedule_idle+0x1e/0x40
do_idle+0x15e/0x200
cpu_startup_entry+0x19/0x20
start_secondary+0x117/0x160
secondary_startup_64_no_verify+0xb0/0xbb
-> BUG: unable to handle page fault for address: ffff9464daea5900
kernel BUG at kernel/sched/rt.c:1861! BUG_ON(rq->cpu != task_cpu(p))
-> kernel BUG at kernel/sched/rt.c:1055! BUG_ON(!rq->nr_running)
Call Trace:
? __die_body+0x1a/0x60
? die+0x2a/0x50
? do_trap+0x85/0x100
? dequeue_top_rt_rq+0xa2/0xb0
? do_error_trap+0x64/0xa0
? dequeue_top_rt_rq+0xa2/0xb0
? exc_invalid_op+0x4c/0x60
? dequeue_top_rt_rq+0xa2/0xb0
? asm_exc_invalid_op+0x12/0x20
? dequeue_top_rt_rq+0xa2/0xb0
dequeue_rt_entity+0x1f/0x70
dequeue_task_rt+0x2d/0x70
__schedule+0x1a8/0x7e0
? blk_finish_plug+0x25/0x40
schedule+0x3c/0xb0
futex_wait_queue_me+0xb6/0x120
futex_wait+0xd9/0x240
do_futex+0x344/0xa90
? get_mm_exe_file+0x30/0x60
? audit_exe_compare+0x58/0x70
? audit_filter_rules.constprop.26+0x65e/0x1220
__x64_sys_futex+0x148/0x1f0
do_syscall_64+0x30/0x80
entry_SYSCALL_64_after_hwframe+0x62/0xc7
-> BUG: unable to handle page fault for address: ffff8cf3608bc2c0
Call Trace:
? __die_body+0x1a/0x60
? no_context+0x183/0x350
? spurious_kernel_fault+0x171/0x1c0
? exc_page_fault+0x3b6/0x520
? plist_check_list+0x15/0x40
? plist_check_list+0x2e/0x40
? asm_exc_page_fault+0x1e/0x30
? _cond_resched+0x15/0x30
? futex_wait_queue_me+0xc8/0x120
? futex_wait+0xd9/0x240
? try_to_wake_up+0x1b8/0x490
? futex_wake+0x78/0x160
? do_futex+0xcd/0xa90
? plist_check_list+0x15/0x40
? plist_check_list+0x2e/0x40
? plist_del+0x6a/0xd0
? plist_check_list+0x15/0x40
? plist_check_list+0x2e/0x40
? dequeue_pushable_task+0x20/0x70
? __schedule+0x382/0x7e0
? asm_sysvec_reschedule_i
---truncated---
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/sched/rt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9f6022b2573ae068793810db719e131df3ded405",
"status": "affected",
"version": "e8fa136262e1121288bb93befe2295928ffd240d",
"versionType": "git"
},
{
"lessThan": "debfbc047196df1f6bfd52f2d028c21dce67f0de",
"status": "affected",
"version": "e8fa136262e1121288bb93befe2295928ffd240d",
"versionType": "git"
},
{
"lessThan": "07ecabfbca64f4f0b6071cf96e49d162fa9d138d",
"status": "affected",
"version": "e8fa136262e1121288bb93befe2295928ffd240d",
"versionType": "git"
},
{
"lessThan": "690e47d1403e90b7f2366f03b52ed3304194c793",
"status": "affected",
"version": "e8fa136262e1121288bb93befe2295928ffd240d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/sched/rt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.25"
},
{
"lessThan": "2.6.25",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.4",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "2.6.25",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/rt: Fix race in push_rt_task\n\nOverview\n========\nWhen a CPU chooses to call push_rt_task and picks a task to push to\nanother CPU\u0027s runqueue then it will call find_lock_lowest_rq method\nwhich would take a double lock on both CPUs\u0027 runqueues. If one of the\nlocks aren\u0027t readily available, it may lead to dropping the current\nrunqueue lock and reacquiring both the locks at once. During this window\nit is possible that the task is already migrated and is running on some\nother CPU. These cases are already handled. However, if the task is\nmigrated and has already been executed and another CPU is now trying to\nwake it up (ttwu) such that it is queued again on the runqeue\n(on_rq is 1) and also if the task was run by the same CPU, then the\ncurrent checks will pass even though the task was migrated out and is no\nlonger in the pushable tasks list.\n\nCrashes\n=======\nThis bug resulted in quite a few flavors of crashes triggering kernel\npanics with various crash signatures such as assert failures, page\nfaults, null pointer dereferences, and queue corruption errors all\ncoming from scheduler itself.\n\nSome of the crashes:\n-\u003e kernel BUG at kernel/sched/rt.c:1616! BUG_ON(idx \u003e= MAX_RT_PRIO)\n Call Trace:\n ? __die_body+0x1a/0x60\n ? die+0x2a/0x50\n ? do_trap+0x85/0x100\n ? pick_next_task_rt+0x6e/0x1d0\n ? do_error_trap+0x64/0xa0\n ? pick_next_task_rt+0x6e/0x1d0\n ? exc_invalid_op+0x4c/0x60\n ? pick_next_task_rt+0x6e/0x1d0\n ? asm_exc_invalid_op+0x12/0x20\n ? pick_next_task_rt+0x6e/0x1d0\n __schedule+0x5cb/0x790\n ? update_ts_time_stats+0x55/0x70\n schedule_idle+0x1e/0x40\n do_idle+0x15e/0x200\n cpu_startup_entry+0x19/0x20\n start_secondary+0x117/0x160\n secondary_startup_64_no_verify+0xb0/0xbb\n\n-\u003e BUG: kernel NULL pointer dereference, address: 00000000000000c0\n Call Trace:\n ? __die_body+0x1a/0x60\n ? no_context+0x183/0x350\n ? __warn+0x8a/0xe0\n ? exc_page_fault+0x3d6/0x520\n ? asm_exc_page_fault+0x1e/0x30\n ? pick_next_task_rt+0xb5/0x1d0\n ? pick_next_task_rt+0x8c/0x1d0\n __schedule+0x583/0x7e0\n ? update_ts_time_stats+0x55/0x70\n schedule_idle+0x1e/0x40\n do_idle+0x15e/0x200\n cpu_startup_entry+0x19/0x20\n start_secondary+0x117/0x160\n secondary_startup_64_no_verify+0xb0/0xbb\n\n-\u003e BUG: unable to handle page fault for address: ffff9464daea5900\n kernel BUG at kernel/sched/rt.c:1861! BUG_ON(rq-\u003ecpu != task_cpu(p))\n\n-\u003e kernel BUG at kernel/sched/rt.c:1055! BUG_ON(!rq-\u003enr_running)\n Call Trace:\n ? __die_body+0x1a/0x60\n ? die+0x2a/0x50\n ? do_trap+0x85/0x100\n ? dequeue_top_rt_rq+0xa2/0xb0\n ? do_error_trap+0x64/0xa0\n ? dequeue_top_rt_rq+0xa2/0xb0\n ? exc_invalid_op+0x4c/0x60\n ? dequeue_top_rt_rq+0xa2/0xb0\n ? asm_exc_invalid_op+0x12/0x20\n ? dequeue_top_rt_rq+0xa2/0xb0\n dequeue_rt_entity+0x1f/0x70\n dequeue_task_rt+0x2d/0x70\n __schedule+0x1a8/0x7e0\n ? blk_finish_plug+0x25/0x40\n schedule+0x3c/0xb0\n futex_wait_queue_me+0xb6/0x120\n futex_wait+0xd9/0x240\n do_futex+0x344/0xa90\n ? get_mm_exe_file+0x30/0x60\n ? audit_exe_compare+0x58/0x70\n ? audit_filter_rules.constprop.26+0x65e/0x1220\n __x64_sys_futex+0x148/0x1f0\n do_syscall_64+0x30/0x80\n entry_SYSCALL_64_after_hwframe+0x62/0xc7\n\n-\u003e BUG: unable to handle page fault for address: ffff8cf3608bc2c0\n Call Trace:\n ? __die_body+0x1a/0x60\n ? no_context+0x183/0x350\n ? spurious_kernel_fault+0x171/0x1c0\n ? exc_page_fault+0x3b6/0x520\n ? plist_check_list+0x15/0x40\n ? plist_check_list+0x2e/0x40\n ? asm_exc_page_fault+0x1e/0x30\n ? _cond_resched+0x15/0x30\n ? futex_wait_queue_me+0xc8/0x120\n ? futex_wait+0xd9/0x240\n ? try_to_wake_up+0x1b8/0x490\n ? futex_wake+0x78/0x160\n ? do_futex+0xcd/0xa90\n ? plist_check_list+0x15/0x40\n ? plist_check_list+0x2e/0x40\n ? plist_del+0x6a/0xd0\n ? plist_check_list+0x15/0x40\n ? plist_check_list+0x2e/0x40\n ? dequeue_pushable_task+0x20/0x70\n ? __schedule+0x382/0x7e0\n ? asm_sysvec_reschedule_i\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-12T08:19:23.791Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9f6022b2573ae068793810db719e131df3ded405"
},
{
"url": "https://git.kernel.org/stable/c/debfbc047196df1f6bfd52f2d028c21dce67f0de"
},
{
"url": "https://git.kernel.org/stable/c/07ecabfbca64f4f0b6071cf96e49d162fa9d138d"
},
{
"url": "https://git.kernel.org/stable/c/690e47d1403e90b7f2366f03b52ed3304194c793"
}
],
"title": "sched/rt: Fix race in push_rt_task",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38234",
"datePublished": "2025-07-04T13:37:46.960Z",
"dateReserved": "2025-04-16T04:51:23.996Z",
"dateUpdated": "2026-02-12T08:19:23.791Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68767 (GCVE-0-2025-68767)
Vulnerability from cvelistv5
Published
2026-01-13 15:28
Modified
2026-02-09 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
hfsplus: Verify inode mode when loading from disk
syzbot is reporting that S_IFMT bits of inode->i_mode can become bogus when
the S_IFMT bits of the 16bits "mode" field loaded from disk are corrupted.
According to [1], the permissions field was treated as reserved in Mac OS
8 and 9. According to [2], the reserved field was explicitly initialized
with 0, and that field must remain 0 as long as reserved. Therefore, when
the "mode" field is not 0 (i.e. no longer reserved), the file must be
S_IFDIR if dir == 1, and the file must be one of S_IFREG/S_IFLNK/S_IFCHR/
S_IFBLK/S_IFIFO/S_IFSOCK if dir == 0.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/hfsplus/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6f768724aabd5b321c5b8f15acdca11e4781cf32",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d92333c7a35856e419500e7eed72dac1afa404a5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "001f44982587ad462b3002ee40c75e8df67d597d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "05ec9af3cc430683c97f76027e1c55ac6fd25c59",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "edfb2e602b5ba5ca6bf31cbac20b366efb72b156",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "91f114bffa36ce56d0e1f60a0a44fc09baaefc79",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "005d4b0d33f6b4a23d382b7930f7a96b95b01f39",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/hfsplus/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: Verify inode mode when loading from disk\n\nsyzbot is reporting that S_IFMT bits of inode-\u003ei_mode can become bogus when\nthe S_IFMT bits of the 16bits \"mode\" field loaded from disk are corrupted.\n\nAccording to [1], the permissions field was treated as reserved in Mac OS\n8 and 9. According to [2], the reserved field was explicitly initialized\nwith 0, and that field must remain 0 as long as reserved. Therefore, when\nthe \"mode\" field is not 0 (i.e. no longer reserved), the file must be\nS_IFDIR if dir == 1, and the file must be one of S_IFREG/S_IFLNK/S_IFCHR/\nS_IFBLK/S_IFIFO/S_IFSOCK if dir == 0."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:12.139Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6f768724aabd5b321c5b8f15acdca11e4781cf32"
},
{
"url": "https://git.kernel.org/stable/c/d92333c7a35856e419500e7eed72dac1afa404a5"
},
{
"url": "https://git.kernel.org/stable/c/001f44982587ad462b3002ee40c75e8df67d597d"
},
{
"url": "https://git.kernel.org/stable/c/05ec9af3cc430683c97f76027e1c55ac6fd25c59"
},
{
"url": "https://git.kernel.org/stable/c/edfb2e602b5ba5ca6bf31cbac20b366efb72b156"
},
{
"url": "https://git.kernel.org/stable/c/91f114bffa36ce56d0e1f60a0a44fc09baaefc79"
},
{
"url": "https://git.kernel.org/stable/c/005d4b0d33f6b4a23d382b7930f7a96b95b01f39"
}
],
"title": "hfsplus: Verify inode mode when loading from disk",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68767",
"datePublished": "2026-01-13T15:28:46.382Z",
"dateReserved": "2025-12-24T10:30:51.034Z",
"dateUpdated": "2026-02-09T08:33:12.139Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23074 (GCVE-0-2026-23074)
Vulnerability from cvelistv5
Published
2026-02-04 16:07
Modified
2026-04-03 13:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: Enforce that teql can only be used as root qdisc
Design intent of teql is that it is only supposed to be used as root qdisc.
We need to check for that constraint.
Although not important, I will describe the scenario that unearthed this
issue for the curious.
GangMin Kim <km.kim1503@gmail.com> managed to concot a scenario as follows:
ROOT qdisc 1:0 (QFQ)
├── class 1:1 (weight=15, lmax=16384) netem with delay 6.4s
└── class 1:2 (weight=1, lmax=1514) teql
GangMin sends a packet which is enqueued to 1:1 (netem).
Any invocation of dequeue by QFQ from this class will not return a packet
until after 6.4s. In the meantime, a second packet is sent and it lands on
1:2. teql's enqueue will return success and this will activate class 1:2.
Main issue is that teql only updates the parent visible qlen (sch->q.qlen)
at dequeue. Since QFQ will only call dequeue if peek succeeds (and teql's
peek always returns NULL), dequeue will never be called and thus the qlen
will remain as 0. With that in mind, when GangMin updates 1:2's lmax value,
the qfq_change_class calls qfq_deact_rm_from_agg. Since the child qdisc's
qlen was not incremented, qfq fails to deactivate the class, but still
frees its pointers from the aggregate. So when the first packet is
rescheduled after 6.4 seconds (netem's delay), a dangling pointer is
accessed causing GangMin's causing a UAF.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_teql.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "73d970ff0eddd874a84c953387c7f4464b705fc6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ae810e6a8ac4fe25042e6825d2a401207a2e41fb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "dad49a67c2d817bfec98e6e45121b351e3a0202c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0686bedfed34155520f3f735cbf3210cb9044380",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4c7e8aa71c9232cba84c289b4b56cba80b280841",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "16ed73c1282d376b956bff23e5139add061767ba",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "50da4b9d07a7a463e2cfb738f3ad4cff6b2c9c3b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_teql.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: Enforce that teql can only be used as root qdisc\n\nDesign intent of teql is that it is only supposed to be used as root qdisc.\nWe need to check for that constraint.\n\nAlthough not important, I will describe the scenario that unearthed this\nissue for the curious.\n\nGangMin Kim \u003ckm.kim1503@gmail.com\u003e managed to concot a scenario as follows:\n\nROOT qdisc 1:0 (QFQ)\n \u251c\u2500\u2500 class 1:1 (weight=15, lmax=16384) netem with delay 6.4s\n \u2514\u2500\u2500 class 1:2 (weight=1, lmax=1514) teql\n\nGangMin sends a packet which is enqueued to 1:1 (netem).\nAny invocation of dequeue by QFQ from this class will not return a packet\nuntil after 6.4s. In the meantime, a second packet is sent and it lands on\n1:2. teql\u0027s enqueue will return success and this will activate class 1:2.\nMain issue is that teql only updates the parent visible qlen (sch-\u003eq.qlen)\nat dequeue. Since QFQ will only call dequeue if peek succeeds (and teql\u0027s\npeek always returns NULL), dequeue will never be called and thus the qlen\nwill remain as 0. With that in mind, when GangMin updates 1:2\u0027s lmax value,\nthe qfq_change_class calls qfq_deact_rm_from_agg. Since the child qdisc\u0027s\nqlen was not incremented, qfq fails to deactivate the class, but still\nfrees its pointers from the aggregate. So when the first packet is\nrescheduled after 6.4 seconds (netem\u0027s delay), a dangling pointer is\naccessed causing GangMin\u0027s causing a UAF."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T13:31:52.228Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/73d970ff0eddd874a84c953387c7f4464b705fc6"
},
{
"url": "https://git.kernel.org/stable/c/ae810e6a8ac4fe25042e6825d2a401207a2e41fb"
},
{
"url": "https://git.kernel.org/stable/c/dad49a67c2d817bfec98e6e45121b351e3a0202c"
},
{
"url": "https://git.kernel.org/stable/c/0686bedfed34155520f3f735cbf3210cb9044380"
},
{
"url": "https://git.kernel.org/stable/c/4c7e8aa71c9232cba84c289b4b56cba80b280841"
},
{
"url": "https://git.kernel.org/stable/c/16ed73c1282d376b956bff23e5139add061767ba"
},
{
"url": "https://git.kernel.org/stable/c/50da4b9d07a7a463e2cfb738f3ad4cff6b2c9c3b"
}
],
"title": "net/sched: Enforce that teql can only be used as root qdisc",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23074",
"datePublished": "2026-02-04T16:07:59.379Z",
"dateReserved": "2026-01-13T15:37:45.958Z",
"dateUpdated": "2026-04-03T13:31:52.228Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40219 (GCVE-0-2025-40219)
Vulnerability from cvelistv5
Published
2025-12-04 14:50
Modified
2026-04-13 06:02
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
PCI/IOV: Fix race between SR-IOV enable/disable and hotplug
Commit 05703271c3cd ("PCI/IOV: Add PCI rescan-remove locking when
enabling/disabling SR-IOV") tried to fix a race between the VF removal
inside sriov_del_vfs() and concurrent hot unplug by taking the PCI
rescan/remove lock in sriov_del_vfs(). Similarly the PCI rescan/remove lock
was also taken in sriov_add_vfs() to protect addition of VFs.
This approach however causes deadlock on trying to remove PFs with SR-IOV
enabled because PFs disable SR-IOV during removal and this removal happens
under the PCI rescan/remove lock. So the original fix had to be reverted.
Instead of taking the PCI rescan/remove lock in sriov_add_vfs() and
sriov_del_vfs(), fix the race that occurs with SR-IOV enable and disable vs
hotplug higher up in the callchain by taking the lock in
sriov_numvfs_store() before calling into the driver's sriov_configure()
callback.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 18f9e9d150fccfa747875df6f0a9f606740762b3 Version: 18f9e9d150fccfa747875df6f0a9f606740762b3 Version: 18f9e9d150fccfa747875df6f0a9f606740762b3 Version: 18f9e9d150fccfa747875df6f0a9f606740762b3 Version: 18f9e9d150fccfa747875df6f0a9f606740762b3 Version: 18f9e9d150fccfa747875df6f0a9f606740762b3 Version: 18f9e9d150fccfa747875df6f0a9f606740762b3 Version: 18f9e9d150fccfa747875df6f0a9f606740762b3 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pci/iov.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3cddde484471c602bea04e6f384819d336a1ff84",
"status": "affected",
"version": "18f9e9d150fccfa747875df6f0a9f606740762b3",
"versionType": "git"
},
{
"lessThan": "d7673ac466eca37ec3e6b7cc9ccdb06de3304e9b",
"status": "affected",
"version": "18f9e9d150fccfa747875df6f0a9f606740762b3",
"versionType": "git"
},
{
"lessThan": "7c37920c96b85ef4255a7acc795e99e63dd38d59",
"status": "affected",
"version": "18f9e9d150fccfa747875df6f0a9f606740762b3",
"versionType": "git"
},
{
"lessThan": "1047ca2d816994f31e1475e63e0c0b7825599747",
"status": "affected",
"version": "18f9e9d150fccfa747875df6f0a9f606740762b3",
"versionType": "git"
},
{
"lessThan": "97c18f074ff1c12d016a0753072a3afdfa0b9611",
"status": "affected",
"version": "18f9e9d150fccfa747875df6f0a9f606740762b3",
"versionType": "git"
},
{
"lessThan": "bea1d373098b22d7142da48750ce5526096425bc",
"status": "affected",
"version": "18f9e9d150fccfa747875df6f0a9f606740762b3",
"versionType": "git"
},
{
"lessThan": "f3015627b6e9ddf85cfeaf42405b3c194dde2c36",
"status": "affected",
"version": "18f9e9d150fccfa747875df6f0a9f606740762b3",
"versionType": "git"
},
{
"lessThan": "a5338e365c4559d7b4d7356116b0eb95b12e08d5",
"status": "affected",
"version": "18f9e9d150fccfa747875df6f0a9f606740762b3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pci/iov.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.0"
},
{
"lessThan": "5.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.252",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.202",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.252",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.202",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.165",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI/IOV: Fix race between SR-IOV enable/disable and hotplug\n\nCommit 05703271c3cd (\"PCI/IOV: Add PCI rescan-remove locking when\nenabling/disabling SR-IOV\") tried to fix a race between the VF removal\ninside sriov_del_vfs() and concurrent hot unplug by taking the PCI\nrescan/remove lock in sriov_del_vfs(). Similarly the PCI rescan/remove lock\nwas also taken in sriov_add_vfs() to protect addition of VFs.\n\nThis approach however causes deadlock on trying to remove PFs with SR-IOV\nenabled because PFs disable SR-IOV during removal and this removal happens\nunder the PCI rescan/remove lock. So the original fix had to be reverted.\n\nInstead of taking the PCI rescan/remove lock in sriov_add_vfs() and\nsriov_del_vfs(), fix the race that occurs with SR-IOV enable and disable vs\nhotplug higher up in the callchain by taking the lock in\nsriov_numvfs_store() before calling into the driver\u0027s sriov_configure()\ncallback."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T06:02:15.533Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3cddde484471c602bea04e6f384819d336a1ff84"
},
{
"url": "https://git.kernel.org/stable/c/d7673ac466eca37ec3e6b7cc9ccdb06de3304e9b"
},
{
"url": "https://git.kernel.org/stable/c/7c37920c96b85ef4255a7acc795e99e63dd38d59"
},
{
"url": "https://git.kernel.org/stable/c/1047ca2d816994f31e1475e63e0c0b7825599747"
},
{
"url": "https://git.kernel.org/stable/c/97c18f074ff1c12d016a0753072a3afdfa0b9611"
},
{
"url": "https://git.kernel.org/stable/c/bea1d373098b22d7142da48750ce5526096425bc"
},
{
"url": "https://git.kernel.org/stable/c/f3015627b6e9ddf85cfeaf42405b3c194dde2c36"
},
{
"url": "https://git.kernel.org/stable/c/a5338e365c4559d7b4d7356116b0eb95b12e08d5"
}
],
"title": "PCI/IOV: Fix race between SR-IOV enable/disable and hotplug",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40219",
"datePublished": "2025-12-04T14:50:42.996Z",
"dateReserved": "2025-04-16T07:20:57.179Z",
"dateUpdated": "2026-04-13T06:02:15.533Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71102 (GCVE-0-2025-71102)
Vulnerability from cvelistv5
Published
2026-01-14 15:05
Modified
2026-02-09 08:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scs: fix a wrong parameter in __scs_magic
__scs_magic() needs a 'void *' variable, but a 'struct task_struct *' is
given. 'task_scs(tsk)' is the starting address of the task's shadow call
stack, and '__scs_magic(task_scs(tsk))' is the end address of the task's
shadow call stack. Here should be '__scs_magic(task_scs(tsk))'.
The user-visible effect of this bug is that when CONFIG_DEBUG_STACK_USAGE
is enabled, the shadow call stack usage checking function
(scs_check_usage) would scan an incorrect memory range. This could lead
1. **Inaccurate stack usage reporting**: The function would calculate
wrong usage statistics for the shadow call stack, potentially showing
incorrect value in kmsg.
2. **Potential kernel crash**: If the value of __scs_magic(tsk)is
greater than that of __scs_magic(task_scs(tsk)), the for loop may
access unmapped memory, potentially causing a kernel panic. However,
this scenario is unlikely because task_struct is allocated via the slab
allocator (which typically returns lower addresses), while the shadow
call stack returned by task_scs(tsk) is allocated via vmalloc(which
typically returns higher addresses).
However, since this is purely a debugging feature
(CONFIG_DEBUG_STACK_USAGE), normal production systems should be not
unaffected. The bug only impacts developers and testers who are actively
debugging stack usage with this configuration enabled.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 5bbaf9d1fcb9be696ee9a61636ab6803556c70f2 Version: 5bbaf9d1fcb9be696ee9a61636ab6803556c70f2 Version: 5bbaf9d1fcb9be696ee9a61636ab6803556c70f2 Version: 5bbaf9d1fcb9be696ee9a61636ab6803556c70f2 Version: 5bbaf9d1fcb9be696ee9a61636ab6803556c70f2 Version: 5bbaf9d1fcb9be696ee9a61636ab6803556c70f2 Version: 5bbaf9d1fcb9be696ee9a61636ab6803556c70f2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/scs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1727e8bd69103a68963a5613a0ddb6d8d37df5d3",
"status": "affected",
"version": "5bbaf9d1fcb9be696ee9a61636ab6803556c70f2",
"versionType": "git"
},
{
"lessThan": "cfdf6250b63b953b1d8e60814c8ca96c6f9d1c8c",
"status": "affected",
"version": "5bbaf9d1fcb9be696ee9a61636ab6803556c70f2",
"versionType": "git"
},
{
"lessThan": "57ba40b001be27786d0570dd292289df748b306b",
"status": "affected",
"version": "5bbaf9d1fcb9be696ee9a61636ab6803556c70f2",
"versionType": "git"
},
{
"lessThan": "062774439d442882b44f5eab8c256ad3423ef284",
"status": "affected",
"version": "5bbaf9d1fcb9be696ee9a61636ab6803556c70f2",
"versionType": "git"
},
{
"lessThan": "9ef28943471a16e4f9646bc3e8e2de148e7d8d7b",
"status": "affected",
"version": "5bbaf9d1fcb9be696ee9a61636ab6803556c70f2",
"versionType": "git"
},
{
"lessThan": "a19fb3611e4c06624fc0f83ef19f4fb8d57d4751",
"status": "affected",
"version": "5bbaf9d1fcb9be696ee9a61636ab6803556c70f2",
"versionType": "git"
},
{
"lessThan": "08bd4c46d5e63b78e77f2605283874bbe868ab19",
"status": "affected",
"version": "5bbaf9d1fcb9be696ee9a61636ab6803556c70f2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/scs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscs: fix a wrong parameter in __scs_magic\n\n__scs_magic() needs a \u0027void *\u0027 variable, but a \u0027struct task_struct *\u0027 is\ngiven. \u0027task_scs(tsk)\u0027 is the starting address of the task\u0027s shadow call\nstack, and \u0027__scs_magic(task_scs(tsk))\u0027 is the end address of the task\u0027s\nshadow call stack. Here should be \u0027__scs_magic(task_scs(tsk))\u0027.\n\nThe user-visible effect of this bug is that when CONFIG_DEBUG_STACK_USAGE\nis enabled, the shadow call stack usage checking function\n(scs_check_usage) would scan an incorrect memory range. This could lead\n\n1. **Inaccurate stack usage reporting**: The function would calculate\n wrong usage statistics for the shadow call stack, potentially showing\n incorrect value in kmsg.\n\n2. **Potential kernel crash**: If the value of __scs_magic(tsk)is\n greater than that of __scs_magic(task_scs(tsk)), the for loop may\n access unmapped memory, potentially causing a kernel panic. However,\n this scenario is unlikely because task_struct is allocated via the slab\n allocator (which typically returns lower addresses), while the shadow\n call stack returned by task_scs(tsk) is allocated via vmalloc(which\n typically returns higher addresses).\n\nHowever, since this is purely a debugging feature\n(CONFIG_DEBUG_STACK_USAGE), normal production systems should be not\nunaffected. The bug only impacts developers and testers who are actively\ndebugging stack usage with this configuration enabled."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:55.111Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1727e8bd69103a68963a5613a0ddb6d8d37df5d3"
},
{
"url": "https://git.kernel.org/stable/c/cfdf6250b63b953b1d8e60814c8ca96c6f9d1c8c"
},
{
"url": "https://git.kernel.org/stable/c/57ba40b001be27786d0570dd292289df748b306b"
},
{
"url": "https://git.kernel.org/stable/c/062774439d442882b44f5eab8c256ad3423ef284"
},
{
"url": "https://git.kernel.org/stable/c/9ef28943471a16e4f9646bc3e8e2de148e7d8d7b"
},
{
"url": "https://git.kernel.org/stable/c/a19fb3611e4c06624fc0f83ef19f4fb8d57d4751"
},
{
"url": "https://git.kernel.org/stable/c/08bd4c46d5e63b78e77f2605283874bbe868ab19"
}
],
"title": "scs: fix a wrong parameter in __scs_magic",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71102",
"datePublished": "2026-01-14T15:05:52.389Z",
"dateReserved": "2026-01-13T15:30:19.651Z",
"dateUpdated": "2026-02-09T08:34:55.111Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40053 (GCVE-0-2025-40053)
Vulnerability from cvelistv5
Published
2025-10-28 11:48
Modified
2025-12-01 06:17
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: dlink: handle copy_thresh allocation failure
The driver did not handle failure of `netdev_alloc_skb_ip_align()`.
If the allocation failed, dereferencing `skb->protocol` could lead to
a NULL pointer dereference.
This patch tries to allocate `skb`. If the allocation fails, it falls
back to the normal path.
Tested-on: D-Link DGE-550T Rev-A3
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/dlink/dl2k.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "84fd710a704f3d53d4120e452e86cea558cf73a8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5aa9b885602811a026a3f45c92ea2b4b04c54f09",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9d49e4b14609e1a20d931e718962c4b6b5485174",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ea87151df398d407a632c7bf63013290f01c5009",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7ed5010fef0930f4322d620052edc854ef3ec41f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fd7b6b2c920d7fd370a612be416a904d6e1ebe55",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8169a6011c5fecc6cb1c3654c541c567d3318de8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/dlink/dl2k.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dlink: handle copy_thresh allocation failure\n\nThe driver did not handle failure of `netdev_alloc_skb_ip_align()`.\nIf the allocation failed, dereferencing `skb-\u003eprotocol` could lead to\na NULL pointer dereference.\n\nThis patch tries to allocate `skb`. If the allocation fails, it falls\nback to the normal path.\n\nTested-on: D-Link DGE-550T Rev-A3"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:17:00.436Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/84fd710a704f3d53d4120e452e86cea558cf73a8"
},
{
"url": "https://git.kernel.org/stable/c/5aa9b885602811a026a3f45c92ea2b4b04c54f09"
},
{
"url": "https://git.kernel.org/stable/c/9d49e4b14609e1a20d931e718962c4b6b5485174"
},
{
"url": "https://git.kernel.org/stable/c/ea87151df398d407a632c7bf63013290f01c5009"
},
{
"url": "https://git.kernel.org/stable/c/7ed5010fef0930f4322d620052edc854ef3ec41f"
},
{
"url": "https://git.kernel.org/stable/c/fd7b6b2c920d7fd370a612be416a904d6e1ebe55"
},
{
"url": "https://git.kernel.org/stable/c/8169a6011c5fecc6cb1c3654c541c567d3318de8"
}
],
"title": "net: dlink: handle copy_thresh allocation failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40053",
"datePublished": "2025-10-28T11:48:28.444Z",
"dateReserved": "2025-04-16T07:20:57.157Z",
"dateUpdated": "2025-12-01T06:17:00.436Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40094 (GCVE-0-2025-40094)
Vulnerability from cvelistv5
Published
2025-10-30 09:48
Modified
2025-12-01 06:17
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: f_acm: Refactor bind path to use __free()
After an bind/unbind cycle, the acm->notify_req is left stale. If a
subsequent bind fails, the unified error label attempts to free this
stale request, leading to a NULL pointer dereference when accessing
ep->ops->free_request.
Refactor the error handling in the bind path to use the __free()
automatic cleanup mechanism.
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020
Call trace:
usb_ep_free_request+0x2c/0xec
gs_free_req+0x30/0x44
acm_bind+0x1b8/0x1f4
usb_add_function+0xcc/0x1f0
configfs_composite_bind+0x468/0x588
gadget_bind_driver+0x104/0x270
really_probe+0x190/0x374
__driver_probe_device+0xa0/0x12c
driver_probe_device+0x3c/0x218
__device_attach_driver+0x14c/0x188
bus_for_each_drv+0x10c/0x168
__device_attach+0xfc/0x198
device_initial_probe+0x14/0x24
bus_probe_device+0x94/0x11c
device_add+0x268/0x48c
usb_add_gadget+0x198/0x28c
dwc3_gadget_init+0x700/0x858
__dwc3_set_mode+0x3cc/0x664
process_scheduled_works+0x1d8/0x488
worker_thread+0x244/0x334
kthread+0x114/0x1bc
ret_from_fork+0x10/0x20
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1f1ba11b64947051fc32aa15fcccef6463b433f7 Version: 1f1ba11b64947051fc32aa15fcccef6463b433f7 Version: 1f1ba11b64947051fc32aa15fcccef6463b433f7 Version: 1f1ba11b64947051fc32aa15fcccef6463b433f7 Version: 1f1ba11b64947051fc32aa15fcccef6463b433f7 Version: 1f1ba11b64947051fc32aa15fcccef6463b433f7 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/function/f_acm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c5d116862dd3ed162d079738a5ebddf9fceea850",
"status": "affected",
"version": "1f1ba11b64947051fc32aa15fcccef6463b433f7",
"versionType": "git"
},
{
"lessThan": "2b1546f7c5fc6c44555a8e7a2b34229d1dcd2175",
"status": "affected",
"version": "1f1ba11b64947051fc32aa15fcccef6463b433f7",
"versionType": "git"
},
{
"lessThan": "e348d18fb0124b662cfefb3001733b49da428215",
"status": "affected",
"version": "1f1ba11b64947051fc32aa15fcccef6463b433f7",
"versionType": "git"
},
{
"lessThan": "201a66d8e6630762e760e1d78f1d149da1691e7b",
"status": "affected",
"version": "1f1ba11b64947051fc32aa15fcccef6463b433f7",
"versionType": "git"
},
{
"lessThan": "c4301e4dd6b32faccb744f1c2320e64235b68d3b",
"status": "affected",
"version": "1f1ba11b64947051fc32aa15fcccef6463b433f7",
"versionType": "git"
},
{
"lessThan": "47b2116e54b4a854600341487e8b55249e926324",
"status": "affected",
"version": "1f1ba11b64947051fc32aa15fcccef6463b433f7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/function/f_acm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.27"
},
{
"lessThan": "2.6.27",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.196",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.114",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.196",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.114",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.55",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.5",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.27",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_acm: Refactor bind path to use __free()\n\nAfter an bind/unbind cycle, the acm-\u003enotify_req is left stale. If a\nsubsequent bind fails, the unified error label attempts to free this\nstale request, leading to a NULL pointer dereference when accessing\nep-\u003eops-\u003efree_request.\n\nRefactor the error handling in the bind path to use the __free()\nautomatic cleanup mechanism.\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000020\nCall trace:\n usb_ep_free_request+0x2c/0xec\n gs_free_req+0x30/0x44\n acm_bind+0x1b8/0x1f4\n usb_add_function+0xcc/0x1f0\n configfs_composite_bind+0x468/0x588\n gadget_bind_driver+0x104/0x270\n really_probe+0x190/0x374\n __driver_probe_device+0xa0/0x12c\n driver_probe_device+0x3c/0x218\n __device_attach_driver+0x14c/0x188\n bus_for_each_drv+0x10c/0x168\n __device_attach+0xfc/0x198\n device_initial_probe+0x14/0x24\n bus_probe_device+0x94/0x11c\n device_add+0x268/0x48c\n usb_add_gadget+0x198/0x28c\n dwc3_gadget_init+0x700/0x858\n __dwc3_set_mode+0x3cc/0x664\n process_scheduled_works+0x1d8/0x488\n worker_thread+0x244/0x334\n kthread+0x114/0x1bc\n ret_from_fork+0x10/0x20"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:17:53.907Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c5d116862dd3ed162d079738a5ebddf9fceea850"
},
{
"url": "https://git.kernel.org/stable/c/2b1546f7c5fc6c44555a8e7a2b34229d1dcd2175"
},
{
"url": "https://git.kernel.org/stable/c/e348d18fb0124b662cfefb3001733b49da428215"
},
{
"url": "https://git.kernel.org/stable/c/201a66d8e6630762e760e1d78f1d149da1691e7b"
},
{
"url": "https://git.kernel.org/stable/c/c4301e4dd6b32faccb744f1c2320e64235b68d3b"
},
{
"url": "https://git.kernel.org/stable/c/47b2116e54b4a854600341487e8b55249e926324"
}
],
"title": "usb: gadget: f_acm: Refactor bind path to use __free()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40094",
"datePublished": "2025-10-30T09:48:02.446Z",
"dateReserved": "2025-04-16T07:20:57.163Z",
"dateUpdated": "2025-12-01T06:17:53.907Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71124 (GCVE-0-2025-71124)
Vulnerability from cvelistv5
Published
2026-01-14 15:06
Modified
2026-02-09 08:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/msm/a6xx: move preempt_prepare_postamble after error check
Move the call to preempt_prepare_postamble() after verifying that
preempt_postamble_ptr is valid. If preempt_postamble_ptr is NULL,
dereferencing it in preempt_prepare_postamble() would lead to a crash.
This change avoids calling the preparation function when the
postamble allocation has failed, preventing potential NULL pointer
dereference and ensuring proper error handling.
Patchwork: https://patchwork.freedesktop.org/patch/687659/
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/adreno/a6xx_preempt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2c46497eb148ec61909f4101b8443f3c4c2daaec",
"status": "affected",
"version": "50117cad0c50410cff0d43a1141a562b1347e7c5",
"versionType": "git"
},
{
"lessThan": "ef3b04091fd8bc737dc45312375df8625b8318e2",
"status": "affected",
"version": "50117cad0c50410cff0d43a1141a562b1347e7c5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/adreno/a6xx_preempt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.13"
},
{
"lessThan": "6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/a6xx: move preempt_prepare_postamble after error check\n\nMove the call to preempt_prepare_postamble() after verifying that\npreempt_postamble_ptr is valid. If preempt_postamble_ptr is NULL,\ndereferencing it in preempt_prepare_postamble() would lead to a crash.\n\nThis change avoids calling the preparation function when the\npostamble allocation has failed, preventing potential NULL pointer\ndereference and ensuring proper error handling.\n\nPatchwork: https://patchwork.freedesktop.org/patch/687659/"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:19.447Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2c46497eb148ec61909f4101b8443f3c4c2daaec"
},
{
"url": "https://git.kernel.org/stable/c/ef3b04091fd8bc737dc45312375df8625b8318e2"
}
],
"title": "drm/msm/a6xx: move preempt_prepare_postamble after error check",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71124",
"datePublished": "2026-01-14T15:06:09.927Z",
"dateReserved": "2026-01-13T15:30:19.654Z",
"dateUpdated": "2026-02-09T08:35:19.447Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23019 (GCVE-0-2026-23019)
Vulnerability from cvelistv5
Published
2026-01-31 11:39
Modified
2026-02-09 08:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: marvell: prestera: fix NULL dereference on devlink_alloc() failure
devlink_alloc() may return NULL on allocation failure, but
prestera_devlink_alloc() unconditionally calls devlink_priv() on
the returned pointer.
This leads to a NULL pointer dereference if devlink allocation fails.
Add a check for a NULL devlink pointer and return NULL early to avoid
the crash.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 34dd1710f5a3c9a7dc78e1ff6de69a19d407db25 Version: 34dd1710f5a3c9a7dc78e1ff6de69a19d407db25 Version: 34dd1710f5a3c9a7dc78e1ff6de69a19d407db25 Version: 34dd1710f5a3c9a7dc78e1ff6de69a19d407db25 Version: 34dd1710f5a3c9a7dc78e1ff6de69a19d407db25 Version: 34dd1710f5a3c9a7dc78e1ff6de69a19d407db25 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/marvell/prestera/prestera_devlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8a4333b2818f0d853b43e139936c20659366e4a0",
"status": "affected",
"version": "34dd1710f5a3c9a7dc78e1ff6de69a19d407db25",
"versionType": "git"
},
{
"lessThan": "325aea74be7e192b5c947c782da23b0d19a5fda2",
"status": "affected",
"version": "34dd1710f5a3c9a7dc78e1ff6de69a19d407db25",
"versionType": "git"
},
{
"lessThan": "94e070cd50790317fba7787ae6006934b7edcb6f",
"status": "affected",
"version": "34dd1710f5a3c9a7dc78e1ff6de69a19d407db25",
"versionType": "git"
},
{
"lessThan": "3950054c9512add0cc79ab7e72b6d2f9f675e25b",
"status": "affected",
"version": "34dd1710f5a3c9a7dc78e1ff6de69a19d407db25",
"versionType": "git"
},
{
"lessThan": "326a4b7e61d01db3507f71c8bb5e85362f607064",
"status": "affected",
"version": "34dd1710f5a3c9a7dc78e1ff6de69a19d407db25",
"versionType": "git"
},
{
"lessThan": "a428e0da1248c353557970848994f35fd3f005e2",
"status": "affected",
"version": "34dd1710f5a3c9a7dc78e1ff6de69a19d407db25",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/marvell/prestera/prestera_devlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: marvell: prestera: fix NULL dereference on devlink_alloc() failure\n\ndevlink_alloc() may return NULL on allocation failure, but\nprestera_devlink_alloc() unconditionally calls devlink_priv() on\nthe returned pointer.\n\nThis leads to a NULL pointer dereference if devlink allocation fails.\nAdd a check for a NULL devlink pointer and return NULL early to avoid\nthe crash."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:37:12.887Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8a4333b2818f0d853b43e139936c20659366e4a0"
},
{
"url": "https://git.kernel.org/stable/c/325aea74be7e192b5c947c782da23b0d19a5fda2"
},
{
"url": "https://git.kernel.org/stable/c/94e070cd50790317fba7787ae6006934b7edcb6f"
},
{
"url": "https://git.kernel.org/stable/c/3950054c9512add0cc79ab7e72b6d2f9f675e25b"
},
{
"url": "https://git.kernel.org/stable/c/326a4b7e61d01db3507f71c8bb5e85362f607064"
},
{
"url": "https://git.kernel.org/stable/c/a428e0da1248c353557970848994f35fd3f005e2"
}
],
"title": "net: marvell: prestera: fix NULL dereference on devlink_alloc() failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23019",
"datePublished": "2026-01-31T11:39:03.179Z",
"dateReserved": "2026-01-13T15:37:45.940Z",
"dateUpdated": "2026-02-09T08:37:12.887Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23037 (GCVE-0-2026-23037)
Vulnerability from cvelistv5
Published
2026-01-31 11:42
Modified
2026-02-09 08:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: etas_es58x: allow partial RX URB allocation to succeed
When es58x_alloc_rx_urbs() fails to allocate the requested number of
URBs but succeeds in allocating some, it returns an error code.
This causes es58x_open() to return early, skipping the cleanup label
'free_urbs', which leads to the anchored URBs being leaked.
As pointed out by maintainer Vincent Mailhol, the driver is designed
to handle partial URB allocation gracefully. Therefore, partial
allocation should not be treated as a fatal error.
Modify es58x_alloc_rx_urbs() to return 0 if at least one URB has been
allocated, restoring the intended behavior and preventing the leak
in es58x_open().
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 8537257874e949a59c834cecfd5a063e11b64b0b Version: 8537257874e949a59c834cecfd5a063e11b64b0b Version: 8537257874e949a59c834cecfd5a063e11b64b0b Version: 8537257874e949a59c834cecfd5a063e11b64b0b Version: 8537257874e949a59c834cecfd5a063e11b64b0b Version: 8537257874e949a59c834cecfd5a063e11b64b0b |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/etas_es58x/es58x_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "97250eb05e4b6afe787290e8fd97d0675116c61b",
"status": "affected",
"version": "8537257874e949a59c834cecfd5a063e11b64b0b",
"versionType": "git"
},
{
"lessThan": "aec888f44853584b5a7cd01249806030cf94a73d",
"status": "affected",
"version": "8537257874e949a59c834cecfd5a063e11b64b0b",
"versionType": "git"
},
{
"lessThan": "611e839d2d552416b498ed5593e10670f61fcd4d",
"status": "affected",
"version": "8537257874e949a59c834cecfd5a063e11b64b0b",
"versionType": "git"
},
{
"lessThan": "ba45e3d6b02c97dbb4578fbae7027fd66f3caa10",
"status": "affected",
"version": "8537257874e949a59c834cecfd5a063e11b64b0b",
"versionType": "git"
},
{
"lessThan": "6c5124a60989051799037834f0a1a4b428718157",
"status": "affected",
"version": "8537257874e949a59c834cecfd5a063e11b64b0b",
"versionType": "git"
},
{
"lessThan": "b1979778e98569c1e78c2c7f16bb24d76541ab00",
"status": "affected",
"version": "8537257874e949a59c834cecfd5a063e11b64b0b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/etas_es58x/es58x_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: etas_es58x: allow partial RX URB allocation to succeed\n\nWhen es58x_alloc_rx_urbs() fails to allocate the requested number of\nURBs but succeeds in allocating some, it returns an error code.\nThis causes es58x_open() to return early, skipping the cleanup label\n\u0027free_urbs\u0027, which leads to the anchored URBs being leaked.\n\nAs pointed out by maintainer Vincent Mailhol, the driver is designed\nto handle partial URB allocation gracefully. Therefore, partial\nallocation should not be treated as a fatal error.\n\nModify es58x_alloc_rx_urbs() to return 0 if at least one URB has been\nallocated, restoring the intended behavior and preventing the leak\nin es58x_open()."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:37:31.963Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/97250eb05e4b6afe787290e8fd97d0675116c61b"
},
{
"url": "https://git.kernel.org/stable/c/aec888f44853584b5a7cd01249806030cf94a73d"
},
{
"url": "https://git.kernel.org/stable/c/611e839d2d552416b498ed5593e10670f61fcd4d"
},
{
"url": "https://git.kernel.org/stable/c/ba45e3d6b02c97dbb4578fbae7027fd66f3caa10"
},
{
"url": "https://git.kernel.org/stable/c/6c5124a60989051799037834f0a1a4b428718157"
},
{
"url": "https://git.kernel.org/stable/c/b1979778e98569c1e78c2c7f16bb24d76541ab00"
}
],
"title": "can: etas_es58x: allow partial RX URB allocation to succeed",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23037",
"datePublished": "2026-01-31T11:42:31.689Z",
"dateReserved": "2026-01-13T15:37:45.943Z",
"dateUpdated": "2026-02-09T08:37:31.963Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23103 (GCVE-0-2026-23103)
Vulnerability from cvelistv5
Published
2026-02-04 16:08
Modified
2026-04-03 13:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipvlan: Make the addrs_lock be per port
Make the addrs_lock be per port, not per ipvlan dev.
Initial code seems to be written in the assumption,
that any address change must occur under RTNL.
But it is not so for the case of IPv6. So
1) Introduce per-port addrs_lock.
2) It was needed to fix places where it was forgotten
to take lock (ipvlan_open/ipvlan_close)
This appears to be a very minor problem though.
Since it's highly unlikely that ipvlan_add_addr() will
be called on 2 CPU simultaneously. But nevertheless,
this could cause:
1) False-negative of ipvlan_addr_busy(): one interface
iterated through all port->ipvlans + ipvlan->addrs
under some ipvlan spinlock, and another added IP
under its own lock. Though this is only possible
for IPv6, since looks like only ipvlan_addr6_event() can be
called without rtnl_lock.
2) Race since ipvlan_ht_addr_add(port) is called under
different ipvlan->addrs_lock locks
This should not affect performance, since add/remove IP
is a rare situation and spinlock is not taken on fast
paths.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 8230819494b3bf284ca7262ac5f877333147b937 Version: 8230819494b3bf284ca7262ac5f877333147b937 Version: 8230819494b3bf284ca7262ac5f877333147b937 Version: 8230819494b3bf284ca7262ac5f877333147b937 Version: 8230819494b3bf284ca7262ac5f877333147b937 Version: 8230819494b3bf284ca7262ac5f877333147b937 Version: 8230819494b3bf284ca7262ac5f877333147b937 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ipvlan/ipvlan.h",
"drivers/net/ipvlan/ipvlan_core.c",
"drivers/net/ipvlan/ipvlan_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3c149b662cbb202a450e81f938e702ba333864ad",
"status": "affected",
"version": "8230819494b3bf284ca7262ac5f877333147b937",
"versionType": "git"
},
{
"lessThan": "70feb16e3fbfb10b15de1396557c38e99f1ab8df",
"status": "affected",
"version": "8230819494b3bf284ca7262ac5f877333147b937",
"versionType": "git"
},
{
"lessThan": "88f83e6c9cdb46b8c8ddd0ba01393362963cf589",
"status": "affected",
"version": "8230819494b3bf284ca7262ac5f877333147b937",
"versionType": "git"
},
{
"lessThan": "04ba6de6eff61238e5397c14ac26a6578c7735a5",
"status": "affected",
"version": "8230819494b3bf284ca7262ac5f877333147b937",
"versionType": "git"
},
{
"lessThan": "1f300c10d92c547c3a7d978e1212ff52f18256ed",
"status": "affected",
"version": "8230819494b3bf284ca7262ac5f877333147b937",
"versionType": "git"
},
{
"lessThan": "6a81e2db096913d7e43aada1c350c1282e76db39",
"status": "affected",
"version": "8230819494b3bf284ca7262ac5f877333147b937",
"versionType": "git"
},
{
"lessThan": "d3ba32162488283c0a4c5bedd8817aec91748802",
"status": "affected",
"version": "8230819494b3bf284ca7262ac5f877333147b937",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ipvlan/ipvlan.h",
"drivers/net/ipvlan/ipvlan_core.c",
"drivers/net/ipvlan/ipvlan_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipvlan: Make the addrs_lock be per port\n\nMake the addrs_lock be per port, not per ipvlan dev.\n\nInitial code seems to be written in the assumption,\nthat any address change must occur under RTNL.\nBut it is not so for the case of IPv6. So\n\n1) Introduce per-port addrs_lock.\n\n2) It was needed to fix places where it was forgotten\nto take lock (ipvlan_open/ipvlan_close)\n\nThis appears to be a very minor problem though.\nSince it\u0027s highly unlikely that ipvlan_add_addr() will\nbe called on 2 CPU simultaneously. But nevertheless,\nthis could cause:\n\n1) False-negative of ipvlan_addr_busy(): one interface\niterated through all port-\u003eipvlans + ipvlan-\u003eaddrs\nunder some ipvlan spinlock, and another added IP\nunder its own lock. Though this is only possible\nfor IPv6, since looks like only ipvlan_addr6_event() can be\ncalled without rtnl_lock.\n\n2) Race since ipvlan_ht_addr_add(port) is called under\ndifferent ipvlan-\u003eaddrs_lock locks\n\nThis should not affect performance, since add/remove IP\nis a rare situation and spinlock is not taken on fast\npaths."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T13:31:56.806Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3c149b662cbb202a450e81f938e702ba333864ad"
},
{
"url": "https://git.kernel.org/stable/c/70feb16e3fbfb10b15de1396557c38e99f1ab8df"
},
{
"url": "https://git.kernel.org/stable/c/88f83e6c9cdb46b8c8ddd0ba01393362963cf589"
},
{
"url": "https://git.kernel.org/stable/c/04ba6de6eff61238e5397c14ac26a6578c7735a5"
},
{
"url": "https://git.kernel.org/stable/c/1f300c10d92c547c3a7d978e1212ff52f18256ed"
},
{
"url": "https://git.kernel.org/stable/c/6a81e2db096913d7e43aada1c350c1282e76db39"
},
{
"url": "https://git.kernel.org/stable/c/d3ba32162488283c0a4c5bedd8817aec91748802"
}
],
"title": "ipvlan: Make the addrs_lock be per port",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23103",
"datePublished": "2026-02-04T16:08:24.771Z",
"dateReserved": "2026-01-13T15:37:45.966Z",
"dateUpdated": "2026-04-03T13:31:56.806Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68238 (GCVE-0-2025-68238)
Vulnerability from cvelistv5
Published
2025-12-16 14:08
Modified
2025-12-16 14:08
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mtd: rawnand: cadence: fix DMA device NULL pointer dereference
The DMA device pointer `dma_dev` was being dereferenced before ensuring
that `cdns_ctrl->dmac` is properly initialized.
Move the assignment of `dma_dev` after successfully acquiring the DMA
channel to ensure the pointer is valid before use.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 0cae7c285f4771a9927ef592899234d307aea5d4 Version: 099a316518508be7c57de4134ef919b2dea948ce Version: e630d32162a8aab92d4aaebae0a8d93039257593 Version: ad9393467fbd788ac2b8a01e492e45ab1b68a1b1 Version: 0ce5416863965ddd86e066484a306867cf1e01a8 Version: d76d22b5096c5b05208fd982b153b3f182350b19 Version: d76d22b5096c5b05208fd982b153b3f182350b19 Version: a33c7492dcdf804b705b6c21018a481414d48038 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/mtd/nand/raw/cadence-nand-controller.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2178b0255eae108bb10e5e99658b28641bc06f43",
"status": "affected",
"version": "0cae7c285f4771a9927ef592899234d307aea5d4",
"versionType": "git"
},
{
"lessThan": "9c58c64ec41290c12490ca7e1df45013fbbb41fd",
"status": "affected",
"version": "099a316518508be7c57de4134ef919b2dea948ce",
"versionType": "git"
},
{
"lessThan": "e282a4fdf3c6ee842a720010a8b5f7d77bedd126",
"status": "affected",
"version": "e630d32162a8aab92d4aaebae0a8d93039257593",
"versionType": "git"
},
{
"lessThan": "b146e0b085d9d6bfe838e0a15481cba7d093c67f",
"status": "affected",
"version": "ad9393467fbd788ac2b8a01e492e45ab1b68a1b1",
"versionType": "git"
},
{
"lessThan": "0c635241a62f2f5da1b48bfffae226d1f86a76ef",
"status": "affected",
"version": "0ce5416863965ddd86e066484a306867cf1e01a8",
"versionType": "git"
},
{
"lessThan": "0c2a43cb43786011b48eeab6093db14888258c6b",
"status": "affected",
"version": "d76d22b5096c5b05208fd982b153b3f182350b19",
"versionType": "git"
},
{
"lessThan": "5c56bf214af85ca042bf97f8584aab2151035840",
"status": "affected",
"version": "d76d22b5096c5b05208fd982b153b3f182350b19",
"versionType": "git"
},
{
"status": "affected",
"version": "a33c7492dcdf804b705b6c21018a481414d48038",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/mtd/nand/raw/cadence-nand-controller.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.14"
},
{
"lessThan": "6.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.10.235",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.15.179",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "6.1.130",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "6.6.80",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "6.12.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.13.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: rawnand: cadence: fix DMA device NULL pointer dereference\n\nThe DMA device pointer `dma_dev` was being dereferenced before ensuring\nthat `cdns_ctrl-\u003edmac` is properly initialized.\n\nMove the assignment of `dma_dev` after successfully acquiring the DMA\nchannel to ensure the pointer is valid before use."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T14:08:31.672Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2178b0255eae108bb10e5e99658b28641bc06f43"
},
{
"url": "https://git.kernel.org/stable/c/9c58c64ec41290c12490ca7e1df45013fbbb41fd"
},
{
"url": "https://git.kernel.org/stable/c/e282a4fdf3c6ee842a720010a8b5f7d77bedd126"
},
{
"url": "https://git.kernel.org/stable/c/b146e0b085d9d6bfe838e0a15481cba7d093c67f"
},
{
"url": "https://git.kernel.org/stable/c/0c635241a62f2f5da1b48bfffae226d1f86a76ef"
},
{
"url": "https://git.kernel.org/stable/c/0c2a43cb43786011b48eeab6093db14888258c6b"
},
{
"url": "https://git.kernel.org/stable/c/5c56bf214af85ca042bf97f8584aab2151035840"
}
],
"title": "mtd: rawnand: cadence: fix DMA device NULL pointer dereference",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68238",
"datePublished": "2025-12-16T14:08:31.672Z",
"dateReserved": "2025-12-16T13:41:40.263Z",
"dateUpdated": "2025-12-16T14:08:31.672Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68378 (GCVE-0-2025-68378)
Vulnerability from cvelistv5
Published
2025-12-24 10:33
Modified
2026-02-09 08:32
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix stackmap overflow check in __bpf_get_stackid()
Syzkaller reported a KASAN slab-out-of-bounds write in __bpf_get_stackid()
when copying stack trace data. The issue occurs when the perf trace
contains more stack entries than the stack map bucket can hold,
leading to an out-of-bounds write in the bucket's data array.
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: ee2a098851bfbe8bcdd964c0121f4246f00ff41e Version: ee2a098851bfbe8bcdd964c0121f4246f00ff41e Version: ee2a098851bfbe8bcdd964c0121f4246f00ff41e Version: ee2a098851bfbe8bcdd964c0121f4246f00ff41e Version: 90805175a206f784b6a77f16f07b07f6803e286b Version: 398ac11f4425d1e52aaf0d05d4fc90524e1a5b5e Version: e750f78c4ed7cefbcefb9769b3b9e08033db39da Version: 6c4f243b58f5362e983386488b2d563764c567af |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/stackmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d1f424a77b6bd27b361737ed73df49a0158f1590",
"status": "affected",
"version": "ee2a098851bfbe8bcdd964c0121f4246f00ff41e",
"versionType": "git"
},
{
"lessThan": "2a008f6de163279deffd488c1deab081bce5667c",
"status": "affected",
"version": "ee2a098851bfbe8bcdd964c0121f4246f00ff41e",
"versionType": "git"
},
{
"lessThan": "4669a8db976c8cbd5427fe9945f12c5fa5168ff3",
"status": "affected",
"version": "ee2a098851bfbe8bcdd964c0121f4246f00ff41e",
"versionType": "git"
},
{
"lessThan": "23f852daa4bab4d579110e034e4d513f7d490846",
"status": "affected",
"version": "ee2a098851bfbe8bcdd964c0121f4246f00ff41e",
"versionType": "git"
},
{
"status": "affected",
"version": "90805175a206f784b6a77f16f07b07f6803e286b",
"versionType": "git"
},
{
"status": "affected",
"version": "398ac11f4425d1e52aaf0d05d4fc90524e1a5b5e",
"versionType": "git"
},
{
"status": "affected",
"version": "e750f78c4ed7cefbcefb9769b3b9e08033db39da",
"versionType": "git"
},
{
"status": "affected",
"version": "6c4f243b58f5362e983386488b2d563764c567af",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/stackmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.110",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.16.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.17.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix stackmap overflow check in __bpf_get_stackid()\n\nSyzkaller reported a KASAN slab-out-of-bounds write in __bpf_get_stackid()\nwhen copying stack trace data. The issue occurs when the perf trace\n contains more stack entries than the stack map bucket can hold,\n leading to an out-of-bounds write in the bucket\u0027s data array."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:32:16.792Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d1f424a77b6bd27b361737ed73df49a0158f1590"
},
{
"url": "https://git.kernel.org/stable/c/2a008f6de163279deffd488c1deab081bce5667c"
},
{
"url": "https://git.kernel.org/stable/c/4669a8db976c8cbd5427fe9945f12c5fa5168ff3"
},
{
"url": "https://git.kernel.org/stable/c/23f852daa4bab4d579110e034e4d513f7d490846"
}
],
"title": "bpf: Fix stackmap overflow check in __bpf_get_stackid()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68378",
"datePublished": "2025-12-24T10:33:06.859Z",
"dateReserved": "2025-12-16T14:48:05.311Z",
"dateUpdated": "2026-02-09T08:32:16.792Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71138 (GCVE-0-2025-71138)
Vulnerability from cvelistv5
Published
2026-01-14 15:07
Modified
2026-02-09 08:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/msm/dpu: Add missing NULL pointer check for pingpong interface
It is checked almost always in dpu_encoder_phys_wb_setup_ctl(), but in a
single place the check is missing.
Also use convenient locals instead of phys_enc->* where available.
Patchwork: https://patchwork.freedesktop.org/patch/693860/
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_wb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "678d1c86566dfbb247ba25482d37fddde6140cc9",
"status": "affected",
"version": "d7d0e73f7de33a2b9998b607707a3e944ef3b86d",
"versionType": "git"
},
{
"lessThan": "471baae774a30a04cf066907b60eaf3732928cb7",
"status": "affected",
"version": "d7d0e73f7de33a2b9998b607707a3e944ef3b86d",
"versionType": "git"
},
{
"lessThan": "35ea3282136a630a3fd92b76f5a3a02651145ef1",
"status": "affected",
"version": "d7d0e73f7de33a2b9998b607707a3e944ef3b86d",
"versionType": "git"
},
{
"lessThan": "88733a0b64872357e5ecd82b7488121503cb9cc6",
"status": "affected",
"version": "d7d0e73f7de33a2b9998b607707a3e944ef3b86d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_wb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dpu: Add missing NULL pointer check for pingpong interface\n\nIt is checked almost always in dpu_encoder_phys_wb_setup_ctl(), but in a\nsingle place the check is missing.\nAlso use convenient locals instead of phys_enc-\u003e* where available.\n\nPatchwork: https://patchwork.freedesktop.org/patch/693860/"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:35.465Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/678d1c86566dfbb247ba25482d37fddde6140cc9"
},
{
"url": "https://git.kernel.org/stable/c/471baae774a30a04cf066907b60eaf3732928cb7"
},
{
"url": "https://git.kernel.org/stable/c/35ea3282136a630a3fd92b76f5a3a02651145ef1"
},
{
"url": "https://git.kernel.org/stable/c/88733a0b64872357e5ecd82b7488121503cb9cc6"
}
],
"title": "drm/msm/dpu: Add missing NULL pointer check for pingpong interface",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71138",
"datePublished": "2026-01-14T15:07:51.943Z",
"dateReserved": "2026-01-13T15:30:19.656Z",
"dateUpdated": "2026-02-09T08:35:35.465Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40331 (GCVE-0-2025-40331)
Vulnerability from cvelistv5
Published
2025-12-09 04:09
Modified
2025-12-09 04:09
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
sctp: Prevent TOCTOU out-of-bounds write
For the following path not holding the sock lock,
sctp_diag_dump() -> sctp_for_each_endpoint() -> sctp_ep_dump()
make sure not to exceed bounds in case the address list has grown
between buffer allocation (time-of-check) and write (time-of-use).
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 8f840e47f190cbe61a96945c13e9551048d42cef Version: 8f840e47f190cbe61a96945c13e9551048d42cef Version: 8f840e47f190cbe61a96945c13e9551048d42cef Version: 8f840e47f190cbe61a96945c13e9551048d42cef Version: 8f840e47f190cbe61a96945c13e9551048d42cef Version: 8f840e47f190cbe61a96945c13e9551048d42cef Version: 8f840e47f190cbe61a96945c13e9551048d42cef Version: 8f840e47f190cbe61a96945c13e9551048d42cef |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sctp/diag.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b106a68df0650b694b254427cd9250c04500edd3",
"status": "affected",
"version": "8f840e47f190cbe61a96945c13e9551048d42cef",
"versionType": "git"
},
{
"lessThan": "3006959371007fc2eae4a078f823c680fa52de1a",
"status": "affected",
"version": "8f840e47f190cbe61a96945c13e9551048d42cef",
"versionType": "git"
},
{
"lessThan": "72e3fea68eac8d088e44c3dd954e843478e9240e",
"status": "affected",
"version": "8f840e47f190cbe61a96945c13e9551048d42cef",
"versionType": "git"
},
{
"lessThan": "584307275b2048991b2e8984962189b6cc0a9b85",
"status": "affected",
"version": "8f840e47f190cbe61a96945c13e9551048d42cef",
"versionType": "git"
},
{
"lessThan": "c9119f243d9c0da3c3b5f577a328de3e7ffd1b42",
"status": "affected",
"version": "8f840e47f190cbe61a96945c13e9551048d42cef",
"versionType": "git"
},
{
"lessThan": "2fe08fcaacb7eb019fa9c81db39b2214de216677",
"status": "affected",
"version": "8f840e47f190cbe61a96945c13e9551048d42cef",
"versionType": "git"
},
{
"lessThan": "89eac1e150dbd42963e13d23828cb8c4e0763196",
"status": "affected",
"version": "8f840e47f190cbe61a96945c13e9551048d42cef",
"versionType": "git"
},
{
"lessThan": "95aef86ab231f047bb8085c70666059b58f53c09",
"status": "affected",
"version": "8f840e47f190cbe61a96945c13e9551048d42cef",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sctp/diag.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.7"
},
{
"lessThan": "4.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: Prevent TOCTOU out-of-bounds write\n\nFor the following path not holding the sock lock,\n\n sctp_diag_dump() -\u003e sctp_for_each_endpoint() -\u003e sctp_ep_dump()\n\nmake sure not to exceed bounds in case the address list has grown\nbetween buffer allocation (time-of-check) and write (time-of-use)."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T04:09:48.196Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b106a68df0650b694b254427cd9250c04500edd3"
},
{
"url": "https://git.kernel.org/stable/c/3006959371007fc2eae4a078f823c680fa52de1a"
},
{
"url": "https://git.kernel.org/stable/c/72e3fea68eac8d088e44c3dd954e843478e9240e"
},
{
"url": "https://git.kernel.org/stable/c/584307275b2048991b2e8984962189b6cc0a9b85"
},
{
"url": "https://git.kernel.org/stable/c/c9119f243d9c0da3c3b5f577a328de3e7ffd1b42"
},
{
"url": "https://git.kernel.org/stable/c/2fe08fcaacb7eb019fa9c81db39b2214de216677"
},
{
"url": "https://git.kernel.org/stable/c/89eac1e150dbd42963e13d23828cb8c4e0763196"
},
{
"url": "https://git.kernel.org/stable/c/95aef86ab231f047bb8085c70666059b58f53c09"
}
],
"title": "sctp: Prevent TOCTOU out-of-bounds write",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40331",
"datePublished": "2025-12-09T04:09:48.196Z",
"dateReserved": "2025-04-16T07:20:57.186Z",
"dateUpdated": "2025-12-09T04:09:48.196Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39880 (GCVE-0-2025-39880)
Vulnerability from cvelistv5
Published
2025-09-23 06:00
Modified
2025-11-03 17:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
libceph: fix invalid accesses to ceph_connection_v1_info
There is a place where generic code in messenger.c is reading and
another place where it is writing to con->v1 union member without
checking that the union member is active (i.e. msgr1 is in use).
On 64-bit systems, con->v1.auth_retry overlaps with con->v2.out_iter,
so such a read is almost guaranteed to return a bogus value instead of
0 when msgr2 is in use. This ends up being fairly benign because the
side effect is just the invalidation of the authorizer and successive
fetching of new tickets.
con->v1.connect_seq overlaps with con->v2.conn_bufs and the fact that
it's being written to can cause more serious consequences, but luckily
it's not something that happens often.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: cd1a677cad994021b19665ed476aea63f5d54f31 Version: cd1a677cad994021b19665ed476aea63f5d54f31 Version: cd1a677cad994021b19665ed476aea63f5d54f31 Version: cd1a677cad994021b19665ed476aea63f5d54f31 Version: cd1a677cad994021b19665ed476aea63f5d54f31 Version: cd1a677cad994021b19665ed476aea63f5d54f31 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:22.996Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ceph/messenger.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ea12ab684f8ae8a6da11a22c78d94a79e2163096",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
},
{
"lessThan": "591ea9c30737663a471b2bb07b27ddde86b020d5",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
},
{
"lessThan": "23538cfbeed87159a5ac6c61e7a6de3d8d4486a8",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
},
{
"lessThan": "35dbbc3dbf8bccb2d77c68444f42c1e6d2d27983",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
},
{
"lessThan": "6bd8b56899be0b514945f639a89ccafb8f8dfaef",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
},
{
"lessThan": "cdbc9836c7afadad68f374791738f118263c5371",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ceph/messenger.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.153",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.107",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.48",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: fix invalid accesses to ceph_connection_v1_info\n\nThere is a place where generic code in messenger.c is reading and\nanother place where it is writing to con-\u003ev1 union member without\nchecking that the union member is active (i.e. msgr1 is in use).\n\nOn 64-bit systems, con-\u003ev1.auth_retry overlaps with con-\u003ev2.out_iter,\nso such a read is almost guaranteed to return a bogus value instead of\n0 when msgr2 is in use. This ends up being fairly benign because the\nside effect is just the invalidation of the authorizer and successive\nfetching of new tickets.\n\ncon-\u003ev1.connect_seq overlaps with con-\u003ev2.conn_bufs and the fact that\nit\u0027s being written to can cause more serious consequences, but luckily\nit\u0027s not something that happens often."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T13:26:21.835Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ea12ab684f8ae8a6da11a22c78d94a79e2163096"
},
{
"url": "https://git.kernel.org/stable/c/591ea9c30737663a471b2bb07b27ddde86b020d5"
},
{
"url": "https://git.kernel.org/stable/c/23538cfbeed87159a5ac6c61e7a6de3d8d4486a8"
},
{
"url": "https://git.kernel.org/stable/c/35dbbc3dbf8bccb2d77c68444f42c1e6d2d27983"
},
{
"url": "https://git.kernel.org/stable/c/6bd8b56899be0b514945f639a89ccafb8f8dfaef"
},
{
"url": "https://git.kernel.org/stable/c/cdbc9836c7afadad68f374791738f118263c5371"
}
],
"title": "libceph: fix invalid accesses to ceph_connection_v1_info",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39880",
"datePublished": "2025-09-23T06:00:49.897Z",
"dateReserved": "2025-04-16T07:20:57.144Z",
"dateUpdated": "2025-11-03T17:44:22.996Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39923 (GCVE-0-2025-39923)
Vulnerability from cvelistv5
Published
2025-10-01 08:07
Modified
2025-11-03 17:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ees
When we don't have a clock specified in the device tree, we have no way to
ensure the BAM is on. This is often the case for remotely-controlled or
remotely-powered BAM instances. In this case, we need to read num-channels
from the DT to have all the necessary information to complete probing.
However, at the moment invalid device trees without clock and without
num-channels still continue probing, because the error handling is missing
return statements. The driver will then later try to read the number of
channels from the registers. This is unsafe, because it relies on boot
firmware and lucky timing to succeed. Unfortunately, the lack of proper
error handling here has been abused for several Qualcomm SoCs upstream,
causing early boot crashes in several situations [1, 2].
Avoid these early crashes by erroring out when any of the required DT
properties are missing. Note that this will break some of the existing DTs
upstream (mainly BAM instances related to the crypto engine). However,
clearly these DTs have never been tested properly, since the error in the
kernel log was just ignored. It's safer to disable the crypto engine for
these broken DTBs.
[1]: https://lore.kernel.org/r/CY01EKQVWE36.B9X5TDXAREPF@fairphone.com/
[2]: https://lore.kernel.org/r/20230626145959.646747-1-krzysztof.kozlowski@linaro.org/
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 48d163b1aa6e7f650c0b7a4f9c61c387a6def868 Version: 48d163b1aa6e7f650c0b7a4f9c61c387a6def868 Version: 48d163b1aa6e7f650c0b7a4f9c61c387a6def868 Version: 48d163b1aa6e7f650c0b7a4f9c61c387a6def868 Version: 48d163b1aa6e7f650c0b7a4f9c61c387a6def868 Version: 48d163b1aa6e7f650c0b7a4f9c61c387a6def868 Version: 48d163b1aa6e7f650c0b7a4f9c61c387a6def868 Version: 48d163b1aa6e7f650c0b7a4f9c61c387a6def868 Version: cecf8a69042b3a54cb843223756c10ee8a8665e3 Version: 909474cd384cb206f33461fbd18089cf170533f8 Version: 5e0986f7caf17d7b1acd2092975360bf8e88a57d |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:41.678Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/qcom/bam_dma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2e257a6125c63350f00dc42b9674f20fd3cf4a9f",
"status": "affected",
"version": "48d163b1aa6e7f650c0b7a4f9c61c387a6def868",
"versionType": "git"
},
{
"lessThan": "1d98ba204d8a6db0d986c7f1aefaa0dcd1c007a2",
"status": "affected",
"version": "48d163b1aa6e7f650c0b7a4f9c61c387a6def868",
"versionType": "git"
},
{
"lessThan": "6ac1599d0e78036d9d08efc2f58c2d91f0a3ee4c",
"status": "affected",
"version": "48d163b1aa6e7f650c0b7a4f9c61c387a6def868",
"versionType": "git"
},
{
"lessThan": "555bd16351a35c79efb029a196975a5a27f7fbc4",
"status": "affected",
"version": "48d163b1aa6e7f650c0b7a4f9c61c387a6def868",
"versionType": "git"
},
{
"lessThan": "ebf6c7c908e5999531c3517289598f187776124f",
"status": "affected",
"version": "48d163b1aa6e7f650c0b7a4f9c61c387a6def868",
"versionType": "git"
},
{
"lessThan": "1fc14731f0be4885e60702b9596d14d9a79cf053",
"status": "affected",
"version": "48d163b1aa6e7f650c0b7a4f9c61c387a6def868",
"versionType": "git"
},
{
"lessThan": "0ff9df758af7022d749718fb6b8385cc5693acf3",
"status": "affected",
"version": "48d163b1aa6e7f650c0b7a4f9c61c387a6def868",
"versionType": "git"
},
{
"lessThan": "5068b5254812433e841a40886e695633148d362d",
"status": "affected",
"version": "48d163b1aa6e7f650c0b7a4f9c61c387a6def868",
"versionType": "git"
},
{
"status": "affected",
"version": "cecf8a69042b3a54cb843223756c10ee8a8665e3",
"versionType": "git"
},
{
"status": "affected",
"version": "909474cd384cb206f33461fbd18089cf170533f8",
"versionType": "git"
},
{
"status": "affected",
"version": "5e0986f7caf17d7b1acd2092975360bf8e88a57d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/qcom/bam_dma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.153",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.107",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.48",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.104",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.45",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.16.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ees\n\nWhen we don\u0027t have a clock specified in the device tree, we have no way to\nensure the BAM is on. This is often the case for remotely-controlled or\nremotely-powered BAM instances. In this case, we need to read num-channels\nfrom the DT to have all the necessary information to complete probing.\n\nHowever, at the moment invalid device trees without clock and without\nnum-channels still continue probing, because the error handling is missing\nreturn statements. The driver will then later try to read the number of\nchannels from the registers. This is unsafe, because it relies on boot\nfirmware and lucky timing to succeed. Unfortunately, the lack of proper\nerror handling here has been abused for several Qualcomm SoCs upstream,\ncausing early boot crashes in several situations [1, 2].\n\nAvoid these early crashes by erroring out when any of the required DT\nproperties are missing. Note that this will break some of the existing DTs\nupstream (mainly BAM instances related to the crypto engine). However,\nclearly these DTs have never been tested properly, since the error in the\nkernel log was just ignored. It\u0027s safer to disable the crypto engine for\nthese broken DTBs.\n\n[1]: https://lore.kernel.org/r/CY01EKQVWE36.B9X5TDXAREPF@fairphone.com/\n[2]: https://lore.kernel.org/r/20230626145959.646747-1-krzysztof.kozlowski@linaro.org/"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T13:26:52.384Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2e257a6125c63350f00dc42b9674f20fd3cf4a9f"
},
{
"url": "https://git.kernel.org/stable/c/1d98ba204d8a6db0d986c7f1aefaa0dcd1c007a2"
},
{
"url": "https://git.kernel.org/stable/c/6ac1599d0e78036d9d08efc2f58c2d91f0a3ee4c"
},
{
"url": "https://git.kernel.org/stable/c/555bd16351a35c79efb029a196975a5a27f7fbc4"
},
{
"url": "https://git.kernel.org/stable/c/ebf6c7c908e5999531c3517289598f187776124f"
},
{
"url": "https://git.kernel.org/stable/c/1fc14731f0be4885e60702b9596d14d9a79cf053"
},
{
"url": "https://git.kernel.org/stable/c/0ff9df758af7022d749718fb6b8385cc5693acf3"
},
{
"url": "https://git.kernel.org/stable/c/5068b5254812433e841a40886e695633148d362d"
}
],
"title": "dmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ees",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39923",
"datePublished": "2025-10-01T08:07:11.469Z",
"dateReserved": "2025-04-16T07:20:57.147Z",
"dateUpdated": "2025-11-03T17:44:41.678Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40105 (GCVE-0-2025-40105)
Vulnerability from cvelistv5
Published
2025-10-30 09:48
Modified
2025-12-01 06:18
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
vfs: Don't leak disconnected dentries on umount
When user calls open_by_handle_at() on some inode that is not cached, we
will create disconnected dentry for it. If such dentry is a directory,
exportfs_decode_fh_raw() will then try to connect this dentry to the
dentry tree through reconnect_path(). It may happen for various reasons
(such as corrupted fs or race with rename) that the call to
lookup_one_unlocked() in reconnect_one() will fail to find the dentry we
are trying to reconnect and instead create a new dentry under the
parent. Now this dentry will not be marked as disconnected although the
parent still may well be disconnected (at least in case this
inconsistency happened because the fs is corrupted and .. doesn't point
to the real parent directory). This creates inconsistency in
disconnected flags but AFAICS it was mostly harmless. At least until
commit f1ee616214cb ("VFS: don't keep disconnected dentries on d_anon")
which removed adding of most disconnected dentries to sb->s_anon list.
Thus after this commit cleanup of disconnected dentries implicitely
relies on the fact that dput() will immediately reclaim such dentries.
However when some leaf dentry isn't marked as disconnected, as in the
scenario described above, the reclaim doesn't happen and the dentries
are "leaked". Memory reclaim can eventually reclaim them but otherwise
they stay in memory and if umount comes first, we hit infamous "Busy
inodes after unmount" bug. Make sure all dentries created under a
disconnected parent are marked as disconnected as well.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: f1ee616214cb22410e939d963bbb2349c2570f02 Version: f1ee616214cb22410e939d963bbb2349c2570f02 Version: f1ee616214cb22410e939d963bbb2349c2570f02 Version: f1ee616214cb22410e939d963bbb2349c2570f02 Version: f1ee616214cb22410e939d963bbb2349c2570f02 Version: f1ee616214cb22410e939d963bbb2349c2570f02 Version: f1ee616214cb22410e939d963bbb2349c2570f02 Version: f1ee616214cb22410e939d963bbb2349c2570f02 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/dcache.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b5abafd0aa8d7bcb935c8f91e4cfc2f2820759e4",
"status": "affected",
"version": "f1ee616214cb22410e939d963bbb2349c2570f02",
"versionType": "git"
},
{
"lessThan": "20863bb7fbb016379f8227122edfabc5c799bc79",
"status": "affected",
"version": "f1ee616214cb22410e939d963bbb2349c2570f02",
"versionType": "git"
},
{
"lessThan": "8004d4b8cbf1bd68a23c160d57287e177c82cc69",
"status": "affected",
"version": "f1ee616214cb22410e939d963bbb2349c2570f02",
"versionType": "git"
},
{
"lessThan": "7e0c8aaf4e28918abded547a5147c7d52c4af7d2",
"status": "affected",
"version": "f1ee616214cb22410e939d963bbb2349c2570f02",
"versionType": "git"
},
{
"lessThan": "cebfbf40056a4d858b2a3ca59a69936d599bd209",
"status": "affected",
"version": "f1ee616214cb22410e939d963bbb2349c2570f02",
"versionType": "git"
},
{
"lessThan": "620f3b0ede9c5cb4976cd0457d0b04ad551e5d6b",
"status": "affected",
"version": "f1ee616214cb22410e939d963bbb2349c2570f02",
"versionType": "git"
},
{
"lessThan": "eadc49999fa994d6fbd70c332bd5d5051cc42261",
"status": "affected",
"version": "f1ee616214cb22410e939d963bbb2349c2570f02",
"versionType": "git"
},
{
"lessThan": "56094ad3eaa21e6621396cc33811d8f72847a834",
"status": "affected",
"version": "f1ee616214cb22410e939d963bbb2349c2570f02",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/dcache.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.196",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.114",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.196",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.114",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.55",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.5",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfs: Don\u0027t leak disconnected dentries on umount\n\nWhen user calls open_by_handle_at() on some inode that is not cached, we\nwill create disconnected dentry for it. If such dentry is a directory,\nexportfs_decode_fh_raw() will then try to connect this dentry to the\ndentry tree through reconnect_path(). It may happen for various reasons\n(such as corrupted fs or race with rename) that the call to\nlookup_one_unlocked() in reconnect_one() will fail to find the dentry we\nare trying to reconnect and instead create a new dentry under the\nparent. Now this dentry will not be marked as disconnected although the\nparent still may well be disconnected (at least in case this\ninconsistency happened because the fs is corrupted and .. doesn\u0027t point\nto the real parent directory). This creates inconsistency in\ndisconnected flags but AFAICS it was mostly harmless. At least until\ncommit f1ee616214cb (\"VFS: don\u0027t keep disconnected dentries on d_anon\")\nwhich removed adding of most disconnected dentries to sb-\u003es_anon list.\nThus after this commit cleanup of disconnected dentries implicitely\nrelies on the fact that dput() will immediately reclaim such dentries.\nHowever when some leaf dentry isn\u0027t marked as disconnected, as in the\nscenario described above, the reclaim doesn\u0027t happen and the dentries\nare \"leaked\". Memory reclaim can eventually reclaim them but otherwise\nthey stay in memory and if umount comes first, we hit infamous \"Busy\ninodes after unmount\" bug. Make sure all dentries created under a\ndisconnected parent are marked as disconnected as well."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:18:08.529Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b5abafd0aa8d7bcb935c8f91e4cfc2f2820759e4"
},
{
"url": "https://git.kernel.org/stable/c/20863bb7fbb016379f8227122edfabc5c799bc79"
},
{
"url": "https://git.kernel.org/stable/c/8004d4b8cbf1bd68a23c160d57287e177c82cc69"
},
{
"url": "https://git.kernel.org/stable/c/7e0c8aaf4e28918abded547a5147c7d52c4af7d2"
},
{
"url": "https://git.kernel.org/stable/c/cebfbf40056a4d858b2a3ca59a69936d599bd209"
},
{
"url": "https://git.kernel.org/stable/c/620f3b0ede9c5cb4976cd0457d0b04ad551e5d6b"
},
{
"url": "https://git.kernel.org/stable/c/eadc49999fa994d6fbd70c332bd5d5051cc42261"
},
{
"url": "https://git.kernel.org/stable/c/56094ad3eaa21e6621396cc33811d8f72847a834"
}
],
"title": "vfs: Don\u0027t leak disconnected dentries on umount",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40105",
"datePublished": "2025-10-30T09:48:09.674Z",
"dateReserved": "2025-04-16T07:20:57.165Z",
"dateUpdated": "2025-12-01T06:18:08.529Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68757 (GCVE-0-2025-68757)
Vulnerability from cvelistv5
Published
2026-01-05 09:32
Modified
2026-02-09 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/vgem-fence: Fix potential deadlock on release
A timer that expires a vgem fence automatically in 10 seconds is now
released with timer_delete_sync() from fence->ops.release() called on last
dma_fence_put(). In some scenarios, it can run in IRQ context, which is
not safe unless TIMER_IRQSAFE is used. One potentially risky scenario was
demonstrated in Intel DRM CI trybot, BAT run on machine bat-adlp-6, while
working on new IGT subtests syncobj_timeline@stress-* as user space
replacements of some problematic test cases of a dma-fence-chain selftest
[1].
[117.004338] ================================
[117.004340] WARNING: inconsistent lock state
[117.004342] 6.17.0-rc7-CI_DRM_17270-g7644974e648c+ #1 Tainted: G S U
[117.004346] --------------------------------
[117.004347] inconsistent {HARDIRQ-ON-W} -> {IN-HARDIRQ-W} usage.
[117.004349] swapper/0/0 [HC1[1]:SC1[1]:HE0:SE0] takes:
[117.004352] ffff888138f86aa8 ((&fence->timer)){?.-.}-{0:0}, at: __timer_delete_sync+0x4b/0x190
[117.004361] {HARDIRQ-ON-W} state was registered at:
[117.004363] lock_acquire+0xc4/0x2e0
[117.004366] call_timer_fn+0x80/0x2a0
[117.004368] __run_timers+0x231/0x310
[117.004370] run_timer_softirq+0x76/0xe0
[117.004372] handle_softirqs+0xd4/0x4d0
[117.004375] __irq_exit_rcu+0x13f/0x160
[117.004377] irq_exit_rcu+0xe/0x20
[117.004379] sysvec_apic_timer_interrupt+0xa0/0xc0
[117.004382] asm_sysvec_apic_timer_interrupt+0x1b/0x20
[117.004385] cpuidle_enter_state+0x12b/0x8a0
[117.004388] cpuidle_enter+0x2e/0x50
[117.004393] call_cpuidle+0x22/0x60
[117.004395] do_idle+0x1fd/0x260
[117.004398] cpu_startup_entry+0x29/0x30
[117.004401] start_secondary+0x12d/0x160
[117.004404] common_startup_64+0x13e/0x141
[117.004407] irq event stamp: 2282669
[117.004409] hardirqs last enabled at (2282668): [<ffffffff8289db71>] _raw_spin_unlock_irqrestore+0x51/0x80
[117.004414] hardirqs last disabled at (2282669): [<ffffffff82882021>] sysvec_irq_work+0x11/0xc0
[117.004419] softirqs last enabled at (2254702): [<ffffffff8289fd00>] __do_softirq+0x10/0x18
[117.004423] softirqs last disabled at (2254725): [<ffffffff813d4ddf>] __irq_exit_rcu+0x13f/0x160
[117.004426]
other info that might help us debug this:
[117.004429] Possible unsafe locking scenario:
[117.004432] CPU0
[117.004433] ----
[117.004434] lock((&fence->timer));
[117.004436] <Interrupt>
[117.004438] lock((&fence->timer));
[117.004440]
*** DEADLOCK ***
[117.004443] 1 lock held by swapper/0/0:
[117.004445] #0: ffffc90000003d50 ((&fence->timer)){?.-.}-{0:0}, at: call_timer_fn+0x7a/0x2a0
[117.004450]
stack backtrace:
[117.004453] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G S U 6.17.0-rc7-CI_DRM_17270-g7644974e648c+ #1 PREEMPT(voluntary)
[117.004455] Tainted: [S]=CPU_OUT_OF_SPEC, [U]=USER
[117.004455] Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-P DDR4 RVP, BIOS RPLPFWI1.R00.4035.A00.2301200723 01/20/2023
[117.004456] Call Trace:
[117.004456] <IRQ>
[117.004457] dump_stack_lvl+0x91/0xf0
[117.004460] dump_stack+0x10/0x20
[117.004461] print_usage_bug.part.0+0x260/0x360
[117.004463] mark_lock+0x76e/0x9c0
[117.004465] ? register_lock_class+0x48/0x4a0
[117.004467] __lock_acquire+0xbc3/0x2860
[117.004469] lock_acquire+0xc4/0x2e0
[117.004470] ? __timer_delete_sync+0x4b/0x190
[117.004472] ? __timer_delete_sync+0x4b/0x190
[117.004473] __timer_delete_sync+0x68/0x190
[117.004474] ? __timer_delete_sync+0x4b/0x190
[117.004475] timer_delete_sync+0x10/0x20
[117.004476] vgem_fence_release+0x19/0x30 [vgem]
[117.004478] dma_fence_release+0xc1/0x3b0
[117.004480] ? dma_fence_release+0xa1/0x3b0
[117.004481] dma_fence_chain_release+0xe7/0x130
[117.004483] dma_fence_release+0xc1/0x3b0
[117.004484] ? _raw_spin_unlock_irqrestore+0x27/0x80
[117.004485] dma_fence_chain_irq_work+0x59/0x80
[117.004487] irq_work_single+0x75/0xa0
[117.004490] irq_work_r
---truncated---
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 4077798484459a2eced2050045099a466ecb618a Version: 4077798484459a2eced2050045099a466ecb618a Version: 4077798484459a2eced2050045099a466ecb618a Version: 4077798484459a2eced2050045099a466ecb618a Version: 4077798484459a2eced2050045099a466ecb618a Version: 4077798484459a2eced2050045099a466ecb618a Version: 4077798484459a2eced2050045099a466ecb618a Version: 4077798484459a2eced2050045099a466ecb618a |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/vgem/vgem_fence.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "37289a18099fc7ce916933bd542926a7334791a3",
"status": "affected",
"version": "4077798484459a2eced2050045099a466ecb618a",
"versionType": "git"
},
{
"lessThan": "489b2158aec92a3fc256d70992416869f86e16e0",
"status": "affected",
"version": "4077798484459a2eced2050045099a466ecb618a",
"versionType": "git"
},
{
"lessThan": "1026d1b0bd55e1be7ba0f9e9b1c9f6e02448f25a",
"status": "affected",
"version": "4077798484459a2eced2050045099a466ecb618a",
"versionType": "git"
},
{
"lessThan": "9dc3c78d21e16f5af1a9c3d11b4bd5276f891fe0",
"status": "affected",
"version": "4077798484459a2eced2050045099a466ecb618a",
"versionType": "git"
},
{
"lessThan": "338e388c0d80ffc04963b6b0ec702ffdfd2c4eba",
"status": "affected",
"version": "4077798484459a2eced2050045099a466ecb618a",
"versionType": "git"
},
{
"lessThan": "4f335cb8fad69b2be5accf0ebac3a8b345915f4e",
"status": "affected",
"version": "4077798484459a2eced2050045099a466ecb618a",
"versionType": "git"
},
{
"lessThan": "1f0ca9d3e7c38a39f1f12377c24decf0bba46e54",
"status": "affected",
"version": "4077798484459a2eced2050045099a466ecb618a",
"versionType": "git"
},
{
"lessThan": "78b4d6463e9e69e5103f98b367f8984ad12cdc6f",
"status": "affected",
"version": "4077798484459a2eced2050045099a466ecb618a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/vgem/vgem_fence.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vgem-fence: Fix potential deadlock on release\n\nA timer that expires a vgem fence automatically in 10 seconds is now\nreleased with timer_delete_sync() from fence-\u003eops.release() called on last\ndma_fence_put(). In some scenarios, it can run in IRQ context, which is\nnot safe unless TIMER_IRQSAFE is used. One potentially risky scenario was\ndemonstrated in Intel DRM CI trybot, BAT run on machine bat-adlp-6, while\nworking on new IGT subtests syncobj_timeline@stress-* as user space\nreplacements of some problematic test cases of a dma-fence-chain selftest\n[1].\n\n[117.004338] ================================\n[117.004340] WARNING: inconsistent lock state\n[117.004342] 6.17.0-rc7-CI_DRM_17270-g7644974e648c+ #1 Tainted: G S U\n[117.004346] --------------------------------\n[117.004347] inconsistent {HARDIRQ-ON-W} -\u003e {IN-HARDIRQ-W} usage.\n[117.004349] swapper/0/0 [HC1[1]:SC1[1]:HE0:SE0] takes:\n[117.004352] ffff888138f86aa8 ((\u0026fence-\u003etimer)){?.-.}-{0:0}, at: __timer_delete_sync+0x4b/0x190\n[117.004361] {HARDIRQ-ON-W} state was registered at:\n[117.004363] lock_acquire+0xc4/0x2e0\n[117.004366] call_timer_fn+0x80/0x2a0\n[117.004368] __run_timers+0x231/0x310\n[117.004370] run_timer_softirq+0x76/0xe0\n[117.004372] handle_softirqs+0xd4/0x4d0\n[117.004375] __irq_exit_rcu+0x13f/0x160\n[117.004377] irq_exit_rcu+0xe/0x20\n[117.004379] sysvec_apic_timer_interrupt+0xa0/0xc0\n[117.004382] asm_sysvec_apic_timer_interrupt+0x1b/0x20\n[117.004385] cpuidle_enter_state+0x12b/0x8a0\n[117.004388] cpuidle_enter+0x2e/0x50\n[117.004393] call_cpuidle+0x22/0x60\n[117.004395] do_idle+0x1fd/0x260\n[117.004398] cpu_startup_entry+0x29/0x30\n[117.004401] start_secondary+0x12d/0x160\n[117.004404] common_startup_64+0x13e/0x141\n[117.004407] irq event stamp: 2282669\n[117.004409] hardirqs last enabled at (2282668): [\u003cffffffff8289db71\u003e] _raw_spin_unlock_irqrestore+0x51/0x80\n[117.004414] hardirqs last disabled at (2282669): [\u003cffffffff82882021\u003e] sysvec_irq_work+0x11/0xc0\n[117.004419] softirqs last enabled at (2254702): [\u003cffffffff8289fd00\u003e] __do_softirq+0x10/0x18\n[117.004423] softirqs last disabled at (2254725): [\u003cffffffff813d4ddf\u003e] __irq_exit_rcu+0x13f/0x160\n[117.004426]\nother info that might help us debug this:\n[117.004429] Possible unsafe locking scenario:\n[117.004432] CPU0\n[117.004433] ----\n[117.004434] lock((\u0026fence-\u003etimer));\n[117.004436] \u003cInterrupt\u003e\n[117.004438] lock((\u0026fence-\u003etimer));\n[117.004440]\n *** DEADLOCK ***\n[117.004443] 1 lock held by swapper/0/0:\n[117.004445] #0: ffffc90000003d50 ((\u0026fence-\u003etimer)){?.-.}-{0:0}, at: call_timer_fn+0x7a/0x2a0\n[117.004450]\nstack backtrace:\n[117.004453] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G S U 6.17.0-rc7-CI_DRM_17270-g7644974e648c+ #1 PREEMPT(voluntary)\n[117.004455] Tainted: [S]=CPU_OUT_OF_SPEC, [U]=USER\n[117.004455] Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-P DDR4 RVP, BIOS RPLPFWI1.R00.4035.A00.2301200723 01/20/2023\n[117.004456] Call Trace:\n[117.004456] \u003cIRQ\u003e\n[117.004457] dump_stack_lvl+0x91/0xf0\n[117.004460] dump_stack+0x10/0x20\n[117.004461] print_usage_bug.part.0+0x260/0x360\n[117.004463] mark_lock+0x76e/0x9c0\n[117.004465] ? register_lock_class+0x48/0x4a0\n[117.004467] __lock_acquire+0xbc3/0x2860\n[117.004469] lock_acquire+0xc4/0x2e0\n[117.004470] ? __timer_delete_sync+0x4b/0x190\n[117.004472] ? __timer_delete_sync+0x4b/0x190\n[117.004473] __timer_delete_sync+0x68/0x190\n[117.004474] ? __timer_delete_sync+0x4b/0x190\n[117.004475] timer_delete_sync+0x10/0x20\n[117.004476] vgem_fence_release+0x19/0x30 [vgem]\n[117.004478] dma_fence_release+0xc1/0x3b0\n[117.004480] ? dma_fence_release+0xa1/0x3b0\n[117.004481] dma_fence_chain_release+0xe7/0x130\n[117.004483] dma_fence_release+0xc1/0x3b0\n[117.004484] ? _raw_spin_unlock_irqrestore+0x27/0x80\n[117.004485] dma_fence_chain_irq_work+0x59/0x80\n[117.004487] irq_work_single+0x75/0xa0\n[117.004490] irq_work_r\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:01.777Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/37289a18099fc7ce916933bd542926a7334791a3"
},
{
"url": "https://git.kernel.org/stable/c/489b2158aec92a3fc256d70992416869f86e16e0"
},
{
"url": "https://git.kernel.org/stable/c/1026d1b0bd55e1be7ba0f9e9b1c9f6e02448f25a"
},
{
"url": "https://git.kernel.org/stable/c/9dc3c78d21e16f5af1a9c3d11b4bd5276f891fe0"
},
{
"url": "https://git.kernel.org/stable/c/338e388c0d80ffc04963b6b0ec702ffdfd2c4eba"
},
{
"url": "https://git.kernel.org/stable/c/4f335cb8fad69b2be5accf0ebac3a8b345915f4e"
},
{
"url": "https://git.kernel.org/stable/c/1f0ca9d3e7c38a39f1f12377c24decf0bba46e54"
},
{
"url": "https://git.kernel.org/stable/c/78b4d6463e9e69e5103f98b367f8984ad12cdc6f"
}
],
"title": "drm/vgem-fence: Fix potential deadlock on release",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68757",
"datePublished": "2026-01-05T09:32:30.496Z",
"dateReserved": "2025-12-24T10:30:51.033Z",
"dateUpdated": "2026-02-09T08:33:01.777Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68340 (GCVE-0-2025-68340)
Vulnerability from cvelistv5
Published
2025-12-23 13:58
Modified
2026-02-06 16:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
team: Move team device type change at the end of team_port_add
Attempting to add a port device that is already up will expectedly fail,
but not before modifying the team device header_ops.
In the case of the syzbot reproducer the gre0 device is
already in state UP when it attempts to add it as a
port device of team0, this fails but before that
header_ops->create of team0 is changed from eth_header to ipgre_header
in the call to team_dev_type_check_change.
Later when we end up in ipgre_header() struct ip_tunnel* points to nonsense
as the private data of the device still holds a struct team.
Example sequence of iproute2 commands to reproduce the hang/BUG():
ip link add dev team0 type team
ip link add dev gre0 type gre
ip link set dev gre0 up
ip link set dev gre0 master team0
ip link set dev team0 up
ping -I team0 1.1.1.1
Move team_dev_type_check_change down where all other checks have passed
as it changes the dev type with no way to restore it in case
one of the checks that follow it fail.
Also make sure to preserve the origial mtu assignment:
- If port_dev is not the same type as dev, dev takes mtu from port_dev
- If port_dev is the same type as dev, port_dev takes mtu from dev
This is done by adding a conditional before the call to dev_set_mtu
to prevent it from assigning port_dev->mtu = dev->mtu and instead
letting team_dev_type_check_change assign dev->mtu = port_dev->mtu.
The conditional is needed because the patch moves the call to
team_dev_type_check_change past dev_set_mtu.
Testing:
- team device driver in-tree selftests
- Add/remove various devices as slaves of team device
- syzbot
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1d76efe1577b4323609b1bcbfafa8b731eda071a Version: 1d76efe1577b4323609b1bcbfafa8b731eda071a Version: 1d76efe1577b4323609b1bcbfafa8b731eda071a Version: 1d76efe1577b4323609b1bcbfafa8b731eda071a Version: 1d76efe1577b4323609b1bcbfafa8b731eda071a Version: 1d76efe1577b4323609b1bcbfafa8b731eda071a |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/team/team_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c8b15b0d2eec3b5c7f585e5a53dfc8d36c818283",
"status": "affected",
"version": "1d76efe1577b4323609b1bcbfafa8b731eda071a",
"versionType": "git"
},
{
"lessThan": "a74ab1b532ecc5f9106621a8f75b4c3d04466b35",
"status": "affected",
"version": "1d76efe1577b4323609b1bcbfafa8b731eda071a",
"versionType": "git"
},
{
"lessThan": "e26235840fd961e4ebe5568f11a2a078cf726663",
"status": "affected",
"version": "1d76efe1577b4323609b1bcbfafa8b731eda071a",
"versionType": "git"
},
{
"lessThan": "4040b5e8963982a00aa821300cb746efc9f2947e",
"status": "affected",
"version": "1d76efe1577b4323609b1bcbfafa8b731eda071a",
"versionType": "git"
},
{
"lessThan": "e3eed4f038214494af62c7d2d64749e5108ce6ca",
"status": "affected",
"version": "1d76efe1577b4323609b1bcbfafa8b731eda071a",
"versionType": "git"
},
{
"lessThan": "0ae9cfc454ea5ead5f3ddbdfe2e70270d8e2c8ef",
"status": "affected",
"version": "1d76efe1577b4323609b1bcbfafa8b731eda071a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/team/team_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.7"
},
{
"lessThan": "3.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.123",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.123",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nteam: Move team device type change at the end of team_port_add\n\nAttempting to add a port device that is already up will expectedly fail,\nbut not before modifying the team device header_ops.\n\nIn the case of the syzbot reproducer the gre0 device is\nalready in state UP when it attempts to add it as a\nport device of team0, this fails but before that\nheader_ops-\u003ecreate of team0 is changed from eth_header to ipgre_header\nin the call to team_dev_type_check_change.\n\nLater when we end up in ipgre_header() struct ip_tunnel* points to nonsense\nas the private data of the device still holds a struct team.\n\nExample sequence of iproute2 commands to reproduce the hang/BUG():\nip link add dev team0 type team\nip link add dev gre0 type gre\nip link set dev gre0 up\nip link set dev gre0 master team0\nip link set dev team0 up\nping -I team0 1.1.1.1\n\nMove team_dev_type_check_change down where all other checks have passed\nas it changes the dev type with no way to restore it in case\none of the checks that follow it fail.\n\nAlso make sure to preserve the origial mtu assignment:\n - If port_dev is not the same type as dev, dev takes mtu from port_dev\n - If port_dev is the same type as dev, port_dev takes mtu from dev\n\nThis is done by adding a conditional before the call to dev_set_mtu\nto prevent it from assigning port_dev-\u003emtu = dev-\u003emtu and instead\nletting team_dev_type_check_change assign dev-\u003emtu = port_dev-\u003emtu.\nThe conditional is needed because the patch moves the call to\nteam_dev_type_check_change past dev_set_mtu.\n\nTesting:\n - team device driver in-tree selftests\n - Add/remove various devices as slaves of team device\n - syzbot"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T16:31:33.541Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c8b15b0d2eec3b5c7f585e5a53dfc8d36c818283"
},
{
"url": "https://git.kernel.org/stable/c/a74ab1b532ecc5f9106621a8f75b4c3d04466b35"
},
{
"url": "https://git.kernel.org/stable/c/e26235840fd961e4ebe5568f11a2a078cf726663"
},
{
"url": "https://git.kernel.org/stable/c/4040b5e8963982a00aa821300cb746efc9f2947e"
},
{
"url": "https://git.kernel.org/stable/c/e3eed4f038214494af62c7d2d64749e5108ce6ca"
},
{
"url": "https://git.kernel.org/stable/c/0ae9cfc454ea5ead5f3ddbdfe2e70270d8e2c8ef"
}
],
"title": "team: Move team device type change at the end of team_port_add",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68340",
"datePublished": "2025-12-23T13:58:25.841Z",
"dateReserved": "2025-12-16T14:48:05.297Z",
"dateUpdated": "2026-02-06T16:31:33.541Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68211 (GCVE-0-2025-68211)
Vulnerability from cvelistv5
Published
2025-12-16 13:48
Modified
2026-02-06 16:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ksm: use range-walk function to jump over holes in scan_get_next_rmap_item
Currently, scan_get_next_rmap_item() walks every page address in a VMA to
locate mergeable pages. This becomes highly inefficient when scanning
large virtual memory areas that contain mostly unmapped regions, causing
ksmd to use large amount of cpu without deduplicating much pages.
This patch replaces the per-address lookup with a range walk using
walk_page_range(). The range walker allows KSM to skip over entire
unmapped holes in a VMA, avoiding unnecessary lookups. This problem was
previously discussed in [1].
Consider the following test program which creates a 32 TiB mapping in the
virtual address space but only populates a single page:
#include <unistd.h>
#include <stdio.h>
#include <sys/mman.h>
/* 32 TiB */
const size_t size = 32ul * 1024 * 1024 * 1024 * 1024;
int main() {
char *area = mmap(NULL, size, PROT_READ | PROT_WRITE,
MAP_NORESERVE | MAP_PRIVATE | MAP_ANON, -1, 0);
if (area == MAP_FAILED) {
perror("mmap() failed\n");
return -1;
}
/* Populate a single page such that we get an anon_vma. */
*area = 0;
/* Enable KSM. */
madvise(area, size, MADV_MERGEABLE);
pause();
return 0;
}
$ ./ksm-sparse &
$ echo 1 > /sys/kernel/mm/ksm/run
Without this patch ksmd uses 100% of the cpu for a long time (more then 1
hour in my test machine) scanning all the 32 TiB virtual address space
that contain only one mapped page. This makes ksmd essentially deadlocked
not able to deduplicate anything of value. With this patch ksmd walks
only the one mapped page and skips the rest of the 32 TiB virtual address
space, making the scan fast using little cpu.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 31dbd01f314364b70c2e026a5793a29a4da8a9dc Version: 31dbd01f314364b70c2e026a5793a29a4da8a9dc Version: 31dbd01f314364b70c2e026a5793a29a4da8a9dc Version: 31dbd01f314364b70c2e026a5793a29a4da8a9dc Version: 31dbd01f314364b70c2e026a5793a29a4da8a9dc Version: 31dbd01f314364b70c2e026a5793a29a4da8a9dc Version: 31dbd01f314364b70c2e026a5793a29a4da8a9dc |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/ksm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "220cb3e425e17587f560335924cba9f16a842c64",
"status": "affected",
"version": "31dbd01f314364b70c2e026a5793a29a4da8a9dc",
"versionType": "git"
},
{
"lessThan": "10644e8839544dd5699c03c8fb1aeeefc41602fd",
"status": "affected",
"version": "31dbd01f314364b70c2e026a5793a29a4da8a9dc",
"versionType": "git"
},
{
"lessThan": "67137b715b7db28d82e4ed07a7092c2fa6ba7adb",
"status": "affected",
"version": "31dbd01f314364b70c2e026a5793a29a4da8a9dc",
"versionType": "git"
},
{
"lessThan": "9c2f8a9b68024e5ebb4813665845ec0a95f2eac3",
"status": "affected",
"version": "31dbd01f314364b70c2e026a5793a29a4da8a9dc",
"versionType": "git"
},
{
"lessThan": "74f78421c925b6d17695566f0c5941de57fd44b3",
"status": "affected",
"version": "31dbd01f314364b70c2e026a5793a29a4da8a9dc",
"versionType": "git"
},
{
"lessThan": "f62973e0767e4fcd6799087787fca08ca2a85b8c",
"status": "affected",
"version": "31dbd01f314364b70c2e026a5793a29a4da8a9dc",
"versionType": "git"
},
{
"lessThan": "f5548c318d6520d4fa3c5ed6003eeb710763cbc5",
"status": "affected",
"version": "31dbd01f314364b70c2e026a5793a29a4da8a9dc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/ksm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.32"
},
{
"lessThan": "2.6.32",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.32",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksm: use range-walk function to jump over holes in scan_get_next_rmap_item\n\nCurrently, scan_get_next_rmap_item() walks every page address in a VMA to\nlocate mergeable pages. This becomes highly inefficient when scanning\nlarge virtual memory areas that contain mostly unmapped regions, causing\nksmd to use large amount of cpu without deduplicating much pages.\n\nThis patch replaces the per-address lookup with a range walk using\nwalk_page_range(). The range walker allows KSM to skip over entire\nunmapped holes in a VMA, avoiding unnecessary lookups. This problem was\npreviously discussed in [1].\n\nConsider the following test program which creates a 32 TiB mapping in the\nvirtual address space but only populates a single page:\n\n#include \u003cunistd.h\u003e\n#include \u003cstdio.h\u003e\n#include \u003csys/mman.h\u003e\n\n/* 32 TiB */\nconst size_t size = 32ul * 1024 * 1024 * 1024 * 1024;\n\nint main() {\n char *area = mmap(NULL, size, PROT_READ | PROT_WRITE,\n MAP_NORESERVE | MAP_PRIVATE | MAP_ANON, -1, 0);\n\n if (area == MAP_FAILED) {\n perror(\"mmap() failed\\n\");\n return -1;\n }\n\n /* Populate a single page such that we get an anon_vma. */\n *area = 0;\n\n /* Enable KSM. */\n madvise(area, size, MADV_MERGEABLE);\n pause();\n return 0;\n}\n\n$ ./ksm-sparse \u0026\n$ echo 1 \u003e /sys/kernel/mm/ksm/run \n\nWithout this patch ksmd uses 100% of the cpu for a long time (more then 1\nhour in my test machine) scanning all the 32 TiB virtual address space\nthat contain only one mapped page. This makes ksmd essentially deadlocked\nnot able to deduplicate anything of value. With this patch ksmd walks\nonly the one mapped page and skips the rest of the 32 TiB virtual address\nspace, making the scan fast using little cpu."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T16:31:30.988Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/220cb3e425e17587f560335924cba9f16a842c64"
},
{
"url": "https://git.kernel.org/stable/c/10644e8839544dd5699c03c8fb1aeeefc41602fd"
},
{
"url": "https://git.kernel.org/stable/c/67137b715b7db28d82e4ed07a7092c2fa6ba7adb"
},
{
"url": "https://git.kernel.org/stable/c/9c2f8a9b68024e5ebb4813665845ec0a95f2eac3"
},
{
"url": "https://git.kernel.org/stable/c/74f78421c925b6d17695566f0c5941de57fd44b3"
},
{
"url": "https://git.kernel.org/stable/c/f62973e0767e4fcd6799087787fca08ca2a85b8c"
},
{
"url": "https://git.kernel.org/stable/c/f5548c318d6520d4fa3c5ed6003eeb710763cbc5"
}
],
"title": "ksm: use range-walk function to jump over holes in scan_get_next_rmap_item",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68211",
"datePublished": "2025-12-16T13:48:37.959Z",
"dateReserved": "2025-12-16T13:41:40.256Z",
"dateUpdated": "2026-02-06T16:31:30.988Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68809 (GCVE-0-2025-68809)
Vulnerability from cvelistv5
Published
2026-01-13 15:29
Modified
2026-02-09 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: vfs: fix race on m_flags in vfs_cache
ksmbd maintains delete-on-close and pending-delete state in
ksmbd_inode->m_flags. In vfs_cache.c this field is accessed under
inconsistent locking: some paths read and modify m_flags under
ci->m_lock while others do so without taking the lock at all.
Examples:
- ksmbd_query_inode_status() and __ksmbd_inode_close() use
ci->m_lock when checking or updating m_flags.
- ksmbd_inode_pending_delete(), ksmbd_set_inode_pending_delete(),
ksmbd_clear_inode_pending_delete() and ksmbd_fd_set_delete_on_close()
used to read and modify m_flags without ci->m_lock.
This creates a potential data race on m_flags when multiple threads
open, close and delete the same file concurrently. In the worst case
delete-on-close and pending-delete bits can be lost or observed in an
inconsistent state, leading to confusing delete semantics (files that
stay on disk after delete-on-close, or files that disappear while still
in use).
Fix it by:
- Making ksmbd_query_inode_status() look at m_flags under ci->m_lock
after dropping inode_hash_lock.
- Adding ci->m_lock protection to all helpers that read or modify
m_flags (ksmbd_inode_pending_delete(), ksmbd_set_inode_pending_delete(),
ksmbd_clear_inode_pending_delete(), ksmbd_fd_set_delete_on_close()).
- Keeping the existing ci->m_lock protection in __ksmbd_inode_close(),
and moving the actual unlink/xattr removal outside the lock.
This unifies the locking around m_flags and removes the data race while
preserving the existing delete-on-close behaviour.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/vfs_cache.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5adad9727a815c26013b0d41cfee92ffa7d4037c",
"status": "affected",
"version": "f44158485826c076335d6860d35872271a83791d",
"versionType": "git"
},
{
"lessThan": "ccc78781041589ea383e61d5d7a1e9a31b210b93",
"status": "affected",
"version": "f44158485826c076335d6860d35872271a83791d",
"versionType": "git"
},
{
"lessThan": "ee63729760f5b61a66f345c54dc4c7514e62383d",
"status": "affected",
"version": "f44158485826c076335d6860d35872271a83791d",
"versionType": "git"
},
{
"lessThan": "991f8a79db99b14c48d20d2052c82d65b9186cad",
"status": "affected",
"version": "f44158485826c076335d6860d35872271a83791d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/vfs_cache.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: vfs: fix race on m_flags in vfs_cache\n\nksmbd maintains delete-on-close and pending-delete state in\nksmbd_inode-\u003em_flags. In vfs_cache.c this field is accessed under\ninconsistent locking: some paths read and modify m_flags under\nci-\u003em_lock while others do so without taking the lock at all.\n\nExamples:\n\n - ksmbd_query_inode_status() and __ksmbd_inode_close() use\n ci-\u003em_lock when checking or updating m_flags.\n - ksmbd_inode_pending_delete(), ksmbd_set_inode_pending_delete(),\n ksmbd_clear_inode_pending_delete() and ksmbd_fd_set_delete_on_close()\n used to read and modify m_flags without ci-\u003em_lock.\n\nThis creates a potential data race on m_flags when multiple threads\nopen, close and delete the same file concurrently. In the worst case\ndelete-on-close and pending-delete bits can be lost or observed in an\ninconsistent state, leading to confusing delete semantics (files that\nstay on disk after delete-on-close, or files that disappear while still\nin use).\n\nFix it by:\n\n - Making ksmbd_query_inode_status() look at m_flags under ci-\u003em_lock\n after dropping inode_hash_lock.\n - Adding ci-\u003em_lock protection to all helpers that read or modify\n m_flags (ksmbd_inode_pending_delete(), ksmbd_set_inode_pending_delete(),\n ksmbd_clear_inode_pending_delete(), ksmbd_fd_set_delete_on_close()).\n - Keeping the existing ci-\u003em_lock protection in __ksmbd_inode_close(),\n and moving the actual unlink/xattr removal outside the lock.\n\nThis unifies the locking around m_flags and removes the data race while\npreserving the existing delete-on-close behaviour."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:58.311Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5adad9727a815c26013b0d41cfee92ffa7d4037c"
},
{
"url": "https://git.kernel.org/stable/c/ccc78781041589ea383e61d5d7a1e9a31b210b93"
},
{
"url": "https://git.kernel.org/stable/c/ee63729760f5b61a66f345c54dc4c7514e62383d"
},
{
"url": "https://git.kernel.org/stable/c/991f8a79db99b14c48d20d2052c82d65b9186cad"
}
],
"title": "ksmbd: vfs: fix race on m_flags in vfs_cache",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68809",
"datePublished": "2026-01-13T15:29:15.817Z",
"dateReserved": "2025-12-24T10:30:51.047Z",
"dateUpdated": "2026-02-09T08:33:58.311Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71137 (GCVE-0-2025-71137)
Vulnerability from cvelistv5
Published
2026-01-14 15:07
Modified
2026-02-09 08:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
octeontx2-pf: fix "UBSAN: shift-out-of-bounds error"
This patch ensures that the RX ring size (rx_pending) is not
set below the permitted length. This avoids UBSAN
shift-out-of-bounds errors when users passes small or zero
ring sizes via ethtool -G.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: d45d8979840d9c9ac93d3fe8cfc8e794b7228445 Version: d45d8979840d9c9ac93d3fe8cfc8e794b7228445 Version: d45d8979840d9c9ac93d3fe8cfc8e794b7228445 Version: d45d8979840d9c9ac93d3fe8cfc8e794b7228445 Version: d45d8979840d9c9ac93d3fe8cfc8e794b7228445 Version: d45d8979840d9c9ac93d3fe8cfc8e794b7228445 Version: d45d8979840d9c9ac93d3fe8cfc8e794b7228445 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5d8dfa3abb9a845302e021cf9c92d941abbc011a",
"status": "affected",
"version": "d45d8979840d9c9ac93d3fe8cfc8e794b7228445",
"versionType": "git"
},
{
"lessThan": "4cc4cfe4d23c883120b6f3d41145edbaa281f2ab",
"status": "affected",
"version": "d45d8979840d9c9ac93d3fe8cfc8e794b7228445",
"versionType": "git"
},
{
"lessThan": "658caf3b8aad65f8b8e102670ca4f68c7030f655",
"status": "affected",
"version": "d45d8979840d9c9ac93d3fe8cfc8e794b7228445",
"versionType": "git"
},
{
"lessThan": "b23a2e15589466a027c9baa3fb5813c9f6a6c6dc",
"status": "affected",
"version": "d45d8979840d9c9ac93d3fe8cfc8e794b7228445",
"versionType": "git"
},
{
"lessThan": "aa743b0d98448282b2cb37356db8db2a48524624",
"status": "affected",
"version": "d45d8979840d9c9ac93d3fe8cfc8e794b7228445",
"versionType": "git"
},
{
"lessThan": "442848e457f5a9f71a4e7e14d24d73dae278ebe3",
"status": "affected",
"version": "d45d8979840d9c9ac93d3fe8cfc8e794b7228445",
"versionType": "git"
},
{
"lessThan": "85f4b0c650d9f9db10bda8d3acfa1af83bf78cf7",
"status": "affected",
"version": "d45d8979840d9c9ac93d3fe8cfc8e794b7228445",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-pf: fix \"UBSAN: shift-out-of-bounds error\"\n\nThis patch ensures that the RX ring size (rx_pending) is not\nset below the permitted length. This avoids UBSAN\nshift-out-of-bounds errors when users passes small or zero\nring sizes via ethtool -G."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:34.357Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5d8dfa3abb9a845302e021cf9c92d941abbc011a"
},
{
"url": "https://git.kernel.org/stable/c/4cc4cfe4d23c883120b6f3d41145edbaa281f2ab"
},
{
"url": "https://git.kernel.org/stable/c/658caf3b8aad65f8b8e102670ca4f68c7030f655"
},
{
"url": "https://git.kernel.org/stable/c/b23a2e15589466a027c9baa3fb5813c9f6a6c6dc"
},
{
"url": "https://git.kernel.org/stable/c/aa743b0d98448282b2cb37356db8db2a48524624"
},
{
"url": "https://git.kernel.org/stable/c/442848e457f5a9f71a4e7e14d24d73dae278ebe3"
},
{
"url": "https://git.kernel.org/stable/c/85f4b0c650d9f9db10bda8d3acfa1af83bf78cf7"
}
],
"title": "octeontx2-pf: fix \"UBSAN: shift-out-of-bounds error\"",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71137",
"datePublished": "2026-01-14T15:07:51.264Z",
"dateReserved": "2026-01-13T15:30:19.656Z",
"dateUpdated": "2026-02-09T08:35:34.357Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23410 (GCVE-0-2026-23410)
Vulnerability from cvelistv5
Published
2026-04-01 08:36
Modified
2026-04-18 08:58
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
apparmor: fix race on rawdata dereference
There is a race condition that leads to a use-after-free situation:
because the rawdata inodes are not refcounted, an attacker can start
open()ing one of the rawdata files, and at the same time remove the
last reference to this rawdata (by removing the corresponding profile,
for example), which frees its struct aa_loaddata; as a result, when
seq_rawdata_open() is reached, i_private is a dangling pointer and
freed memory is accessed.
The rawdata inodes weren't refcounted to avoid a circular refcount and
were supposed to be held by the profile rawdata reference. However
during profile removal there is a window where the vfs and profile
destruction race, resulting in the use after free.
Fix this by moving to a double refcount scheme. Where the profile
refcount on rawdata is used to break the circular dependency. Allowing
for freeing of the rawdata once all inode references to the rawdata
are put.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 5d5182cae40115c03933989473288e54afb39c7c Version: 5d5182cae40115c03933989473288e54afb39c7c Version: 5d5182cae40115c03933989473288e54afb39c7c Version: 5d5182cae40115c03933989473288e54afb39c7c Version: 5d5182cae40115c03933989473288e54afb39c7c Version: 5d5182cae40115c03933989473288e54afb39c7c Version: 5d5182cae40115c03933989473288e54afb39c7c Version: 5d5182cae40115c03933989473288e54afb39c7c |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"security/apparmor/apparmorfs.c",
"security/apparmor/include/policy_unpack.h",
"security/apparmor/policy.c",
"security/apparmor/policy_unpack.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3b8e77c7abab40e6de9ad9de730d77984a498840",
"status": "affected",
"version": "5d5182cae40115c03933989473288e54afb39c7c",
"versionType": "git"
},
{
"lessThan": "d9d8560b9b7932f8cffc4c068c14289220900f79",
"status": "affected",
"version": "5d5182cae40115c03933989473288e54afb39c7c",
"versionType": "git"
},
{
"lessThan": "6b6ba87579c7e7c669e0bec91823e7fb693bc5df",
"status": "affected",
"version": "5d5182cae40115c03933989473288e54afb39c7c",
"versionType": "git"
},
{
"lessThan": "6ef1f2926c41ab96952d9696d55a052f1b3a9418",
"status": "affected",
"version": "5d5182cae40115c03933989473288e54afb39c7c",
"versionType": "git"
},
{
"lessThan": "f9761add6d100962a23996cb68f3d6abdd4d1815",
"status": "affected",
"version": "5d5182cae40115c03933989473288e54afb39c7c",
"versionType": "git"
},
{
"lessThan": "af782cc8871e3683ddd5a3cd2f7df526599863a9",
"status": "affected",
"version": "5d5182cae40115c03933989473288e54afb39c7c",
"versionType": "git"
},
{
"lessThan": "763e838adc3c7ec5a7df2990ce84cad951e42721",
"status": "affected",
"version": "5d5182cae40115c03933989473288e54afb39c7c",
"versionType": "git"
},
{
"lessThan": "a0b7091c4de45a7325c8780e6934a894f92ac86b",
"status": "affected",
"version": "5d5182cae40115c03933989473288e54afb39c7c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"security/apparmor/apparmorfs.c",
"security/apparmor/include/policy_unpack.h",
"security/apparmor/policy.c",
"security/apparmor/policy_unpack.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.18",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.8",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: fix race on rawdata dereference\n\nThere is a race condition that leads to a use-after-free situation:\nbecause the rawdata inodes are not refcounted, an attacker can start\nopen()ing one of the rawdata files, and at the same time remove the\nlast reference to this rawdata (by removing the corresponding profile,\nfor example), which frees its struct aa_loaddata; as a result, when\nseq_rawdata_open() is reached, i_private is a dangling pointer and\nfreed memory is accessed.\n\nThe rawdata inodes weren\u0027t refcounted to avoid a circular refcount and\nwere supposed to be held by the profile rawdata reference. However\nduring profile removal there is a window where the vfs and profile\ndestruction race, resulting in the use after free.\n\nFix this by moving to a double refcount scheme. Where the profile\nrefcount on rawdata is used to break the circular dependency. Allowing\nfor freeing of the rawdata once all inode references to the rawdata\nare put."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:58:45.958Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3b8e77c7abab40e6de9ad9de730d77984a498840"
},
{
"url": "https://git.kernel.org/stable/c/d9d8560b9b7932f8cffc4c068c14289220900f79"
},
{
"url": "https://git.kernel.org/stable/c/6b6ba87579c7e7c669e0bec91823e7fb693bc5df"
},
{
"url": "https://git.kernel.org/stable/c/6ef1f2926c41ab96952d9696d55a052f1b3a9418"
},
{
"url": "https://git.kernel.org/stable/c/f9761add6d100962a23996cb68f3d6abdd4d1815"
},
{
"url": "https://git.kernel.org/stable/c/af782cc8871e3683ddd5a3cd2f7df526599863a9"
},
{
"url": "https://git.kernel.org/stable/c/763e838adc3c7ec5a7df2990ce84cad951e42721"
},
{
"url": "https://git.kernel.org/stable/c/a0b7091c4de45a7325c8780e6934a894f92ac86b"
}
],
"title": "apparmor: fix race on rawdata dereference",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23410",
"datePublished": "2026-04-01T08:36:39.202Z",
"dateReserved": "2026-01-13T15:37:46.013Z",
"dateUpdated": "2026-04-18T08:58:45.958Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68805 (GCVE-0-2025-68805)
Vulnerability from cvelistv5
Published
2026-01-13 15:29
Modified
2026-02-09 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
fuse: fix io-uring list corruption for terminated non-committed requests
When a request is terminated before it has been committed, the request
is not removed from the queue's list. This leaves a dangling list entry
that leads to list corruption and use-after-free issues.
Remove the request from the queue's list for terminated non-committed
requests.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/fuse/dev_uring.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a6d1f1ace16d0e777a85f84267160052d3499b6e",
"status": "affected",
"version": "c090c8abae4b6b77a1bee116aa6c385456ebef96",
"versionType": "git"
},
{
"lessThan": "95c39eef7c2b666026c69ab5b30471da94ea2874",
"status": "affected",
"version": "c090c8abae4b6b77a1bee116aa6c385456ebef96",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/fuse/dev_uring.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.14"
},
{
"lessThan": "6.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfuse: fix io-uring list corruption for terminated non-committed requests\n\nWhen a request is terminated before it has been committed, the request\nis not removed from the queue\u0027s list. This leaves a dangling list entry\nthat leads to list corruption and use-after-free issues.\n\nRemove the request from the queue\u0027s list for terminated non-committed\nrequests."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:54.071Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a6d1f1ace16d0e777a85f84267160052d3499b6e"
},
{
"url": "https://git.kernel.org/stable/c/95c39eef7c2b666026c69ab5b30471da94ea2874"
}
],
"title": "fuse: fix io-uring list corruption for terminated non-committed requests",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68805",
"datePublished": "2026-01-13T15:29:13.119Z",
"dateReserved": "2025-12-24T10:30:51.045Z",
"dateUpdated": "2026-02-09T08:33:54.071Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68257 (GCVE-0-2025-68257)
Vulnerability from cvelistv5
Published
2025-12-16 14:44
Modified
2026-02-09 08:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
comedi: check device's attached status in compat ioctls
Syzbot identified an issue [1] that crashes kernel, seemingly due to
unexistent callback dev->get_valid_routes(). By all means, this should
not occur as said callback must always be set to
get_zero_valid_routes() in __comedi_device_postconfig().
As the crash seems to appear exclusively in i386 kernels, at least,
judging from [1] reports, the blame lies with compat versions
of standard IOCTL handlers. Several of them are modified and
do not use comedi_unlocked_ioctl(). While functionality of these
ioctls essentially copy their original versions, they do not
have required sanity check for device's attached status. This,
in turn, leads to a possibility of calling select IOCTLs on a
device that has not been properly setup, even via COMEDI_DEVCONFIG.
Doing so on unconfigured devices means that several crucial steps
are missed, for instance, specifying dev->get_valid_routes()
callback.
Fix this somewhat crudely by ensuring device's attached status before
performing any ioctls, improving logic consistency between modern
and compat functions.
[1] Syzbot report:
BUG: kernel NULL pointer dereference, address: 0000000000000000
...
CR2: ffffffffffffffd6 CR3: 000000006c717000 CR4: 0000000000352ef0
Call Trace:
<TASK>
get_valid_routes drivers/comedi/comedi_fops.c:1322 [inline]
parse_insn+0x78c/0x1970 drivers/comedi/comedi_fops.c:1401
do_insnlist_ioctl+0x272/0x700 drivers/comedi/comedi_fops.c:1594
compat_insnlist drivers/comedi/comedi_fops.c:3208 [inline]
comedi_compat_ioctl+0x810/0x990 drivers/comedi/comedi_fops.c:3273
__do_compat_sys_ioctl fs/ioctl.c:695 [inline]
__se_compat_sys_ioctl fs/ioctl.c:638 [inline]
__ia32_compat_sys_ioctl+0x242/0x370 fs/ioctl.c:638
do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
...
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 3fbfd2223a271426509830e6340c386a1054cfad Version: 3fbfd2223a271426509830e6340c386a1054cfad Version: 3fbfd2223a271426509830e6340c386a1054cfad Version: 3fbfd2223a271426509830e6340c386a1054cfad Version: 3fbfd2223a271426509830e6340c386a1054cfad Version: 3fbfd2223a271426509830e6340c386a1054cfad Version: 3fbfd2223a271426509830e6340c386a1054cfad Version: 3fbfd2223a271426509830e6340c386a1054cfad |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/comedi/comedi_fops.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4836ba483a22ebd076c8faaf8293a7295fad4142",
"status": "affected",
"version": "3fbfd2223a271426509830e6340c386a1054cfad",
"versionType": "git"
},
{
"lessThan": "7141915bf0c41cb57d83cdbaf695b8c731b16b71",
"status": "affected",
"version": "3fbfd2223a271426509830e6340c386a1054cfad",
"versionType": "git"
},
{
"lessThan": "f13895c03620933a58907e3250016f087e39b78c",
"status": "affected",
"version": "3fbfd2223a271426509830e6340c386a1054cfad",
"versionType": "git"
},
{
"lessThan": "b975f91de5f8f63cf490f0393775cc795f8b0557",
"status": "affected",
"version": "3fbfd2223a271426509830e6340c386a1054cfad",
"versionType": "git"
},
{
"lessThan": "f6e629dfe6f590091c662a87c9fcf118b1c1c7dc",
"status": "affected",
"version": "3fbfd2223a271426509830e6340c386a1054cfad",
"versionType": "git"
},
{
"lessThan": "573b07d2e3d473ee7eb625ef87519922cf01168d",
"status": "affected",
"version": "3fbfd2223a271426509830e6340c386a1054cfad",
"versionType": "git"
},
{
"lessThan": "aac80e912de306815297a3b74f0426873ffa7dc3",
"status": "affected",
"version": "3fbfd2223a271426509830e6340c386a1054cfad",
"versionType": "git"
},
{
"lessThan": "0de7d9cd07a2671fa6089173bccc0b2afe6b93ee",
"status": "affected",
"version": "3fbfd2223a271426509830e6340c386a1054cfad",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/comedi/comedi_fops.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.62",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.62",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.12",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.1",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: check device\u0027s attached status in compat ioctls\n\nSyzbot identified an issue [1] that crashes kernel, seemingly due to\nunexistent callback dev-\u003eget_valid_routes(). By all means, this should\nnot occur as said callback must always be set to\nget_zero_valid_routes() in __comedi_device_postconfig().\n\nAs the crash seems to appear exclusively in i386 kernels, at least,\njudging from [1] reports, the blame lies with compat versions\nof standard IOCTL handlers. Several of them are modified and\ndo not use comedi_unlocked_ioctl(). While functionality of these\nioctls essentially copy their original versions, they do not\nhave required sanity check for device\u0027s attached status. This,\nin turn, leads to a possibility of calling select IOCTLs on a\ndevice that has not been properly setup, even via COMEDI_DEVCONFIG.\n\nDoing so on unconfigured devices means that several crucial steps\nare missed, for instance, specifying dev-\u003eget_valid_routes()\ncallback.\n\nFix this somewhat crudely by ensuring device\u0027s attached status before\nperforming any ioctls, improving logic consistency between modern\nand compat functions.\n\n[1] Syzbot report:\nBUG: kernel NULL pointer dereference, address: 0000000000000000\n...\nCR2: ffffffffffffffd6 CR3: 000000006c717000 CR4: 0000000000352ef0\nCall Trace:\n \u003cTASK\u003e\n get_valid_routes drivers/comedi/comedi_fops.c:1322 [inline]\n parse_insn+0x78c/0x1970 drivers/comedi/comedi_fops.c:1401\n do_insnlist_ioctl+0x272/0x700 drivers/comedi/comedi_fops.c:1594\n compat_insnlist drivers/comedi/comedi_fops.c:3208 [inline]\n comedi_compat_ioctl+0x810/0x990 drivers/comedi/comedi_fops.c:3273\n __do_compat_sys_ioctl fs/ioctl.c:695 [inline]\n __se_compat_sys_ioctl fs/ioctl.c:638 [inline]\n __ia32_compat_sys_ioctl+0x242/0x370 fs/ioctl.c:638\n do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]\n..."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:31:10.507Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4836ba483a22ebd076c8faaf8293a7295fad4142"
},
{
"url": "https://git.kernel.org/stable/c/7141915bf0c41cb57d83cdbaf695b8c731b16b71"
},
{
"url": "https://git.kernel.org/stable/c/f13895c03620933a58907e3250016f087e39b78c"
},
{
"url": "https://git.kernel.org/stable/c/b975f91de5f8f63cf490f0393775cc795f8b0557"
},
{
"url": "https://git.kernel.org/stable/c/f6e629dfe6f590091c662a87c9fcf118b1c1c7dc"
},
{
"url": "https://git.kernel.org/stable/c/573b07d2e3d473ee7eb625ef87519922cf01168d"
},
{
"url": "https://git.kernel.org/stable/c/aac80e912de306815297a3b74f0426873ffa7dc3"
},
{
"url": "https://git.kernel.org/stable/c/0de7d9cd07a2671fa6089173bccc0b2afe6b93ee"
}
],
"title": "comedi: check device\u0027s attached status in compat ioctls",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68257",
"datePublished": "2025-12-16T14:44:59.535Z",
"dateReserved": "2025-12-16T13:41:40.267Z",
"dateUpdated": "2026-02-09T08:31:10.507Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68736 (GCVE-0-2025-68736)
Vulnerability from cvelistv5
Published
2025-12-24 12:09
Modified
2026-04-02 11:30
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
landlock: Fix handling of disconnected directories
Disconnected files or directories can appear when they are visible and
opened from a bind mount, but have been renamed or moved from the source
of the bind mount in a way that makes them inaccessible from the mount
point (i.e. out of scope).
Previously, access rights tied to files or directories opened through a
disconnected directory were collected by walking the related hierarchy
down to the root of the filesystem, without taking into account the
mount point because it couldn't be found. This could lead to
inconsistent access results, potential access right widening, and
hard-to-debug renames, especially since such paths cannot be printed.
For a sandboxed task to create a disconnected directory, it needs to
have write access (i.e. FS_MAKE_REG, FS_REMOVE_FILE, and FS_REFER) to
the underlying source of the bind mount, and read access to the related
mount point. Because a sandboxed task cannot acquire more access
rights than those defined by its Landlock domain, this could lead to
inconsistent access rights due to missing permissions that should be
inherited from the mount point hierarchy, while inheriting permissions
from the filesystem hierarchy hidden by this mount point instead.
Landlock now handles files and directories opened from disconnected
directories by taking into account the filesystem hierarchy when the
mount point is not found in the hierarchy walk, and also always taking
into account the mount point from which these disconnected directories
were opened. This ensures that a rename is not allowed if it would
widen access rights [1].
The rationale is that, even if disconnected hierarchies might not be
visible or accessible to a sandboxed task, relying on the collected
access rights from them improves the guarantee that access rights will
not be widened during a rename because of the access right comparison
between the source and the destination (see LANDLOCK_ACCESS_FS_REFER).
It may look like this would grant more access on disconnected files and
directories, but the security policies are always enforced for all the
evaluated hierarchies. This new behavior should be less surprising to
users and safer from an access control perspective.
Remove a wrong WARN_ON_ONCE() canary in collect_domain_accesses() and
fix the related comment.
Because opened files have their access rights stored in the related file
security properties, there is no impact for disconnected or unlinked
files.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"security/landlock/errata/abi-1.h",
"security/landlock/fs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "426d5b681b2f3339ff04da39b81d71176dc8c87c",
"status": "affected",
"version": "cb2c7d1a1776057c9a1f48ed1250d85e94d4850d",
"versionType": "git"
},
{
"lessThan": "cadb28f8b3fd6908e3051e86158c65c3a8e1c907",
"status": "affected",
"version": "cb2c7d1a1776057c9a1f48ed1250d85e94d4850d",
"versionType": "git"
},
{
"lessThan": "49c9e09d961025b22e61ef9ad56aa1c21b6ce2f1",
"status": "affected",
"version": "cb2c7d1a1776057c9a1f48ed1250d85e94d4850d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"security/landlock/errata/abi-1.h",
"security/landlock/fs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlandlock: Fix handling of disconnected directories\n\nDisconnected files or directories can appear when they are visible and\nopened from a bind mount, but have been renamed or moved from the source\nof the bind mount in a way that makes them inaccessible from the mount\npoint (i.e. out of scope).\n\nPreviously, access rights tied to files or directories opened through a\ndisconnected directory were collected by walking the related hierarchy\ndown to the root of the filesystem, without taking into account the\nmount point because it couldn\u0027t be found. This could lead to\ninconsistent access results, potential access right widening, and\nhard-to-debug renames, especially since such paths cannot be printed.\n\nFor a sandboxed task to create a disconnected directory, it needs to\nhave write access (i.e. FS_MAKE_REG, FS_REMOVE_FILE, and FS_REFER) to\nthe underlying source of the bind mount, and read access to the related\nmount point. Because a sandboxed task cannot acquire more access\nrights than those defined by its Landlock domain, this could lead to\ninconsistent access rights due to missing permissions that should be\ninherited from the mount point hierarchy, while inheriting permissions\nfrom the filesystem hierarchy hidden by this mount point instead.\n\nLandlock now handles files and directories opened from disconnected\ndirectories by taking into account the filesystem hierarchy when the\nmount point is not found in the hierarchy walk, and also always taking\ninto account the mount point from which these disconnected directories\nwere opened. This ensures that a rename is not allowed if it would\nwiden access rights [1].\n\nThe rationale is that, even if disconnected hierarchies might not be\nvisible or accessible to a sandboxed task, relying on the collected\naccess rights from them improves the guarantee that access rights will\nnot be widened during a rename because of the access right comparison\nbetween the source and the destination (see LANDLOCK_ACCESS_FS_REFER).\nIt may look like this would grant more access on disconnected files and\ndirectories, but the security policies are always enforced for all the\nevaluated hierarchies. This new behavior should be less surprising to\nusers and safer from an access control perspective.\n\nRemove a wrong WARN_ON_ONCE() canary in collect_domain_accesses() and\nfix the related comment.\n\nBecause opened files have their access rights stored in the related file\nsecurity properties, there is no impact for disconnected or unlinked\nfiles."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T11:30:46.042Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/426d5b681b2f3339ff04da39b81d71176dc8c87c"
},
{
"url": "https://git.kernel.org/stable/c/cadb28f8b3fd6908e3051e86158c65c3a8e1c907"
},
{
"url": "https://git.kernel.org/stable/c/49c9e09d961025b22e61ef9ad56aa1c21b6ce2f1"
}
],
"title": "landlock: Fix handling of disconnected directories",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68736",
"datePublished": "2025-12-24T12:09:35.081Z",
"dateReserved": "2025-12-24T10:30:51.029Z",
"dateUpdated": "2026-04-02T11:30:46.042Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71112 (GCVE-0-2025-71112)
Vulnerability from cvelistv5
Published
2026-01-14 15:05
Modified
2026-02-09 08:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: hns3: add VLAN id validation before using
Currently, the VLAN id may be used without validation when
receive a VLAN configuration mailbox from VF. The length of
vlan_del_fail_bmap is BITS_TO_LONGS(VLAN_N_VID). It may cause
out-of-bounds memory access once the VLAN id is bigger than
or equal to VLAN_N_VID.
Therefore, VLAN id needs to be checked to ensure it is within
the range of VLAN_N_VID.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: fe4144d47eef8453459c53a34e9d5940a3e6c219 Version: fe4144d47eef8453459c53a34e9d5940a3e6c219 Version: fe4144d47eef8453459c53a34e9d5940a3e6c219 Version: fe4144d47eef8453459c53a34e9d5940a3e6c219 Version: fe4144d47eef8453459c53a34e9d5940a3e6c219 Version: fe4144d47eef8453459c53a34e9d5940a3e6c219 Version: fe4144d47eef8453459c53a34e9d5940a3e6c219 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "46c7d9fe8dd869ea5de666aba8c1ec1061ca44a8",
"status": "affected",
"version": "fe4144d47eef8453459c53a34e9d5940a3e6c219",
"versionType": "git"
},
{
"lessThan": "42c91dfa772c57de141e5a55a187ac760c0fd7e1",
"status": "affected",
"version": "fe4144d47eef8453459c53a34e9d5940a3e6c219",
"versionType": "git"
},
{
"lessThan": "00e56a7706e10b3d00a258d81fcb85a7e96372d6",
"status": "affected",
"version": "fe4144d47eef8453459c53a34e9d5940a3e6c219",
"versionType": "git"
},
{
"lessThan": "b7b4f3bf118f51b67691a55b464f04452e5dc6fc",
"status": "affected",
"version": "fe4144d47eef8453459c53a34e9d5940a3e6c219",
"versionType": "git"
},
{
"lessThan": "95cca255a7a5ad782639ff0298c2a486707d1046",
"status": "affected",
"version": "fe4144d47eef8453459c53a34e9d5940a3e6c219",
"versionType": "git"
},
{
"lessThan": "91a51d01be5c9f82c12c2921ca5cceaa31b67128",
"status": "affected",
"version": "fe4144d47eef8453459c53a34e9d5940a3e6c219",
"versionType": "git"
},
{
"lessThan": "6ef935e65902bfed53980ad2754b06a284ea8ac1",
"status": "affected",
"version": "fe4144d47eef8453459c53a34e9d5940a3e6c219",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"lessThan": "5.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: add VLAN id validation before using\n\nCurrently, the VLAN id may be used without validation when\nreceive a VLAN configuration mailbox from VF. The length of\nvlan_del_fail_bmap is BITS_TO_LONGS(VLAN_N_VID). It may cause\nout-of-bounds memory access once the VLAN id is bigger than\nor equal to VLAN_N_VID.\n\nTherefore, VLAN id needs to be checked to ensure it is within\nthe range of VLAN_N_VID."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:06.680Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/46c7d9fe8dd869ea5de666aba8c1ec1061ca44a8"
},
{
"url": "https://git.kernel.org/stable/c/42c91dfa772c57de141e5a55a187ac760c0fd7e1"
},
{
"url": "https://git.kernel.org/stable/c/00e56a7706e10b3d00a258d81fcb85a7e96372d6"
},
{
"url": "https://git.kernel.org/stable/c/b7b4f3bf118f51b67691a55b464f04452e5dc6fc"
},
{
"url": "https://git.kernel.org/stable/c/95cca255a7a5ad782639ff0298c2a486707d1046"
},
{
"url": "https://git.kernel.org/stable/c/91a51d01be5c9f82c12c2921ca5cceaa31b67128"
},
{
"url": "https://git.kernel.org/stable/c/6ef935e65902bfed53980ad2754b06a284ea8ac1"
}
],
"title": "net: hns3: add VLAN id validation before using",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71112",
"datePublished": "2026-01-14T15:05:59.308Z",
"dateReserved": "2026-01-13T15:30:19.653Z",
"dateUpdated": "2026-02-09T08:35:06.680Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68254 (GCVE-0-2025-68254)
Vulnerability from cvelistv5
Published
2025-12-16 14:44
Modified
2026-02-09 08:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
staging: rtl8723bs: fix out-of-bounds read in OnBeacon ESR IE parsing
The Extended Supported Rates (ESR) IE handling in OnBeacon accessed
*(p + 1 + ielen) and *(p + 2 + ielen) without verifying that these
offsets lie within the received frame buffer. A malformed beacon with
an ESR IE positioned at the end of the buffer could cause an
out-of-bounds read, potentially triggering a kernel panic.
Add a boundary check to ensure that the ESR IE body and the subsequent
bytes are within the limits of the frame before attempting to access
them.
This prevents OOB reads caused by malformed beacon frames.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 554c0a3abf216c991c5ebddcdb2c08689ecd290b Version: 554c0a3abf216c991c5ebddcdb2c08689ecd290b Version: 554c0a3abf216c991c5ebddcdb2c08689ecd290b Version: 554c0a3abf216c991c5ebddcdb2c08689ecd290b Version: 554c0a3abf216c991c5ebddcdb2c08689ecd290b Version: 554c0a3abf216c991c5ebddcdb2c08689ecd290b Version: 554c0a3abf216c991c5ebddcdb2c08689ecd290b |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/staging/rtl8723bs/core/rtw_mlme_ext.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c03cb111628924827351e19baa5b073e9b0d723d",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "bb5940193d813449540d8d3a82abc045be41f48a",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "c173ce97d3f0f0c0fefa39139d6d04ba60b5db22",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "d1ab7f9cee22e7b8a528da9ac953e4193b96cda5",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "38292407c2bb5b2b3131aaace4ecc7a829b40b76",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "bf323db1d883c209880bd92f3b12503e3531c3fc",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "502ddcc405b69fa92e0add6c1714d654504f6fd7",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/staging/rtl8723bs/core/rtw_mlme_ext.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.62",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.62",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.12",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.1",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: rtl8723bs: fix out-of-bounds read in OnBeacon ESR IE parsing\n\nThe Extended Supported Rates (ESR) IE handling in OnBeacon accessed\n*(p + 1 + ielen) and *(p + 2 + ielen) without verifying that these\noffsets lie within the received frame buffer. A malformed beacon with\nan ESR IE positioned at the end of the buffer could cause an\nout-of-bounds read, potentially triggering a kernel panic.\n\nAdd a boundary check to ensure that the ESR IE body and the subsequent\nbytes are within the limits of the frame before attempting to access\nthem.\n\nThis prevents OOB reads caused by malformed beacon frames."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:31:07.247Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c03cb111628924827351e19baa5b073e9b0d723d"
},
{
"url": "https://git.kernel.org/stable/c/bb5940193d813449540d8d3a82abc045be41f48a"
},
{
"url": "https://git.kernel.org/stable/c/c173ce97d3f0f0c0fefa39139d6d04ba60b5db22"
},
{
"url": "https://git.kernel.org/stable/c/d1ab7f9cee22e7b8a528da9ac953e4193b96cda5"
},
{
"url": "https://git.kernel.org/stable/c/38292407c2bb5b2b3131aaace4ecc7a829b40b76"
},
{
"url": "https://git.kernel.org/stable/c/bf323db1d883c209880bd92f3b12503e3531c3fc"
},
{
"url": "https://git.kernel.org/stable/c/502ddcc405b69fa92e0add6c1714d654504f6fd7"
}
],
"title": "staging: rtl8723bs: fix out-of-bounds read in OnBeacon ESR IE parsing",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68254",
"datePublished": "2025-12-16T14:44:57.204Z",
"dateReserved": "2025-12-16T13:41:40.266Z",
"dateUpdated": "2026-02-09T08:31:07.247Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40273 (GCVE-0-2025-40273)
Vulnerability from cvelistv5
Published
2025-12-06 21:50
Modified
2025-12-06 21:50
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
NFSD: free copynotify stateid in nfs4_free_ol_stateid()
Typically copynotify stateid is freed either when parent's stateid
is being close/freed or in nfsd4_laundromat if the stateid hasn't
been used in a lease period.
However, in case when the server got an OPEN (which created
a parent stateid), followed by a COPY_NOTIFY using that stateid,
followed by a client reboot. New client instance while doing
CREATE_SESSION would force expire previous state of this client.
It leads to the open state being freed thru release_openowner->
nfs4_free_ol_stateid() and it finds that it still has copynotify
stateid associated with it. We currently print a warning and is
triggerred
WARNING: CPU: 1 PID: 8858 at fs/nfsd/nfs4state.c:1550 nfs4_free_ol_stateid+0xb0/0x100 [nfsd]
This patch, instead, frees the associated copynotify stateid here.
If the parent stateid is freed (without freeing the copynotify
stateids associated with it), it leads to the list corruption
when laundromat ends up freeing the copynotify state later.
[ 1626.839430] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
[ 1626.842828] Modules linked in: nfnetlink_queue nfnetlink_log bluetooth cfg80211 rpcrdma rdma_cm iw_cm ib_cm ib_core nfsd nfs_acl lockd grace nfs_localio ext4 crc16 mbcache jbd2 overlay uinput snd_seq_dummy snd_hrtimer qrtr rfkill vfat fat uvcvideo snd_hda_codec_generic videobuf2_vmalloc videobuf2_memops snd_hda_intel uvc snd_intel_dspcfg videobuf2_v4l2 videobuf2_common snd_hda_codec snd_hda_core videodev snd_hwdep snd_seq mc snd_seq_device snd_pcm snd_timer snd soundcore sg loop auth_rpcgss vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vmw_vmci vsock xfs 8021q garp stp llc mrp nvme ghash_ce e1000e nvme_core sr_mod nvme_keyring nvme_auth cdrom vmwgfx drm_ttm_helper ttm sunrpc dm_mirror dm_region_hash dm_log iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi fuse dm_multipath dm_mod nfnetlink
[ 1626.855594] CPU: 2 UID: 0 PID: 199 Comm: kworker/u24:33 Kdump: loaded Tainted: G B W 6.17.0-rc7+ #22 PREEMPT(voluntary)
[ 1626.857075] Tainted: [B]=BAD_PAGE, [W]=WARN
[ 1626.857573] Hardware name: VMware, Inc. VMware20,1/VBSA, BIOS VMW201.00V.24006586.BA64.2406042154 06/04/2024
[ 1626.858724] Workqueue: nfsd4 laundromat_main [nfsd]
[ 1626.859304] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
[ 1626.860010] pc : __list_del_entry_valid_or_report+0x148/0x200
[ 1626.860601] lr : __list_del_entry_valid_or_report+0x148/0x200
[ 1626.861182] sp : ffff8000881d7a40
[ 1626.861521] x29: ffff8000881d7a40 x28: 0000000000000018 x27: ffff0000c2a98200
[ 1626.862260] x26: 0000000000000600 x25: 0000000000000000 x24: ffff8000881d7b20
[ 1626.862986] x23: ffff0000c2a981e8 x22: 1fffe00012410e7d x21: ffff0000920873e8
[ 1626.863701] x20: ffff0000920873e8 x19: ffff000086f22998 x18: 0000000000000000
[ 1626.864421] x17: 20747562202c3839 x16: 3932326636383030 x15: 3030666666662065
[ 1626.865092] x14: 6220646c756f6873 x13: 0000000000000001 x12: ffff60004fd9e4a3
[ 1626.865713] x11: 1fffe0004fd9e4a2 x10: ffff60004fd9e4a2 x9 : dfff800000000000
[ 1626.866320] x8 : 00009fffb0261b5e x7 : ffff00027ecf2513 x6 : 0000000000000001
[ 1626.866938] x5 : ffff00027ecf2510 x4 : ffff60004fd9e4a3 x3 : 0000000000000000
[ 1626.867553] x2 : 0000000000000000 x1 : ffff000096069640 x0 : 000000000000006d
[ 1626.868167] Call trace:
[ 1626.868382] __list_del_entry_valid_or_report+0x148/0x200 (P)
[ 1626.868876] _free_cpntf_state_locked+0xd0/0x268 [nfsd]
[ 1626.869368] nfs4_laundromat+0x6f8/0x1058 [nfsd]
[ 1626.869813] laundromat_main+0x24/0x60 [nfsd]
[ 1626.870231] process_one_work+0x584/0x1050
[ 1626.870595] worker_thread+0x4c4/0xc60
[ 1626.870893] kthread+0x2f8/0x398
[ 1626.871146] ret_from_fork+0x10/0x20
[ 1626.871422] Code: aa1303e1 aa1403e3 910e8000 97bc55d7 (d4210000)
[ 1626.871892] SMP: stopping secondary CPUs
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 624322f1adc58acd0b69f77a6ddc764207e97241 Version: 624322f1adc58acd0b69f77a6ddc764207e97241 Version: 624322f1adc58acd0b69f77a6ddc764207e97241 Version: 624322f1adc58acd0b69f77a6ddc764207e97241 Version: 624322f1adc58acd0b69f77a6ddc764207e97241 Version: 624322f1adc58acd0b69f77a6ddc764207e97241 Version: 624322f1adc58acd0b69f77a6ddc764207e97241 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfs4state.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "935a2dc8928670bb2c37e21025331e61ec48ccf4",
"status": "affected",
"version": "624322f1adc58acd0b69f77a6ddc764207e97241",
"versionType": "git"
},
{
"lessThan": "b114996a095da39e38410a0328d4a8aca8c36088",
"status": "affected",
"version": "624322f1adc58acd0b69f77a6ddc764207e97241",
"versionType": "git"
},
{
"lessThan": "839f56f626723f36904764858467e7a3881b975d",
"status": "affected",
"version": "624322f1adc58acd0b69f77a6ddc764207e97241",
"versionType": "git"
},
{
"lessThan": "29fbb3ad4018ca2b0988fbac76f4c694cc6d7e66",
"status": "affected",
"version": "624322f1adc58acd0b69f77a6ddc764207e97241",
"versionType": "git"
},
{
"lessThan": "d7be15a634aa3874827d0d3ea47452ee878b8df7",
"status": "affected",
"version": "624322f1adc58acd0b69f77a6ddc764207e97241",
"versionType": "git"
},
{
"lessThan": "f67ad9b33b0e6f00d2acc67cbf9cfa5c756be5fb",
"status": "affected",
"version": "624322f1adc58acd0b69f77a6ddc764207e97241",
"versionType": "git"
},
{
"lessThan": "4aa17144d5abc3c756883e3a010246f0dba8b468",
"status": "affected",
"version": "624322f1adc58acd0b69f77a6ddc764207e97241",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfs4state.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: free copynotify stateid in nfs4_free_ol_stateid()\n\nTypically copynotify stateid is freed either when parent\u0027s stateid\nis being close/freed or in nfsd4_laundromat if the stateid hasn\u0027t\nbeen used in a lease period.\n\nHowever, in case when the server got an OPEN (which created\na parent stateid), followed by a COPY_NOTIFY using that stateid,\nfollowed by a client reboot. New client instance while doing\nCREATE_SESSION would force expire previous state of this client.\nIt leads to the open state being freed thru release_openowner-\u003e\nnfs4_free_ol_stateid() and it finds that it still has copynotify\nstateid associated with it. We currently print a warning and is\ntriggerred\n\nWARNING: CPU: 1 PID: 8858 at fs/nfsd/nfs4state.c:1550 nfs4_free_ol_stateid+0xb0/0x100 [nfsd]\n\nThis patch, instead, frees the associated copynotify stateid here.\n\nIf the parent stateid is freed (without freeing the copynotify\nstateids associated with it), it leads to the list corruption\nwhen laundromat ends up freeing the copynotify state later.\n\n[ 1626.839430] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP\n[ 1626.842828] Modules linked in: nfnetlink_queue nfnetlink_log bluetooth cfg80211 rpcrdma rdma_cm iw_cm ib_cm ib_core nfsd nfs_acl lockd grace nfs_localio ext4 crc16 mbcache jbd2 overlay uinput snd_seq_dummy snd_hrtimer qrtr rfkill vfat fat uvcvideo snd_hda_codec_generic videobuf2_vmalloc videobuf2_memops snd_hda_intel uvc snd_intel_dspcfg videobuf2_v4l2 videobuf2_common snd_hda_codec snd_hda_core videodev snd_hwdep snd_seq mc snd_seq_device snd_pcm snd_timer snd soundcore sg loop auth_rpcgss vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vmw_vmci vsock xfs 8021q garp stp llc mrp nvme ghash_ce e1000e nvme_core sr_mod nvme_keyring nvme_auth cdrom vmwgfx drm_ttm_helper ttm sunrpc dm_mirror dm_region_hash dm_log iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi fuse dm_multipath dm_mod nfnetlink\n[ 1626.855594] CPU: 2 UID: 0 PID: 199 Comm: kworker/u24:33 Kdump: loaded Tainted: G B W 6.17.0-rc7+ #22 PREEMPT(voluntary)\n[ 1626.857075] Tainted: [B]=BAD_PAGE, [W]=WARN\n[ 1626.857573] Hardware name: VMware, Inc. VMware20,1/VBSA, BIOS VMW201.00V.24006586.BA64.2406042154 06/04/2024\n[ 1626.858724] Workqueue: nfsd4 laundromat_main [nfsd]\n[ 1626.859304] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n[ 1626.860010] pc : __list_del_entry_valid_or_report+0x148/0x200\n[ 1626.860601] lr : __list_del_entry_valid_or_report+0x148/0x200\n[ 1626.861182] sp : ffff8000881d7a40\n[ 1626.861521] x29: ffff8000881d7a40 x28: 0000000000000018 x27: ffff0000c2a98200\n[ 1626.862260] x26: 0000000000000600 x25: 0000000000000000 x24: ffff8000881d7b20\n[ 1626.862986] x23: ffff0000c2a981e8 x22: 1fffe00012410e7d x21: ffff0000920873e8\n[ 1626.863701] x20: ffff0000920873e8 x19: ffff000086f22998 x18: 0000000000000000\n[ 1626.864421] x17: 20747562202c3839 x16: 3932326636383030 x15: 3030666666662065\n[ 1626.865092] x14: 6220646c756f6873 x13: 0000000000000001 x12: ffff60004fd9e4a3\n[ 1626.865713] x11: 1fffe0004fd9e4a2 x10: ffff60004fd9e4a2 x9 : dfff800000000000\n[ 1626.866320] x8 : 00009fffb0261b5e x7 : ffff00027ecf2513 x6 : 0000000000000001\n[ 1626.866938] x5 : ffff00027ecf2510 x4 : ffff60004fd9e4a3 x3 : 0000000000000000\n[ 1626.867553] x2 : 0000000000000000 x1 : ffff000096069640 x0 : 000000000000006d\n[ 1626.868167] Call trace:\n[ 1626.868382] __list_del_entry_valid_or_report+0x148/0x200 (P)\n[ 1626.868876] _free_cpntf_state_locked+0xd0/0x268 [nfsd]\n[ 1626.869368] nfs4_laundromat+0x6f8/0x1058 [nfsd]\n[ 1626.869813] laundromat_main+0x24/0x60 [nfsd]\n[ 1626.870231] process_one_work+0x584/0x1050\n[ 1626.870595] worker_thread+0x4c4/0xc60\n[ 1626.870893] kthread+0x2f8/0x398\n[ 1626.871146] ret_from_fork+0x10/0x20\n[ 1626.871422] Code: aa1303e1 aa1403e3 910e8000 97bc55d7 (d4210000)\n[ 1626.871892] SMP: stopping secondary CPUs"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T21:50:55.723Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/935a2dc8928670bb2c37e21025331e61ec48ccf4"
},
{
"url": "https://git.kernel.org/stable/c/b114996a095da39e38410a0328d4a8aca8c36088"
},
{
"url": "https://git.kernel.org/stable/c/839f56f626723f36904764858467e7a3881b975d"
},
{
"url": "https://git.kernel.org/stable/c/29fbb3ad4018ca2b0988fbac76f4c694cc6d7e66"
},
{
"url": "https://git.kernel.org/stable/c/d7be15a634aa3874827d0d3ea47452ee878b8df7"
},
{
"url": "https://git.kernel.org/stable/c/f67ad9b33b0e6f00d2acc67cbf9cfa5c756be5fb"
},
{
"url": "https://git.kernel.org/stable/c/4aa17144d5abc3c756883e3a010246f0dba8b468"
}
],
"title": "NFSD: free copynotify stateid in nfs4_free_ol_stateid()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40273",
"datePublished": "2025-12-06T21:50:55.723Z",
"dateReserved": "2025-04-16T07:20:57.183Z",
"dateUpdated": "2025-12-06T21:50:55.723Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68745 (GCVE-0-2025-68745)
Vulnerability from cvelistv5
Published
2025-12-24 12:09
Modified
2026-02-09 08:32
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: qla2xxx: Clear cmds after chip reset
Commit aefed3e5548f ("scsi: qla2xxx: target: Fix offline port handling
and host reset handling") caused two problems:
1. Commands sent to FW, after chip reset got stuck and never freed as FW
is not going to respond to them anymore.
2. BUG_ON(cmd->sg_mapped) in qlt_free_cmd(). Commit 26f9ce53817a
("scsi: qla2xxx: Fix missed DMA unmap for aborted commands")
attempted to fix this, but introduced another bug under different
circumstances when two different CPUs were racing to call
qlt_unmap_sg() at the same time: BUG_ON(!valid_dma_direction(dir)) in
dma_unmap_sg_attrs().
So revert "scsi: qla2xxx: Fix missed DMA unmap for aborted commands" and
partially revert "scsi: qla2xxx: target: Fix offline port handling and
host reset handling" at __qla2x00_abort_all_cmds.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_os.c",
"drivers/scsi/qla2xxx/qla_target.c",
"drivers/scsi/qla2xxx/qla_target.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5c1fb3fd05da3d55b8cbc42d7d660b313cbdc936",
"status": "affected",
"version": "aefed3e5548f28e5fecafda6604fcbc65484dbaa",
"versionType": "git"
},
{
"lessThan": "d46c69a087aa3d1513f7a78f871b80251ea0c1ae",
"status": "affected",
"version": "aefed3e5548f28e5fecafda6604fcbc65484dbaa",
"versionType": "git"
},
{
"status": "affected",
"version": "eb67b7a23d357f578578e737cb6412ae2384f352",
"versionType": "git"
},
{
"status": "affected",
"version": "ec9639d92c1e10d4bc667e842753d85e21683d5c",
"versionType": "git"
},
{
"status": "affected",
"version": "e6e957f552d5b696879a31e5b0e2a9120e1ea86e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_os.c",
"drivers/scsi/qla2xxx/qla_target.c",
"drivers/scsi/qla2xxx/qla_target.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.2"
},
{
"lessThan": "5.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.316",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.281",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.245",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Clear cmds after chip reset\n\nCommit aefed3e5548f (\"scsi: qla2xxx: target: Fix offline port handling\nand host reset handling\") caused two problems:\n\n1. Commands sent to FW, after chip reset got stuck and never freed as FW\n is not going to respond to them anymore.\n\n2. BUG_ON(cmd-\u003esg_mapped) in qlt_free_cmd(). Commit 26f9ce53817a\n (\"scsi: qla2xxx: Fix missed DMA unmap for aborted commands\")\n attempted to fix this, but introduced another bug under different\n circumstances when two different CPUs were racing to call\n qlt_unmap_sg() at the same time: BUG_ON(!valid_dma_direction(dir)) in\n dma_unmap_sg_attrs().\n\nSo revert \"scsi: qla2xxx: Fix missed DMA unmap for aborted commands\" and\npartially revert \"scsi: qla2xxx: target: Fix offline port handling and\nhost reset handling\" at __qla2x00_abort_all_cmds."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:32:49.535Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5c1fb3fd05da3d55b8cbc42d7d660b313cbdc936"
},
{
"url": "https://git.kernel.org/stable/c/d46c69a087aa3d1513f7a78f871b80251ea0c1ae"
}
],
"title": "scsi: qla2xxx: Clear cmds after chip reset",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68745",
"datePublished": "2025-12-24T12:09:41.517Z",
"dateReserved": "2025-12-24T10:30:51.031Z",
"dateUpdated": "2026-02-09T08:32:49.535Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68768 (GCVE-0-2025-68768)
Vulnerability from cvelistv5
Published
2026-01-13 15:28
Modified
2026-02-09 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
inet: frags: flush pending skbs in fqdir_pre_exit()
We have been seeing occasional deadlocks on pernet_ops_rwsem since
September in NIPA. The stuck task was usually modprobe (often loading
a driver like ipvlan), trying to take the lock as a Writer.
lockdep does not track readers for rwsems so the read wasn't obvious
from the reports.
On closer inspection the Reader holding the lock was conntrack looping
forever in nf_conntrack_cleanup_net_list(). Based on past experience
with occasional NIPA crashes I looked thru the tests which run before
the crash and noticed that the crash follows ip_defrag.sh. An immediate
red flag. Scouring thru (de)fragmentation queues reveals skbs sitting
around, holding conntrack references.
The problem is that since conntrack depends on nf_defrag_ipv6,
nf_defrag_ipv6 will load first. Since nf_defrag_ipv6 loads first its
netns exit hooks run _after_ conntrack's netns exit hook.
Flush all fragment queue SKBs during fqdir_pre_exit() to release
conntrack references before conntrack cleanup runs. Also flush
the queues in timer expiry handlers when they discover fqdir->dead
is set, in case packet sneaks in while we're running the pre_exit
flush.
The commit under Fixes is not exactly the culprit, but I think
previously the timer firing would eventually unblock the spinning
conntrack.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/inet_frag.h",
"include/net/ipv6_frag.h",
"net/ipv4/inet_fragment.c",
"net/ipv4/ip_fragment.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c70df25214ac9b32b53e18e6ae3b8f073ffa6903",
"status": "affected",
"version": "d5dd88794a13c2f24cce31abad7a0a6c5e0ed2db",
"versionType": "git"
},
{
"lessThan": "006a5035b495dec008805df249f92c22c89c3d2e",
"status": "affected",
"version": "d5dd88794a13c2f24cce31abad7a0a6c5e0ed2db",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/inet_frag.h",
"include/net/ipv6_frag.h",
"net/ipv4/inet_fragment.c",
"net/ipv4/ip_fragment.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"lessThan": "5.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ninet: frags: flush pending skbs in fqdir_pre_exit()\n\nWe have been seeing occasional deadlocks on pernet_ops_rwsem since\nSeptember in NIPA. The stuck task was usually modprobe (often loading\na driver like ipvlan), trying to take the lock as a Writer.\nlockdep does not track readers for rwsems so the read wasn\u0027t obvious\nfrom the reports.\n\nOn closer inspection the Reader holding the lock was conntrack looping\nforever in nf_conntrack_cleanup_net_list(). Based on past experience\nwith occasional NIPA crashes I looked thru the tests which run before\nthe crash and noticed that the crash follows ip_defrag.sh. An immediate\nred flag. Scouring thru (de)fragmentation queues reveals skbs sitting\naround, holding conntrack references.\n\nThe problem is that since conntrack depends on nf_defrag_ipv6,\nnf_defrag_ipv6 will load first. Since nf_defrag_ipv6 loads first its\nnetns exit hooks run _after_ conntrack\u0027s netns exit hook.\n\nFlush all fragment queue SKBs during fqdir_pre_exit() to release\nconntrack references before conntrack cleanup runs. Also flush\nthe queues in timer expiry handlers when they discover fqdir-\u003edead\nis set, in case packet sneaks in while we\u0027re running the pre_exit\nflush.\n\nThe commit under Fixes is not exactly the culprit, but I think\npreviously the timer firing would eventually unblock the spinning\nconntrack."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:13.157Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c70df25214ac9b32b53e18e6ae3b8f073ffa6903"
},
{
"url": "https://git.kernel.org/stable/c/006a5035b495dec008805df249f92c22c89c3d2e"
}
],
"title": "inet: frags: flush pending skbs in fqdir_pre_exit()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68768",
"datePublished": "2026-01-13T15:28:47.106Z",
"dateReserved": "2025-12-24T10:30:51.034Z",
"dateUpdated": "2026-02-09T08:33:13.157Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71111 (GCVE-0-2025-71111)
Vulnerability from cvelistv5
Published
2026-01-14 15:05
Modified
2026-02-09 08:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
hwmon: (w83791d) Convert macros to functions to avoid TOCTOU
The macro FAN_FROM_REG evaluates its arguments multiple times. When used
in lockless contexts involving shared driver data, this leads to
Time-of-Check to Time-of-Use (TOCTOU) race conditions, potentially
causing divide-by-zero errors.
Convert the macro to a static function. This guarantees that arguments
are evaluated only once (pass-by-value), preventing the race
conditions.
Additionally, in store_fan_div, move the calculation of the minimum
limit inside the update lock. This ensures that the read-modify-write
sequence operates on consistent data.
Adhere to the principle of minimal changes by only converting macros
that evaluate arguments multiple times and are used in lockless
contexts.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 9873964d6eb24bd0205394f9b791de9eddbcb855 Version: 9873964d6eb24bd0205394f9b791de9eddbcb855 Version: 9873964d6eb24bd0205394f9b791de9eddbcb855 Version: 9873964d6eb24bd0205394f9b791de9eddbcb855 Version: 9873964d6eb24bd0205394f9b791de9eddbcb855 Version: 9873964d6eb24bd0205394f9b791de9eddbcb855 Version: 9873964d6eb24bd0205394f9b791de9eddbcb855 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hwmon/w83791d.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3dceb68f6ad33156032ef4da21a93d84059cca6d",
"status": "affected",
"version": "9873964d6eb24bd0205394f9b791de9eddbcb855",
"versionType": "git"
},
{
"lessThan": "bf5b03227f2e6d4360004886d268f9df8993ef8f",
"status": "affected",
"version": "9873964d6eb24bd0205394f9b791de9eddbcb855",
"versionType": "git"
},
{
"lessThan": "f2b579a0c37c0df19603d719894a942a295f634a",
"status": "affected",
"version": "9873964d6eb24bd0205394f9b791de9eddbcb855",
"versionType": "git"
},
{
"lessThan": "f94800fbc26ccf7c81eb791707b038a57aa39a18",
"status": "affected",
"version": "9873964d6eb24bd0205394f9b791de9eddbcb855",
"versionType": "git"
},
{
"lessThan": "a9fb6e8835a22f5796c1182ed612daed3fd273af",
"status": "affected",
"version": "9873964d6eb24bd0205394f9b791de9eddbcb855",
"versionType": "git"
},
{
"lessThan": "c8cf0c2bdcccc6634b6915ff793b844e12436680",
"status": "affected",
"version": "9873964d6eb24bd0205394f9b791de9eddbcb855",
"versionType": "git"
},
{
"lessThan": "670d7ef945d3a84683594429aea6ab2cdfa5ceb4",
"status": "affected",
"version": "9873964d6eb24bd0205394f9b791de9eddbcb855",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hwmon/w83791d.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.18"
},
{
"lessThan": "2.6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (w83791d) Convert macros to functions to avoid TOCTOU\n\nThe macro FAN_FROM_REG evaluates its arguments multiple times. When used\nin lockless contexts involving shared driver data, this leads to\nTime-of-Check to Time-of-Use (TOCTOU) race conditions, potentially\ncausing divide-by-zero errors.\n\nConvert the macro to a static function. This guarantees that arguments\nare evaluated only once (pass-by-value), preventing the race\nconditions.\n\nAdditionally, in store_fan_div, move the calculation of the minimum\nlimit inside the update lock. This ensures that the read-modify-write\nsequence operates on consistent data.\n\nAdhere to the principle of minimal changes by only converting macros\nthat evaluate arguments multiple times and are used in lockless\ncontexts."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:05.517Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3dceb68f6ad33156032ef4da21a93d84059cca6d"
},
{
"url": "https://git.kernel.org/stable/c/bf5b03227f2e6d4360004886d268f9df8993ef8f"
},
{
"url": "https://git.kernel.org/stable/c/f2b579a0c37c0df19603d719894a942a295f634a"
},
{
"url": "https://git.kernel.org/stable/c/f94800fbc26ccf7c81eb791707b038a57aa39a18"
},
{
"url": "https://git.kernel.org/stable/c/a9fb6e8835a22f5796c1182ed612daed3fd273af"
},
{
"url": "https://git.kernel.org/stable/c/c8cf0c2bdcccc6634b6915ff793b844e12436680"
},
{
"url": "https://git.kernel.org/stable/c/670d7ef945d3a84683594429aea6ab2cdfa5ceb4"
}
],
"title": "hwmon: (w83791d) Convert macros to functions to avoid TOCTOU",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71111",
"datePublished": "2026-01-14T15:05:58.649Z",
"dateReserved": "2026-01-13T15:30:19.653Z",
"dateUpdated": "2026-02-09T08:35:05.517Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53421 (GCVE-0-2023-53421)
Vulnerability from cvelistv5
Published
2025-09-18 16:04
Modified
2026-02-06 16:30
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
blk-cgroup: Reinit blkg_iostat_set after clearing in blkcg_reset_stats()
When blkg_alloc() is called to allocate a blkcg_gq structure
with the associated blkg_iostat_set's, there are 2 fields within
blkg_iostat_set that requires proper initialization - blkg & sync.
The former field was introduced by commit 3b8cc6298724 ("blk-cgroup:
Optimize blkcg_rstat_flush()") while the later one was introduced by
commit f73316482977 ("blk-cgroup: reimplement basic IO stats using
cgroup rstat").
Unfortunately those fields in the blkg_iostat_set's are not properly
re-initialized when they are cleared in v1's blkcg_reset_stats(). This
can lead to a kernel panic due to NULL pointer access of the blkg
pointer. The missing initialization of sync is less problematic and
can be a problem in a debug kernel due to missing lockdep initialization.
Fix these problems by re-initializing them after memory clearing.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-53421",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T19:12:11.098390Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T19:13:10.626Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/blk-cgroup.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0561aa6033dd181594116d705c41fc16e97161a2",
"status": "affected",
"version": "f73316482977ac401ac37245c9df48079d4e11f3",
"versionType": "git"
},
{
"lessThan": "892faa76be894d324bf48b12a55c7af7be2bad83",
"status": "affected",
"version": "f73316482977ac401ac37245c9df48079d4e11f3",
"versionType": "git"
},
{
"lessThan": "b0d26283af612b9e0cc3188b0b88ad7fdea447e8",
"status": "affected",
"version": "f73316482977ac401ac37245c9df48079d4e11f3",
"versionType": "git"
},
{
"lessThan": "abbce7f82613ea5eeefd0fc3c1c8e449b9cef2a2",
"status": "affected",
"version": "f73316482977ac401ac37245c9df48079d4e11f3",
"versionType": "git"
},
{
"lessThan": "3d2af77e31ade05ff7ccc3658c3635ec1bea0979",
"status": "affected",
"version": "f73316482977ac401ac37245c9df48079d4e11f3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/blk-cgroup.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-cgroup: Reinit blkg_iostat_set after clearing in blkcg_reset_stats()\n\nWhen blkg_alloc() is called to allocate a blkcg_gq structure\nwith the associated blkg_iostat_set\u0027s, there are 2 fields within\nblkg_iostat_set that requires proper initialization - blkg \u0026 sync.\nThe former field was introduced by commit 3b8cc6298724 (\"blk-cgroup:\nOptimize blkcg_rstat_flush()\") while the later one was introduced by\ncommit f73316482977 (\"blk-cgroup: reimplement basic IO stats using\ncgroup rstat\").\n\nUnfortunately those fields in the blkg_iostat_set\u0027s are not properly\nre-initialized when they are cleared in v1\u0027s blkcg_reset_stats(). This\ncan lead to a kernel panic due to NULL pointer access of the blkg\npointer. The missing initialization of sync is less problematic and\ncan be a problem in a debug kernel due to missing lockdep initialization.\n\nFix these problems by re-initializing them after memory clearing."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T16:30:42.402Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0561aa6033dd181594116d705c41fc16e97161a2"
},
{
"url": "https://git.kernel.org/stable/c/892faa76be894d324bf48b12a55c7af7be2bad83"
},
{
"url": "https://git.kernel.org/stable/c/b0d26283af612b9e0cc3188b0b88ad7fdea447e8"
},
{
"url": "https://git.kernel.org/stable/c/abbce7f82613ea5eeefd0fc3c1c8e449b9cef2a2"
},
{
"url": "https://git.kernel.org/stable/c/3d2af77e31ade05ff7ccc3658c3635ec1bea0979"
}
],
"title": "blk-cgroup: Reinit blkg_iostat_set after clearing in blkcg_reset_stats()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53421",
"datePublished": "2025-09-18T16:04:04.526Z",
"dateReserved": "2025-09-17T14:54:09.741Z",
"dateUpdated": "2026-02-06T16:30:42.402Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68192 (GCVE-0-2025-68192)
Vulnerability from cvelistv5
Published
2025-12-16 13:43
Modified
2025-12-16 13:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: usb: qmi_wwan: initialize MAC header offset in qmimux_rx_fixup
Raw IP packets have no MAC header, leaving skb->mac_header uninitialized.
This can trigger kernel panics on ARM64 when xfrm or other subsystems
access the offset due to strict alignment checks.
Initialize the MAC header to prevent such crashes.
This can trigger kernel panics on ARM when running IPsec over the
qmimux0 interface.
Example trace:
Internal error: Oops: 000000009600004f [#1] SMP
CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.34-gbe78e49cb433 #1
Hardware name: LS1028A RDB Board (DT)
pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : xfrm_input+0xde8/0x1318
lr : xfrm_input+0x61c/0x1318
sp : ffff800080003b20
Call trace:
xfrm_input+0xde8/0x1318
xfrm6_rcv+0x38/0x44
xfrm6_esp_rcv+0x48/0xa8
ip6_protocol_deliver_rcu+0x94/0x4b0
ip6_input_finish+0x44/0x70
ip6_input+0x44/0xc0
ipv6_rcv+0x6c/0x114
__netif_receive_skb_one_core+0x5c/0x8c
__netif_receive_skb+0x18/0x60
process_backlog+0x78/0x17c
__napi_poll+0x38/0x180
net_rx_action+0x168/0x2f0
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: c6adf77953bcec0ad63d7782479452464e50f7a3 Version: c6adf77953bcec0ad63d7782479452464e50f7a3 Version: c6adf77953bcec0ad63d7782479452464e50f7a3 Version: c6adf77953bcec0ad63d7782479452464e50f7a3 Version: c6adf77953bcec0ad63d7782479452464e50f7a3 Version: c6adf77953bcec0ad63d7782479452464e50f7a3 Version: c6adf77953bcec0ad63d7782479452464e50f7a3 Version: c6adf77953bcec0ad63d7782479452464e50f7a3 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/qmi_wwan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d693c47fb902b988f5752182e4f7fbde5e6dcaf9",
"status": "affected",
"version": "c6adf77953bcec0ad63d7782479452464e50f7a3",
"versionType": "git"
},
{
"lessThan": "0aabccdcec1f4a36f95829ea2263f845bbc77223",
"status": "affected",
"version": "c6adf77953bcec0ad63d7782479452464e50f7a3",
"versionType": "git"
},
{
"lessThan": "4e6b9004f01d0fef5b19778399bc5bf55f8c2d71",
"status": "affected",
"version": "c6adf77953bcec0ad63d7782479452464e50f7a3",
"versionType": "git"
},
{
"lessThan": "bf527b80b80a282ab5bf1540546211fc35e5cd42",
"status": "affected",
"version": "c6adf77953bcec0ad63d7782479452464e50f7a3",
"versionType": "git"
},
{
"lessThan": "dd03780c29f87c26c0e0bb7e0db528c8109461fb",
"status": "affected",
"version": "c6adf77953bcec0ad63d7782479452464e50f7a3",
"versionType": "git"
},
{
"lessThan": "ae811175cea35b03ac6d7c910f43a82a43b9c3b3",
"status": "affected",
"version": "c6adf77953bcec0ad63d7782479452464e50f7a3",
"versionType": "git"
},
{
"lessThan": "8ab3b8f958d861a7f725a5be60769106509fbd69",
"status": "affected",
"version": "c6adf77953bcec0ad63d7782479452464e50f7a3",
"versionType": "git"
},
{
"lessThan": "e120f46768d98151ece8756ebd688b0e43dc8b29",
"status": "affected",
"version": "c6adf77953bcec0ad63d7782479452464e50f7a3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/qmi_wwan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: qmi_wwan: initialize MAC header offset in qmimux_rx_fixup\n\nRaw IP packets have no MAC header, leaving skb-\u003emac_header uninitialized.\nThis can trigger kernel panics on ARM64 when xfrm or other subsystems\naccess the offset due to strict alignment checks.\n\nInitialize the MAC header to prevent such crashes.\n\nThis can trigger kernel panics on ARM when running IPsec over the\nqmimux0 interface.\n\nExample trace:\n\n Internal error: Oops: 000000009600004f [#1] SMP\n CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.34-gbe78e49cb433 #1\n Hardware name: LS1028A RDB Board (DT)\n pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : xfrm_input+0xde8/0x1318\n lr : xfrm_input+0x61c/0x1318\n sp : ffff800080003b20\n Call trace:\n xfrm_input+0xde8/0x1318\n xfrm6_rcv+0x38/0x44\n xfrm6_esp_rcv+0x48/0xa8\n ip6_protocol_deliver_rcu+0x94/0x4b0\n ip6_input_finish+0x44/0x70\n ip6_input+0x44/0xc0\n ipv6_rcv+0x6c/0x114\n __netif_receive_skb_one_core+0x5c/0x8c\n __netif_receive_skb+0x18/0x60\n process_backlog+0x78/0x17c\n __napi_poll+0x38/0x180\n net_rx_action+0x168/0x2f0"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T13:43:18.858Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d693c47fb902b988f5752182e4f7fbde5e6dcaf9"
},
{
"url": "https://git.kernel.org/stable/c/0aabccdcec1f4a36f95829ea2263f845bbc77223"
},
{
"url": "https://git.kernel.org/stable/c/4e6b9004f01d0fef5b19778399bc5bf55f8c2d71"
},
{
"url": "https://git.kernel.org/stable/c/bf527b80b80a282ab5bf1540546211fc35e5cd42"
},
{
"url": "https://git.kernel.org/stable/c/dd03780c29f87c26c0e0bb7e0db528c8109461fb"
},
{
"url": "https://git.kernel.org/stable/c/ae811175cea35b03ac6d7c910f43a82a43b9c3b3"
},
{
"url": "https://git.kernel.org/stable/c/8ab3b8f958d861a7f725a5be60769106509fbd69"
},
{
"url": "https://git.kernel.org/stable/c/e120f46768d98151ece8756ebd688b0e43dc8b29"
}
],
"title": "net: usb: qmi_wwan: initialize MAC header offset in qmimux_rx_fixup",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68192",
"datePublished": "2025-12-16T13:43:18.858Z",
"dateReserved": "2025-12-16T13:41:40.253Z",
"dateUpdated": "2025-12-16T13:43:18.858Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68819 (GCVE-0-2025-68819)
Vulnerability from cvelistv5
Published
2026-01-13 15:29
Modified
2026-02-09 08:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: dvb-usb: dtv5100: fix out-of-bounds in dtv5100_i2c_msg()
rlen value is a user-controlled value, but dtv5100_i2c_msg() does not
check the size of the rlen value. Therefore, if it is set to a value
larger than sizeof(st->data), an out-of-bounds vuln occurs for st->data.
Therefore, we need to add proper range checking to prevent this vuln.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 60688d5e6e6e2ae62f29762d1e3b2aec2dbd3817 Version: 60688d5e6e6e2ae62f29762d1e3b2aec2dbd3817 Version: 60688d5e6e6e2ae62f29762d1e3b2aec2dbd3817 Version: 60688d5e6e6e2ae62f29762d1e3b2aec2dbd3817 Version: 60688d5e6e6e2ae62f29762d1e3b2aec2dbd3817 Version: 60688d5e6e6e2ae62f29762d1e3b2aec2dbd3817 Version: 60688d5e6e6e2ae62f29762d1e3b2aec2dbd3817 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/usb/dvb-usb/dtv5100.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c2c293ea7b61f12cdaad1e99a5b4efc58c88960a",
"status": "affected",
"version": "60688d5e6e6e2ae62f29762d1e3b2aec2dbd3817",
"versionType": "git"
},
{
"lessThan": "c2305b4c5fc15e20ac06c35738e0578eb4323750",
"status": "affected",
"version": "60688d5e6e6e2ae62f29762d1e3b2aec2dbd3817",
"versionType": "git"
},
{
"lessThan": "61f214a878e96e2a8750bf96a98f78c658dba60c",
"status": "affected",
"version": "60688d5e6e6e2ae62f29762d1e3b2aec2dbd3817",
"versionType": "git"
},
{
"lessThan": "4a54d8fcb093761e4c56eb211cf4e39bf8401fa1",
"status": "affected",
"version": "60688d5e6e6e2ae62f29762d1e3b2aec2dbd3817",
"versionType": "git"
},
{
"lessThan": "fe3e129ab49806aaaa3f22067ebc75c2dfbe4658",
"status": "affected",
"version": "60688d5e6e6e2ae62f29762d1e3b2aec2dbd3817",
"versionType": "git"
},
{
"lessThan": "ac92151ff2494130d9fc686055d6bbb9743a673e",
"status": "affected",
"version": "60688d5e6e6e2ae62f29762d1e3b2aec2dbd3817",
"versionType": "git"
},
{
"lessThan": "b91e6aafe8d356086cc621bc03e35ba2299e4788",
"status": "affected",
"version": "60688d5e6e6e2ae62f29762d1e3b2aec2dbd3817",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/usb/dvb-usb/dtv5100.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.28"
},
{
"lessThan": "2.6.28",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.28",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: dvb-usb: dtv5100: fix out-of-bounds in dtv5100_i2c_msg()\n\nrlen value is a user-controlled value, but dtv5100_i2c_msg() does not\ncheck the size of the rlen value. Therefore, if it is set to a value\nlarger than sizeof(st-\u003edata), an out-of-bounds vuln occurs for st-\u003edata.\n\nTherefore, we need to add proper range checking to prevent this vuln."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:09.266Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c2c293ea7b61f12cdaad1e99a5b4efc58c88960a"
},
{
"url": "https://git.kernel.org/stable/c/c2305b4c5fc15e20ac06c35738e0578eb4323750"
},
{
"url": "https://git.kernel.org/stable/c/61f214a878e96e2a8750bf96a98f78c658dba60c"
},
{
"url": "https://git.kernel.org/stable/c/4a54d8fcb093761e4c56eb211cf4e39bf8401fa1"
},
{
"url": "https://git.kernel.org/stable/c/fe3e129ab49806aaaa3f22067ebc75c2dfbe4658"
},
{
"url": "https://git.kernel.org/stable/c/ac92151ff2494130d9fc686055d6bbb9743a673e"
},
{
"url": "https://git.kernel.org/stable/c/b91e6aafe8d356086cc621bc03e35ba2299e4788"
}
],
"title": "media: dvb-usb: dtv5100: fix out-of-bounds in dtv5100_i2c_msg()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68819",
"datePublished": "2026-01-13T15:29:22.695Z",
"dateReserved": "2025-12-24T10:30:51.048Z",
"dateUpdated": "2026-02-09T08:34:09.266Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23408 (GCVE-0-2026-23408)
Vulnerability from cvelistv5
Published
2026-04-01 08:36
Modified
2026-04-18 08:58
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
apparmor: Fix double free of ns_name in aa_replace_profiles()
if ns_name is NULL after
1071 error = aa_unpack(udata, &lh, &ns_name);
and if ent->ns_name contains an ns_name in
1089 } else if (ent->ns_name) {
then ns_name is assigned the ent->ns_name
1095 ns_name = ent->ns_name;
however ent->ns_name is freed at
1262 aa_load_ent_free(ent);
and then again when freeing ns_name at
1270 kfree(ns_name);
Fix this by NULLing out ent->ns_name after it is transferred to ns_name
")
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 145a0ef21c8e944957f58e2c8ffcd8a10f46266a Version: 145a0ef21c8e944957f58e2c8ffcd8a10f46266a Version: 145a0ef21c8e944957f58e2c8ffcd8a10f46266a Version: 145a0ef21c8e944957f58e2c8ffcd8a10f46266a Version: 145a0ef21c8e944957f58e2c8ffcd8a10f46266a Version: 145a0ef21c8e944957f58e2c8ffcd8a10f46266a Version: 145a0ef21c8e944957f58e2c8ffcd8a10f46266a Version: 145a0ef21c8e944957f58e2c8ffcd8a10f46266a |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"security/apparmor/policy.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c6347a2116ecccb8fd9ee4ebc75ae41d1d7ef689",
"status": "affected",
"version": "145a0ef21c8e944957f58e2c8ffcd8a10f46266a",
"versionType": "git"
},
{
"lessThan": "c053ae381ce227577567d1ef10090ce7506d7a28",
"status": "affected",
"version": "145a0ef21c8e944957f58e2c8ffcd8a10f46266a",
"versionType": "git"
},
{
"lessThan": "35f4caec1352054b9a61cfdf2bf1898073637aa0",
"status": "affected",
"version": "145a0ef21c8e944957f58e2c8ffcd8a10f46266a",
"versionType": "git"
},
{
"lessThan": "55ef2af7490aaf72f8ffe11ec44c6bcb7eb2162a",
"status": "affected",
"version": "145a0ef21c8e944957f58e2c8ffcd8a10f46266a",
"versionType": "git"
},
{
"lessThan": "86feeccd6b93ed94bd6655f30de80f163f8d5a45",
"status": "affected",
"version": "145a0ef21c8e944957f58e2c8ffcd8a10f46266a",
"versionType": "git"
},
{
"lessThan": "7998ab3010d2317643f91828f1853d954ef31387",
"status": "affected",
"version": "145a0ef21c8e944957f58e2c8ffcd8a10f46266a",
"versionType": "git"
},
{
"lessThan": "18b5233e860c294a847ee07869d93c0b8673a54b",
"status": "affected",
"version": "145a0ef21c8e944957f58e2c8ffcd8a10f46266a",
"versionType": "git"
},
{
"lessThan": "5df0c44e8f5f619d3beb871207aded7c78414502",
"status": "affected",
"version": "145a0ef21c8e944957f58e2c8ffcd8a10f46266a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"security/apparmor/policy.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.18",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.8",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: Fix double free of ns_name in aa_replace_profiles()\n\nif ns_name is NULL after\n1071 error = aa_unpack(udata, \u0026lh, \u0026ns_name);\n\nand if ent-\u003ens_name contains an ns_name in\n1089 } else if (ent-\u003ens_name) {\n\nthen ns_name is assigned the ent-\u003ens_name\n1095 ns_name = ent-\u003ens_name;\n\nhowever ent-\u003ens_name is freed at\n1262 aa_load_ent_free(ent);\n\nand then again when freeing ns_name at\n1270 kfree(ns_name);\n\nFix this by NULLing out ent-\u003ens_name after it is transferred to ns_name\n\n\")"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:58:43.247Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c6347a2116ecccb8fd9ee4ebc75ae41d1d7ef689"
},
{
"url": "https://git.kernel.org/stable/c/c053ae381ce227577567d1ef10090ce7506d7a28"
},
{
"url": "https://git.kernel.org/stable/c/35f4caec1352054b9a61cfdf2bf1898073637aa0"
},
{
"url": "https://git.kernel.org/stable/c/55ef2af7490aaf72f8ffe11ec44c6bcb7eb2162a"
},
{
"url": "https://git.kernel.org/stable/c/86feeccd6b93ed94bd6655f30de80f163f8d5a45"
},
{
"url": "https://git.kernel.org/stable/c/7998ab3010d2317643f91828f1853d954ef31387"
},
{
"url": "https://git.kernel.org/stable/c/18b5233e860c294a847ee07869d93c0b8673a54b"
},
{
"url": "https://git.kernel.org/stable/c/5df0c44e8f5f619d3beb871207aded7c78414502"
}
],
"title": "apparmor: Fix double free of ns_name in aa_replace_profiles()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23408",
"datePublished": "2026-04-01T08:36:37.873Z",
"dateReserved": "2026-01-13T15:37:46.013Z",
"dateUpdated": "2026-04-18T08:58:43.247Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40021 (GCVE-0-2025-40021)
Vulnerability from cvelistv5
Published
2025-10-24 12:24
Modified
2025-10-24 12:24
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tracing: dynevent: Add a missing lockdown check on dynevent
Since dynamic_events interface on tracefs is compatible with
kprobe_events and uprobe_events, it should also check the lockdown
status and reject if it is set.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 17911ff38aa58d3c95c07589dbf5d3564c4cf3c5 Version: 17911ff38aa58d3c95c07589dbf5d3564c4cf3c5 Version: 17911ff38aa58d3c95c07589dbf5d3564c4cf3c5 Version: 17911ff38aa58d3c95c07589dbf5d3564c4cf3c5 Version: 17911ff38aa58d3c95c07589dbf5d3564c4cf3c5 Version: 17911ff38aa58d3c95c07589dbf5d3564c4cf3c5 Version: 17911ff38aa58d3c95c07589dbf5d3564c4cf3c5 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace_dynevent.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f3ac1f4eaba58e57943efa3e8b8d71fa7aab0abf",
"status": "affected",
"version": "17911ff38aa58d3c95c07589dbf5d3564c4cf3c5",
"versionType": "git"
},
{
"lessThan": "0d41604d2d53c1abe27fefb54b37a8f6642a4d74",
"status": "affected",
"version": "17911ff38aa58d3c95c07589dbf5d3564c4cf3c5",
"versionType": "git"
},
{
"lessThan": "07b1f63b5f86765793fab44d3d4c2be681cddafb",
"status": "affected",
"version": "17911ff38aa58d3c95c07589dbf5d3564c4cf3c5",
"versionType": "git"
},
{
"lessThan": "3887f3814c0e770e6b73567fe0f83a2c01a6470c",
"status": "affected",
"version": "17911ff38aa58d3c95c07589dbf5d3564c4cf3c5",
"versionType": "git"
},
{
"lessThan": "573b1e39edfcb7b4eecde0f1664455a1f4462eee",
"status": "affected",
"version": "17911ff38aa58d3c95c07589dbf5d3564c4cf3c5",
"versionType": "git"
},
{
"lessThan": "b47c4e06687a5a7b6c6ef4bd303fcfe4430b26bb",
"status": "affected",
"version": "17911ff38aa58d3c95c07589dbf5d3564c4cf3c5",
"versionType": "git"
},
{
"lessThan": "456c32e3c4316654f95f9d49c12cbecfb77d5660",
"status": "affected",
"version": "17911ff38aa58d3c95c07589dbf5d3564c4cf3c5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace_dynevent.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.155",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.50",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.155",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.109",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: dynevent: Add a missing lockdown check on dynevent\n\nSince dynamic_events interface on tracefs is compatible with\nkprobe_events and uprobe_events, it should also check the lockdown\nstatus and reject if it is set."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-24T12:24:57.107Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f3ac1f4eaba58e57943efa3e8b8d71fa7aab0abf"
},
{
"url": "https://git.kernel.org/stable/c/0d41604d2d53c1abe27fefb54b37a8f6642a4d74"
},
{
"url": "https://git.kernel.org/stable/c/07b1f63b5f86765793fab44d3d4c2be681cddafb"
},
{
"url": "https://git.kernel.org/stable/c/3887f3814c0e770e6b73567fe0f83a2c01a6470c"
},
{
"url": "https://git.kernel.org/stable/c/573b1e39edfcb7b4eecde0f1664455a1f4462eee"
},
{
"url": "https://git.kernel.org/stable/c/b47c4e06687a5a7b6c6ef4bd303fcfe4430b26bb"
},
{
"url": "https://git.kernel.org/stable/c/456c32e3c4316654f95f9d49c12cbecfb77d5660"
}
],
"title": "tracing: dynevent: Add a missing lockdown check on dynevent",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40021",
"datePublished": "2025-10-24T12:24:57.107Z",
"dateReserved": "2025-04-16T07:20:57.152Z",
"dateUpdated": "2025-10-24T12:24:57.107Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-68265 (GCVE-0-2025-68265)
Vulnerability from cvelistv5
Published
2025-12-16 14:47
Modified
2026-04-11 12:45
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvme: fix admin request_queue lifetime
The namespaces can access the controller's admin request_queue, and
stale references on the namespaces may exist after tearing down the
controller. Ensure the admin request_queue is active by moving the
controller's 'put' to after all controller references have been released
to ensure no one is can access the request_queue. This fixes a reported
use-after-free bug:
BUG: KASAN: slab-use-after-free in blk_queue_enter+0x41c/0x4a0
Read of size 8 at addr ffff88c0a53819f8 by task nvme/3287
CPU: 67 UID: 0 PID: 3287 Comm: nvme Tainted: G E 6.13.2-ga1582f1a031e #15
Tainted: [E]=UNSIGNED_MODULE
Hardware name: Jabil /EGS 2S MB1, BIOS 1.00 06/18/2025
Call Trace:
<TASK>
dump_stack_lvl+0x4f/0x60
print_report+0xc4/0x620
? _raw_spin_lock_irqsave+0x70/0xb0
? _raw_read_unlock_irqrestore+0x30/0x30
? blk_queue_enter+0x41c/0x4a0
kasan_report+0xab/0xe0
? blk_queue_enter+0x41c/0x4a0
blk_queue_enter+0x41c/0x4a0
? __irq_work_queue_local+0x75/0x1d0
? blk_queue_start_drain+0x70/0x70
? irq_work_queue+0x18/0x20
? vprintk_emit.part.0+0x1cc/0x350
? wake_up_klogd_work_func+0x60/0x60
blk_mq_alloc_request+0x2b7/0x6b0
? __blk_mq_alloc_requests+0x1060/0x1060
? __switch_to+0x5b7/0x1060
nvme_submit_user_cmd+0xa9/0x330
nvme_user_cmd.isra.0+0x240/0x3f0
? force_sigsegv+0xe0/0xe0
? nvme_user_cmd64+0x400/0x400
? vfs_fileattr_set+0x9b0/0x9b0
? cgroup_update_frozen_flag+0x24/0x1c0
? cgroup_leave_frozen+0x204/0x330
? nvme_ioctl+0x7c/0x2c0
blkdev_ioctl+0x1a8/0x4d0
? blkdev_common_ioctl+0x1930/0x1930
? fdget+0x54/0x380
__x64_sys_ioctl+0x129/0x190
do_syscall_64+0x5b/0x160
entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x7f765f703b0b
Code: ff ff ff 85 c0 79 9b 49 c7 c4 ff ff ff ff 5b 5d 4c 89 e0 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d dd 52 0f 00 f7 d8 64 89 01 48
RSP: 002b:00007ffe2cefe808 EFLAGS: 00000202 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007ffe2cefe860 RCX: 00007f765f703b0b
RDX: 00007ffe2cefe860 RSI: 00000000c0484e41 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000000
R10: 00007f765f611d50 R11: 0000000000000202 R12: 0000000000000003
R13: 00000000c0484e41 R14: 0000000000000001 R15: 00007ffe2cefea60
</TASK>
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nvme/host/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4896491c497226022626c3acc46044fd182f943c",
"status": "affected",
"version": "fe60e8c534118a288cd251a59d747cbf5c03e160",
"versionType": "git"
},
{
"lessThan": "a505f0ba36ab24176c300d7ff56aff85c2977e6c",
"status": "affected",
"version": "fe60e8c534118a288cd251a59d747cbf5c03e160",
"versionType": "git"
},
{
"lessThan": "e8061d02b49c5c901980f58d91e96580e9a14acf",
"status": "affected",
"version": "fe60e8c534118a288cd251a59d747cbf5c03e160",
"versionType": "git"
},
{
"lessThan": "e7dac681790556c131854b97551337aa8042215b",
"status": "affected",
"version": "fe60e8c534118a288cd251a59d747cbf5c03e160",
"versionType": "git"
},
{
"lessThan": "03b3bcd319b3ab5182bc9aaa0421351572c78ac0",
"status": "affected",
"version": "fe60e8c534118a288cd251a59d747cbf5c03e160",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nvme/host/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.62",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.62",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.12",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme: fix admin request_queue lifetime\n\nThe namespaces can access the controller\u0027s admin request_queue, and\nstale references on the namespaces may exist after tearing down the\ncontroller. Ensure the admin request_queue is active by moving the\ncontroller\u0027s \u0027put\u0027 to after all controller references have been released\nto ensure no one is can access the request_queue. This fixes a reported\nuse-after-free bug:\n\n BUG: KASAN: slab-use-after-free in blk_queue_enter+0x41c/0x4a0\n Read of size 8 at addr ffff88c0a53819f8 by task nvme/3287\n CPU: 67 UID: 0 PID: 3287 Comm: nvme Tainted: G E 6.13.2-ga1582f1a031e #15\n Tainted: [E]=UNSIGNED_MODULE\n Hardware name: Jabil /EGS 2S MB1, BIOS 1.00 06/18/2025\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x4f/0x60\n print_report+0xc4/0x620\n ? _raw_spin_lock_irqsave+0x70/0xb0\n ? _raw_read_unlock_irqrestore+0x30/0x30\n ? blk_queue_enter+0x41c/0x4a0\n kasan_report+0xab/0xe0\n ? blk_queue_enter+0x41c/0x4a0\n blk_queue_enter+0x41c/0x4a0\n ? __irq_work_queue_local+0x75/0x1d0\n ? blk_queue_start_drain+0x70/0x70\n ? irq_work_queue+0x18/0x20\n ? vprintk_emit.part.0+0x1cc/0x350\n ? wake_up_klogd_work_func+0x60/0x60\n blk_mq_alloc_request+0x2b7/0x6b0\n ? __blk_mq_alloc_requests+0x1060/0x1060\n ? __switch_to+0x5b7/0x1060\n nvme_submit_user_cmd+0xa9/0x330\n nvme_user_cmd.isra.0+0x240/0x3f0\n ? force_sigsegv+0xe0/0xe0\n ? nvme_user_cmd64+0x400/0x400\n ? vfs_fileattr_set+0x9b0/0x9b0\n ? cgroup_update_frozen_flag+0x24/0x1c0\n ? cgroup_leave_frozen+0x204/0x330\n ? nvme_ioctl+0x7c/0x2c0\n blkdev_ioctl+0x1a8/0x4d0\n ? blkdev_common_ioctl+0x1930/0x1930\n ? fdget+0x54/0x380\n __x64_sys_ioctl+0x129/0x190\n do_syscall_64+0x5b/0x160\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n RIP: 0033:0x7f765f703b0b\n Code: ff ff ff 85 c0 79 9b 49 c7 c4 ff ff ff ff 5b 5d 4c 89 e0 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 8b 0d dd 52 0f 00 f7 d8 64 89 01 48\n RSP: 002b:00007ffe2cefe808 EFLAGS: 00000202 ORIG_RAX: 0000000000000010\n RAX: ffffffffffffffda RBX: 00007ffe2cefe860 RCX: 00007f765f703b0b\n RDX: 00007ffe2cefe860 RSI: 00000000c0484e41 RDI: 0000000000000003\n RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000000\n R10: 00007f765f611d50 R11: 0000000000000202 R12: 0000000000000003\n R13: 00000000c0484e41 R14: 0000000000000001 R15: 00007ffe2cefea60\n \u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2026-04-11T12:45:42.048Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4896491c497226022626c3acc46044fd182f943c"
},
{
"url": "https://git.kernel.org/stable/c/a505f0ba36ab24176c300d7ff56aff85c2977e6c"
},
{
"url": "https://git.kernel.org/stable/c/e8061d02b49c5c901980f58d91e96580e9a14acf"
},
{
"url": "https://git.kernel.org/stable/c/e7dac681790556c131854b97551337aa8042215b"
},
{
"url": "https://git.kernel.org/stable/c/03b3bcd319b3ab5182bc9aaa0421351572c78ac0"
}
],
"title": "nvme: fix admin request_queue lifetime",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68265",
"datePublished": "2025-12-16T14:47:05.303Z",
"dateReserved": "2025-12-16T13:41:40.268Z",
"dateUpdated": "2026-04-11T12:45:42.048Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23124 (GCVE-0-2026-23124)
Vulnerability from cvelistv5
Published
2026-02-14 15:09
Modified
2026-02-14 15:09
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv6: annotate data-race in ndisc_router_discovery()
syzbot found that ndisc_router_discovery() could read and write
in6_dev->ra_mtu without holding a lock [1]
This looks fine, IFLA_INET6_RA_MTU is best effort.
Add READ_ONCE()/WRITE_ONCE() to document the race.
Note that we might also reject illegal MTU values
(mtu < IPV6_MIN_MTU || mtu > skb->dev->mtu) in a future patch.
[1]
BUG: KCSAN: data-race in ndisc_router_discovery / ndisc_router_discovery
read to 0xffff888119809c20 of 4 bytes by task 25817 on cpu 1:
ndisc_router_discovery+0x151d/0x1c90 net/ipv6/ndisc.c:1558
ndisc_rcv+0x2ad/0x3d0 net/ipv6/ndisc.c:1841
icmpv6_rcv+0xe5a/0x12f0 net/ipv6/icmp.c:989
ip6_protocol_deliver_rcu+0xb2a/0x10d0 net/ipv6/ip6_input.c:438
ip6_input_finish+0xf0/0x1d0 net/ipv6/ip6_input.c:489
NF_HOOK include/linux/netfilter.h:318 [inline]
ip6_input+0x5e/0x140 net/ipv6/ip6_input.c:500
ip6_mc_input+0x27c/0x470 net/ipv6/ip6_input.c:590
dst_input include/net/dst.h:474 [inline]
ip6_rcv_finish+0x336/0x340 net/ipv6/ip6_input.c:79
...
write to 0xffff888119809c20 of 4 bytes by task 25816 on cpu 0:
ndisc_router_discovery+0x155a/0x1c90 net/ipv6/ndisc.c:1559
ndisc_rcv+0x2ad/0x3d0 net/ipv6/ndisc.c:1841
icmpv6_rcv+0xe5a/0x12f0 net/ipv6/icmp.c:989
ip6_protocol_deliver_rcu+0xb2a/0x10d0 net/ipv6/ip6_input.c:438
ip6_input_finish+0xf0/0x1d0 net/ipv6/ip6_input.c:489
NF_HOOK include/linux/netfilter.h:318 [inline]
ip6_input+0x5e/0x140 net/ipv6/ip6_input.c:500
ip6_mc_input+0x27c/0x470 net/ipv6/ip6_input.c:590
dst_input include/net/dst.h:474 [inline]
ip6_rcv_finish+0x336/0x340 net/ipv6/ip6_input.c:79
...
value changed: 0x00000000 -> 0xe5400659
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 49b99da2c9ce13ffcd93fe3a0f5670791c1d76f7 Version: 49b99da2c9ce13ffcd93fe3a0f5670791c1d76f7 Version: 49b99da2c9ce13ffcd93fe3a0f5670791c1d76f7 Version: 49b99da2c9ce13ffcd93fe3a0f5670791c1d76f7 Version: 49b99da2c9ce13ffcd93fe3a0f5670791c1d76f7 Version: 49b99da2c9ce13ffcd93fe3a0f5670791c1d76f7 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/ndisc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4630897eb1a039b5d7b737b8dc9521d9d4b568b5",
"status": "affected",
"version": "49b99da2c9ce13ffcd93fe3a0f5670791c1d76f7",
"versionType": "git"
},
{
"lessThan": "2619499169fb1c2ac4974b0f2d87767fb543582b",
"status": "affected",
"version": "49b99da2c9ce13ffcd93fe3a0f5670791c1d76f7",
"versionType": "git"
},
{
"lessThan": "fad8f4ff7928f4d52a062ffdcffa484989c79c47",
"status": "affected",
"version": "49b99da2c9ce13ffcd93fe3a0f5670791c1d76f7",
"versionType": "git"
},
{
"lessThan": "2a2b9d25f801afecf2f83cacce98afa8fd73e3c9",
"status": "affected",
"version": "49b99da2c9ce13ffcd93fe3a0f5670791c1d76f7",
"versionType": "git"
},
{
"lessThan": "e3c1040252e598f7b4e33a42dc7c38519bc22428",
"status": "affected",
"version": "49b99da2c9ce13ffcd93fe3a0f5670791c1d76f7",
"versionType": "git"
},
{
"lessThan": "9a063f96d87efc3a6cc667f8de096a3d38d74bb5",
"status": "affected",
"version": "49b99da2c9ce13ffcd93fe3a0f5670791c1d76f7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/ndisc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: annotate data-race in ndisc_router_discovery()\n\nsyzbot found that ndisc_router_discovery() could read and write\nin6_dev-\u003era_mtu without holding a lock [1]\n\nThis looks fine, IFLA_INET6_RA_MTU is best effort.\n\nAdd READ_ONCE()/WRITE_ONCE() to document the race.\n\nNote that we might also reject illegal MTU values\n(mtu \u003c IPV6_MIN_MTU || mtu \u003e skb-\u003edev-\u003emtu) in a future patch.\n\n[1]\nBUG: KCSAN: data-race in ndisc_router_discovery / ndisc_router_discovery\n\nread to 0xffff888119809c20 of 4 bytes by task 25817 on cpu 1:\n ndisc_router_discovery+0x151d/0x1c90 net/ipv6/ndisc.c:1558\n ndisc_rcv+0x2ad/0x3d0 net/ipv6/ndisc.c:1841\n icmpv6_rcv+0xe5a/0x12f0 net/ipv6/icmp.c:989\n ip6_protocol_deliver_rcu+0xb2a/0x10d0 net/ipv6/ip6_input.c:438\n ip6_input_finish+0xf0/0x1d0 net/ipv6/ip6_input.c:489\n NF_HOOK include/linux/netfilter.h:318 [inline]\n ip6_input+0x5e/0x140 net/ipv6/ip6_input.c:500\n ip6_mc_input+0x27c/0x470 net/ipv6/ip6_input.c:590\n dst_input include/net/dst.h:474 [inline]\n ip6_rcv_finish+0x336/0x340 net/ipv6/ip6_input.c:79\n...\n\nwrite to 0xffff888119809c20 of 4 bytes by task 25816 on cpu 0:\n ndisc_router_discovery+0x155a/0x1c90 net/ipv6/ndisc.c:1559\n ndisc_rcv+0x2ad/0x3d0 net/ipv6/ndisc.c:1841\n icmpv6_rcv+0xe5a/0x12f0 net/ipv6/icmp.c:989\n ip6_protocol_deliver_rcu+0xb2a/0x10d0 net/ipv6/ip6_input.c:438\n ip6_input_finish+0xf0/0x1d0 net/ipv6/ip6_input.c:489\n NF_HOOK include/linux/netfilter.h:318 [inline]\n ip6_input+0x5e/0x140 net/ipv6/ip6_input.c:500\n ip6_mc_input+0x27c/0x470 net/ipv6/ip6_input.c:590\n dst_input include/net/dst.h:474 [inline]\n ip6_rcv_finish+0x336/0x340 net/ipv6/ip6_input.c:79\n...\n\nvalue changed: 0x00000000 -\u003e 0xe5400659"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T15:09:54.043Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4630897eb1a039b5d7b737b8dc9521d9d4b568b5"
},
{
"url": "https://git.kernel.org/stable/c/2619499169fb1c2ac4974b0f2d87767fb543582b"
},
{
"url": "https://git.kernel.org/stable/c/fad8f4ff7928f4d52a062ffdcffa484989c79c47"
},
{
"url": "https://git.kernel.org/stable/c/2a2b9d25f801afecf2f83cacce98afa8fd73e3c9"
},
{
"url": "https://git.kernel.org/stable/c/e3c1040252e598f7b4e33a42dc7c38519bc22428"
},
{
"url": "https://git.kernel.org/stable/c/9a063f96d87efc3a6cc667f8de096a3d38d74bb5"
}
],
"title": "ipv6: annotate data-race in ndisc_router_discovery()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23124",
"datePublished": "2026-02-14T15:09:54.043Z",
"dateReserved": "2026-01-13T15:37:45.970Z",
"dateUpdated": "2026-02-14T15:09:54.043Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68336 (GCVE-0-2025-68336)
Vulnerability from cvelistv5
Published
2025-12-22 16:14
Modified
2026-02-09 08:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
locking/spinlock/debug: Fix data-race in do_raw_write_lock
KCSAN reports:
BUG: KCSAN: data-race in do_raw_write_lock / do_raw_write_lock
write (marked) to 0xffff800009cf504c of 4 bytes by task 1102 on cpu 1:
do_raw_write_lock+0x120/0x204
_raw_write_lock_irq
do_exit
call_usermodehelper_exec_async
ret_from_fork
read to 0xffff800009cf504c of 4 bytes by task 1103 on cpu 0:
do_raw_write_lock+0x88/0x204
_raw_write_lock_irq
do_exit
call_usermodehelper_exec_async
ret_from_fork
value changed: 0xffffffff -> 0x00000001
Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 1103 Comm: kworker/u4:1 6.1.111
Commit 1a365e822372 ("locking/spinlock/debug: Fix various data races") has
adressed most of these races, but seems to be not consistent/not complete.
>From do_raw_write_lock() only debug_write_lock_after() part has been
converted to WRITE_ONCE(), but not debug_write_lock_before() part.
Do it now.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1a365e822372ba24c9da0822bc583894f6f3d821 Version: 1a365e822372ba24c9da0822bc583894f6f3d821 Version: 1a365e822372ba24c9da0822bc583894f6f3d821 Version: 1a365e822372ba24c9da0822bc583894f6f3d821 Version: 1a365e822372ba24c9da0822bc583894f6f3d821 Version: 1a365e822372ba24c9da0822bc583894f6f3d821 Version: 1a365e822372ba24c9da0822bc583894f6f3d821 Version: 1a365e822372ba24c9da0822bc583894f6f3d821 Version: 3106fb78d3579c8e9c9b3040f7f7841981919624 Version: c0911024ff927ba5c4786b507004cb615be1d776 Version: 09226e5c38639437565af01e6009a9286a351d04 Version: c7673f01604fa722b9d7c1e29e17cec1b8ae09c5 Version: c120c3dbeb76305235c8e557f84d9e2d7d0f5933 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/locking/spinlock_debug.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8e5b2cf10844402054b52b489b525dc30cc16908",
"status": "affected",
"version": "1a365e822372ba24c9da0822bc583894f6f3d821",
"versionType": "git"
},
{
"lessThan": "c228cb699a07a5f2d596d186bc5c314c99bb8bbf",
"status": "affected",
"version": "1a365e822372ba24c9da0822bc583894f6f3d821",
"versionType": "git"
},
{
"lessThan": "93bd23524d63deb80fb85beb2e43fafeb1043d0f",
"status": "affected",
"version": "1a365e822372ba24c9da0822bc583894f6f3d821",
"versionType": "git"
},
{
"lessThan": "39d2ef113416f1a4205b03fb0aa2e428d1412c77",
"status": "affected",
"version": "1a365e822372ba24c9da0822bc583894f6f3d821",
"versionType": "git"
},
{
"lessThan": "b163a5e8c703201c905d6ec7920ed79d167e8442",
"status": "affected",
"version": "1a365e822372ba24c9da0822bc583894f6f3d821",
"versionType": "git"
},
{
"lessThan": "16b3590c0e1e615757dade098c8fbc0d4f040c76",
"status": "affected",
"version": "1a365e822372ba24c9da0822bc583894f6f3d821",
"versionType": "git"
},
{
"lessThan": "396a9270a7b90886be501611b13aa636f2e8c703",
"status": "affected",
"version": "1a365e822372ba24c9da0822bc583894f6f3d821",
"versionType": "git"
},
{
"lessThan": "c14ecb555c3ee80eeb030a4e46d00e679537f03a",
"status": "affected",
"version": "1a365e822372ba24c9da0822bc583894f6f3d821",
"versionType": "git"
},
{
"status": "affected",
"version": "3106fb78d3579c8e9c9b3040f7f7841981919624",
"versionType": "git"
},
{
"status": "affected",
"version": "c0911024ff927ba5c4786b507004cb615be1d776",
"versionType": "git"
},
{
"status": "affected",
"version": "09226e5c38639437565af01e6009a9286a351d04",
"versionType": "git"
},
{
"status": "affected",
"version": "c7673f01604fa722b9d7c1e29e17cec1b8ae09c5",
"versionType": "git"
},
{
"status": "affected",
"version": "c120c3dbeb76305235c8e557f84d9e2d7d0f5933",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/locking/spinlock_debug.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.62",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.62",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.12",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.1",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.209",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.209",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.164",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.95",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlocking/spinlock/debug: Fix data-race in do_raw_write_lock\n\nKCSAN reports:\n\nBUG: KCSAN: data-race in do_raw_write_lock / do_raw_write_lock\n\nwrite (marked) to 0xffff800009cf504c of 4 bytes by task 1102 on cpu 1:\n do_raw_write_lock+0x120/0x204\n _raw_write_lock_irq\n do_exit\n call_usermodehelper_exec_async\n ret_from_fork\n\nread to 0xffff800009cf504c of 4 bytes by task 1103 on cpu 0:\n do_raw_write_lock+0x88/0x204\n _raw_write_lock_irq\n do_exit\n call_usermodehelper_exec_async\n ret_from_fork\n\nvalue changed: 0xffffffff -\u003e 0x00000001\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 0 PID: 1103 Comm: kworker/u4:1 6.1.111\n\nCommit 1a365e822372 (\"locking/spinlock/debug: Fix various data races\") has\nadressed most of these races, but seems to be not consistent/not complete.\n\n\u003eFrom do_raw_write_lock() only debug_write_lock_after() part has been\nconverted to WRITE_ONCE(), but not debug_write_lock_before() part.\nDo it now."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:31:30.516Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8e5b2cf10844402054b52b489b525dc30cc16908"
},
{
"url": "https://git.kernel.org/stable/c/c228cb699a07a5f2d596d186bc5c314c99bb8bbf"
},
{
"url": "https://git.kernel.org/stable/c/93bd23524d63deb80fb85beb2e43fafeb1043d0f"
},
{
"url": "https://git.kernel.org/stable/c/39d2ef113416f1a4205b03fb0aa2e428d1412c77"
},
{
"url": "https://git.kernel.org/stable/c/b163a5e8c703201c905d6ec7920ed79d167e8442"
},
{
"url": "https://git.kernel.org/stable/c/16b3590c0e1e615757dade098c8fbc0d4f040c76"
},
{
"url": "https://git.kernel.org/stable/c/396a9270a7b90886be501611b13aa636f2e8c703"
},
{
"url": "https://git.kernel.org/stable/c/c14ecb555c3ee80eeb030a4e46d00e679537f03a"
}
],
"title": "locking/spinlock/debug: Fix data-race in do_raw_write_lock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68336",
"datePublished": "2025-12-22T16:14:13.425Z",
"dateReserved": "2025-12-16T14:48:05.297Z",
"dateUpdated": "2026-02-09T08:31:30.516Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23049 (GCVE-0-2026-23049)
Vulnerability from cvelistv5
Published
2026-02-04 16:04
Modified
2026-02-09 08:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/panel-simple: fix connector type for DataImage SCF0700C48GGU18 panel
The connector type for the DataImage SCF0700C48GGU18 panel is missing and
devm_drm_panel_bridge_add() requires connector type to be set. This leads
to a warning and a backtrace in the kernel log and panel does not work:
"
WARNING: CPU: 3 PID: 38 at drivers/gpu/drm/bridge/panel.c:379 devm_drm_of_get_bridge+0xac/0xb8
"
The warning is triggered by a check for valid connector type in
devm_drm_panel_bridge_add(). If there is no valid connector type
set for a panel, the warning is printed and panel is not added.
Fill in the missing connector type to fix the warning and make
the panel operational once again.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 97ceb1fb08b6a2f78aa44a7c229ca280964860c0 Version: 97ceb1fb08b6a2f78aa44a7c229ca280964860c0 Version: 97ceb1fb08b6a2f78aa44a7c229ca280964860c0 Version: 97ceb1fb08b6a2f78aa44a7c229ca280964860c0 Version: 97ceb1fb08b6a2f78aa44a7c229ca280964860c0 Version: 97ceb1fb08b6a2f78aa44a7c229ca280964860c0 Version: 97ceb1fb08b6a2f78aa44a7c229ca280964860c0 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/panel/panel-simple.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f4c330b4499e7334ec6fce535574e09d55843d71",
"status": "affected",
"version": "97ceb1fb08b6a2f78aa44a7c229ca280964860c0",
"versionType": "git"
},
{
"lessThan": "bb309377eece5317207d71fd833f99cca4727fbd",
"status": "affected",
"version": "97ceb1fb08b6a2f78aa44a7c229ca280964860c0",
"versionType": "git"
},
{
"lessThan": "83e0d8d22e7ee3151af1951595104887eebed6ab",
"status": "affected",
"version": "97ceb1fb08b6a2f78aa44a7c229ca280964860c0",
"versionType": "git"
},
{
"lessThan": "bc0b17bdba3838e9e17e7e9adc968384ac99938b",
"status": "affected",
"version": "97ceb1fb08b6a2f78aa44a7c229ca280964860c0",
"versionType": "git"
},
{
"lessThan": "04218cd68d1502000823c8288f37b4f171dcdcae",
"status": "affected",
"version": "97ceb1fb08b6a2f78aa44a7c229ca280964860c0",
"versionType": "git"
},
{
"lessThan": "f7940d3ec1dc6bf719eddc69d4b8e52cc2201896",
"status": "affected",
"version": "97ceb1fb08b6a2f78aa44a7c229ca280964860c0",
"versionType": "git"
},
{
"lessThan": "6ab3d4353bf75005eaa375677c9fed31148154d6",
"status": "affected",
"version": "97ceb1fb08b6a2f78aa44a7c229ca280964860c0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/panel/panel-simple.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panel-simple: fix connector type for DataImage SCF0700C48GGU18 panel\n\nThe connector type for the DataImage SCF0700C48GGU18 panel is missing and\ndevm_drm_panel_bridge_add() requires connector type to be set. This leads\nto a warning and a backtrace in the kernel log and panel does not work:\n\"\nWARNING: CPU: 3 PID: 38 at drivers/gpu/drm/bridge/panel.c:379 devm_drm_of_get_bridge+0xac/0xb8\n\"\nThe warning is triggered by a check for valid connector type in\ndevm_drm_panel_bridge_add(). If there is no valid connector type\nset for a panel, the warning is printed and panel is not added.\nFill in the missing connector type to fix the warning and make\nthe panel operational once again."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:37:45.217Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f4c330b4499e7334ec6fce535574e09d55843d71"
},
{
"url": "https://git.kernel.org/stable/c/bb309377eece5317207d71fd833f99cca4727fbd"
},
{
"url": "https://git.kernel.org/stable/c/83e0d8d22e7ee3151af1951595104887eebed6ab"
},
{
"url": "https://git.kernel.org/stable/c/bc0b17bdba3838e9e17e7e9adc968384ac99938b"
},
{
"url": "https://git.kernel.org/stable/c/04218cd68d1502000823c8288f37b4f171dcdcae"
},
{
"url": "https://git.kernel.org/stable/c/f7940d3ec1dc6bf719eddc69d4b8e52cc2201896"
},
{
"url": "https://git.kernel.org/stable/c/6ab3d4353bf75005eaa375677c9fed31148154d6"
}
],
"title": "drm/panel-simple: fix connector type for DataImage SCF0700C48GGU18 panel",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23049",
"datePublished": "2026-02-04T16:04:18.076Z",
"dateReserved": "2026-01-13T15:37:45.949Z",
"dateUpdated": "2026-02-09T08:37:45.217Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49635 (GCVE-0-2022-49635)
Vulnerability from cvelistv5
Published
2025-02-26 02:23
Modified
2025-05-04 08:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/i915/selftests: fix subtraction overflow bug
On some machines hole_end can be small enough to cause subtraction
overflow. On the other side (addr + 2 * min_alignment) can overflow
in case of mock tests. This patch should handle both cases.
(cherry picked from commit ab3edc679c552a466e4bf0b11af3666008bd65a2)
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/selftests/i915_gem_gtt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e8997d2d6b8d764e12489f1af2a1ce1d7384ca2a",
"status": "affected",
"version": "e1c5f754067b594de58d387aa5873dec83b6c9fd",
"versionType": "git"
},
{
"lessThan": "333991c4e66b3d4b5613315f18016da80344f659",
"status": "affected",
"version": "e1c5f754067b594de58d387aa5873dec83b6c9fd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/selftests/i915_gem_gtt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.13",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/selftests: fix subtraction overflow bug\n\nOn some machines hole_end can be small enough to cause subtraction\noverflow. On the other side (addr + 2 * min_alignment) can overflow\nin case of mock tests. This patch should handle both cases.\n\n(cherry picked from commit ab3edc679c552a466e4bf0b11af3666008bd65a2)"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:42:16.363Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e8997d2d6b8d764e12489f1af2a1ce1d7384ca2a"
},
{
"url": "https://git.kernel.org/stable/c/333991c4e66b3d4b5613315f18016da80344f659"
}
],
"title": "drm/i915/selftests: fix subtraction overflow bug",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49635",
"datePublished": "2025-02-26T02:23:45.744Z",
"dateReserved": "2025-02-26T02:21:30.429Z",
"dateUpdated": "2025-05-04T08:42:16.363Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40315 (GCVE-0-2025-40315)
Vulnerability from cvelistv5
Published
2025-12-08 00:46
Modified
2026-01-02 15:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: f_fs: Fix epfile null pointer access after ep enable.
A race condition occurs when ffs_func_eps_enable() runs concurrently
with ffs_data_reset(). The ffs_data_clear() called in ffs_data_reset()
sets ffs->epfiles to NULL before resetting ffs->eps_count to 0, leading
to a NULL pointer dereference when accessing epfile->ep in
ffs_func_eps_enable() after successful usb_ep_enable().
The ffs->epfiles pointer is set to NULL in both ffs_data_clear() and
ffs_data_close() functions, and its modification is protected by the
spinlock ffs->eps_lock. And the whole ffs_func_eps_enable() function
is also protected by ffs->eps_lock.
Thus, add NULL pointer handling for ffs->epfiles in the
ffs_func_eps_enable() function to fix issues
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: c9fc422c9a43e3d58d246334a71f3390401781dc Version: 0042178a69eb77a979e36a50dcce9794a3140ef8 Version: 72a8aee863af099d4434314c4536d6c9a61dcf3c Version: ebe2b1add1055b903e2acd86b290a85297edc0b3 Version: ebe2b1add1055b903e2acd86b290a85297edc0b3 Version: ebe2b1add1055b903e2acd86b290a85297edc0b3 Version: ebe2b1add1055b903e2acd86b290a85297edc0b3 Version: ebe2b1add1055b903e2acd86b290a85297edc0b3 Version: 32048f4be071f9a6966744243f1786f45bb22dc2 Version: cfe5f6fd335d882bcc829a1c8a7d462a455c626e Version: 3e078b18753669615301d946297bafd69294ad2c |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/function/f_fs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b00d2572c16e8e59e979960d3383c2ae9cebd195",
"status": "affected",
"version": "c9fc422c9a43e3d58d246334a71f3390401781dc",
"versionType": "git"
},
{
"lessThan": "1c0dbd240be3f87cac321b14e17979b7e9cb6a8f",
"status": "affected",
"version": "0042178a69eb77a979e36a50dcce9794a3140ef8",
"versionType": "git"
},
{
"lessThan": "9ec40fba7357df2d36f4c2e2f3b9b1a4fba0a272",
"status": "affected",
"version": "72a8aee863af099d4434314c4536d6c9a61dcf3c",
"versionType": "git"
},
{
"lessThan": "c53e90563bc148e4e0ad09fe130ba2246d426ea6",
"status": "affected",
"version": "ebe2b1add1055b903e2acd86b290a85297edc0b3",
"versionType": "git"
},
{
"lessThan": "fc1141a530dfc91f0ee19b7f422a2d24829584bc",
"status": "affected",
"version": "ebe2b1add1055b903e2acd86b290a85297edc0b3",
"versionType": "git"
},
{
"lessThan": "d62b808d5c68a931ad0849a00a5e3be3dd7e0019",
"status": "affected",
"version": "ebe2b1add1055b903e2acd86b290a85297edc0b3",
"versionType": "git"
},
{
"lessThan": "30880e9df27332403dd638a82c27921134b3630b",
"status": "affected",
"version": "ebe2b1add1055b903e2acd86b290a85297edc0b3",
"versionType": "git"
},
{
"lessThan": "cfd6f1a7b42f62523c96d9703ef32b0dbc495ba4",
"status": "affected",
"version": "ebe2b1add1055b903e2acd86b290a85297edc0b3",
"versionType": "git"
},
{
"status": "affected",
"version": "32048f4be071f9a6966744243f1786f45bb22dc2",
"versionType": "git"
},
{
"status": "affected",
"version": "cfe5f6fd335d882bcc829a1c8a7d462a455c626e",
"versionType": "git"
},
{
"status": "affected",
"version": "3e078b18753669615301d946297bafd69294ad2c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/function/f_fs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "5.4.180",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.10.101",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.15.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.267",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.230",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.16.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_fs: Fix epfile null pointer access after ep enable.\n\nA race condition occurs when ffs_func_eps_enable() runs concurrently\nwith ffs_data_reset(). The ffs_data_clear() called in ffs_data_reset()\nsets ffs-\u003eepfiles to NULL before resetting ffs-\u003eeps_count to 0, leading\nto a NULL pointer dereference when accessing epfile-\u003eep in\nffs_func_eps_enable() after successful usb_ep_enable().\n\nThe ffs-\u003eepfiles pointer is set to NULL in both ffs_data_clear() and\nffs_data_close() functions, and its modification is protected by the\nspinlock ffs-\u003eeps_lock. And the whole ffs_func_eps_enable() function\nis also protected by ffs-\u003eeps_lock.\n\nThus, add NULL pointer handling for ffs-\u003eepfiles in the\nffs_func_eps_enable() function to fix issues"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:33.404Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b00d2572c16e8e59e979960d3383c2ae9cebd195"
},
{
"url": "https://git.kernel.org/stable/c/1c0dbd240be3f87cac321b14e17979b7e9cb6a8f"
},
{
"url": "https://git.kernel.org/stable/c/9ec40fba7357df2d36f4c2e2f3b9b1a4fba0a272"
},
{
"url": "https://git.kernel.org/stable/c/c53e90563bc148e4e0ad09fe130ba2246d426ea6"
},
{
"url": "https://git.kernel.org/stable/c/fc1141a530dfc91f0ee19b7f422a2d24829584bc"
},
{
"url": "https://git.kernel.org/stable/c/d62b808d5c68a931ad0849a00a5e3be3dd7e0019"
},
{
"url": "https://git.kernel.org/stable/c/30880e9df27332403dd638a82c27921134b3630b"
},
{
"url": "https://git.kernel.org/stable/c/cfd6f1a7b42f62523c96d9703ef32b0dbc495ba4"
}
],
"title": "usb: gadget: f_fs: Fix epfile null pointer access after ep enable.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40315",
"datePublished": "2025-12-08T00:46:41.896Z",
"dateReserved": "2025-04-16T07:20:57.186Z",
"dateUpdated": "2026-01-02T15:33:33.404Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23058 (GCVE-0-2026-23058)
Vulnerability from cvelistv5
Published
2026-02-04 16:07
Modified
2026-02-09 08:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: ems_usb: ems_usb_read_bulk_callback(): fix URB memory leak
Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb:
gs_usb_receive_bulk_callback(): fix URB memory leak").
In ems_usb_open(), the URBs for USB-in transfers are allocated, added to
the dev->rx_submitted anchor and submitted. In the complete callback
ems_usb_read_bulk_callback(), the URBs are processed and resubmitted. In
ems_usb_close() the URBs are freed by calling
usb_kill_anchored_urbs(&dev->rx_submitted).
However, this does not take into account that the USB framework unanchors
the URB before the complete function is called. This means that once an
in-URB has been completed, it is no longer anchored and is ultimately not
released in ems_usb_close().
Fix the memory leak by anchoring the URB in the
ems_usb_read_bulk_callback() to the dev->rx_submitted anchor.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 702171adeed3607ee9603ec30ce081411e36ae42 Version: 702171adeed3607ee9603ec30ce081411e36ae42 Version: 702171adeed3607ee9603ec30ce081411e36ae42 Version: 702171adeed3607ee9603ec30ce081411e36ae42 Version: 702171adeed3607ee9603ec30ce081411e36ae42 Version: 702171adeed3607ee9603ec30ce081411e36ae42 Version: 702171adeed3607ee9603ec30ce081411e36ae42 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/ems_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e2c71030dc464d437110bcfb367c493fd402bddb",
"status": "affected",
"version": "702171adeed3607ee9603ec30ce081411e36ae42",
"versionType": "git"
},
{
"lessThan": "f48eabd15194b216030b32445f44230df95f5fe0",
"status": "affected",
"version": "702171adeed3607ee9603ec30ce081411e36ae42",
"versionType": "git"
},
{
"lessThan": "61e6d3674c3d1da1475dc207b3e75c55d678d18e",
"status": "affected",
"version": "702171adeed3607ee9603ec30ce081411e36ae42",
"versionType": "git"
},
{
"lessThan": "e9410fdd4d5f7eaa6526d8c80e83029d7c86a8e8",
"status": "affected",
"version": "702171adeed3607ee9603ec30ce081411e36ae42",
"versionType": "git"
},
{
"lessThan": "46a191ff7eeec33a2ccb2a1bfea34e18fbc5dc1a",
"status": "affected",
"version": "702171adeed3607ee9603ec30ce081411e36ae42",
"versionType": "git"
},
{
"lessThan": "68c62b3e53901846b5f68c5a8bade72a5d9c0b87",
"status": "affected",
"version": "702171adeed3607ee9603ec30ce081411e36ae42",
"versionType": "git"
},
{
"lessThan": "0ce73a0eb5a27070957b67fd74059b6da89cc516",
"status": "affected",
"version": "702171adeed3607ee9603ec30ce081411e36ae42",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/ems_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.32"
},
{
"lessThan": "2.6.32",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.32",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: ems_usb: ems_usb_read_bulk_callback(): fix URB memory leak\n\nFix similar memory leak as in commit 7352e1d5932a (\"can: gs_usb:\ngs_usb_receive_bulk_callback(): fix URB memory leak\").\n\nIn ems_usb_open(), the URBs for USB-in transfers are allocated, added to\nthe dev-\u003erx_submitted anchor and submitted. In the complete callback\nems_usb_read_bulk_callback(), the URBs are processed and resubmitted. In\nems_usb_close() the URBs are freed by calling\nusb_kill_anchored_urbs(\u0026dev-\u003erx_submitted).\n\nHowever, this does not take into account that the USB framework unanchors\nthe URB before the complete function is called. This means that once an\nin-URB has been completed, it is no longer anchored and is ultimately not\nreleased in ems_usb_close().\n\nFix the memory leak by anchoring the URB in the\nems_usb_read_bulk_callback() to the dev-\u003erx_submitted anchor."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:37:56.573Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e2c71030dc464d437110bcfb367c493fd402bddb"
},
{
"url": "https://git.kernel.org/stable/c/f48eabd15194b216030b32445f44230df95f5fe0"
},
{
"url": "https://git.kernel.org/stable/c/61e6d3674c3d1da1475dc207b3e75c55d678d18e"
},
{
"url": "https://git.kernel.org/stable/c/e9410fdd4d5f7eaa6526d8c80e83029d7c86a8e8"
},
{
"url": "https://git.kernel.org/stable/c/46a191ff7eeec33a2ccb2a1bfea34e18fbc5dc1a"
},
{
"url": "https://git.kernel.org/stable/c/68c62b3e53901846b5f68c5a8bade72a5d9c0b87"
},
{
"url": "https://git.kernel.org/stable/c/0ce73a0eb5a27070957b67fd74059b6da89cc516"
}
],
"title": "can: ems_usb: ems_usb_read_bulk_callback(): fix URB memory leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23058",
"datePublished": "2026-02-04T16:07:41.337Z",
"dateReserved": "2026-01-13T15:37:45.952Z",
"dateUpdated": "2026-02-09T08:37:56.573Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68227 (GCVE-0-2025-68227)
Vulnerability from cvelistv5
Published
2025-12-16 13:57
Modified
2025-12-16 13:57
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mptcp: Fix proto fallback detection with BPF
The sockmap feature allows bpf syscall from userspace, or based
on bpf sockops, replacing the sk_prot of sockets during protocol stack
processing with sockmap's custom read/write interfaces.
'''
tcp_rcv_state_process()
syn_recv_sock()/subflow_syn_recv_sock()
tcp_init_transfer(BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB)
bpf_skops_established <== sockops
bpf_sock_map_update(sk) <== call bpf helper
tcp_bpf_update_proto() <== update sk_prot
'''
When the server has MPTCP enabled but the client sends a TCP SYN
without MPTCP, subflow_syn_recv_sock() performs a fallback on the
subflow, replacing the subflow sk's sk_prot with the native sk_prot.
'''
subflow_syn_recv_sock()
subflow_ulp_fallback()
subflow_drop_ctx()
mptcp_subflow_ops_undo_override()
'''
Then, this subflow can be normally used by sockmap, which replaces the
native sk_prot with sockmap's custom sk_prot. The issue occurs when the
user executes accept::mptcp_stream_accept::mptcp_fallback_tcp_ops().
Here, it uses sk->sk_prot to compare with the native sk_prot, but this
is incorrect when sockmap is used, as we may incorrectly set
sk->sk_socket->ops.
This fix uses the more generic sk_family for the comparison instead.
Additionally, this also prevents a WARNING from occurring:
result from ./scripts/decode_stacktrace.sh:
------------[ cut here ]------------
WARNING: CPU: 0 PID: 337 at net/mptcp/protocol.c:68 mptcp_stream_accept \
(net/mptcp/protocol.c:4005)
Modules linked in:
...
PKRU: 55555554
Call Trace:
<TASK>
do_accept (net/socket.c:1989)
__sys_accept4 (net/socket.c:2028 net/socket.c:2057)
__x64_sys_accept (net/socket.c:2067)
x64_sys_call (arch/x86/entry/syscall_64.c:41)
do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
RIP: 0033:0x7f87ac92b83d
---[ end trace 0000000000000000 ]---
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 0b4f33def7bbde1ce2fea05f116639270e7acdc7 Version: 0b4f33def7bbde1ce2fea05f116639270e7acdc7 Version: 0b4f33def7bbde1ce2fea05f116639270e7acdc7 Version: 0b4f33def7bbde1ce2fea05f116639270e7acdc7 Version: 0b4f33def7bbde1ce2fea05f116639270e7acdc7 Version: 0b4f33def7bbde1ce2fea05f116639270e7acdc7 Version: 0b4f33def7bbde1ce2fea05f116639270e7acdc7 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mptcp/protocol.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "92c4092fe012ecdfa5fb05d394f1c1d8f91ad81c",
"status": "affected",
"version": "0b4f33def7bbde1ce2fea05f116639270e7acdc7",
"versionType": "git"
},
{
"lessThan": "7ee8f015eb47907745e2070184a8ab1e442ac3c4",
"status": "affected",
"version": "0b4f33def7bbde1ce2fea05f116639270e7acdc7",
"versionType": "git"
},
{
"lessThan": "344974ea1a3ca30e4920687b0091bda4438cebdb",
"status": "affected",
"version": "0b4f33def7bbde1ce2fea05f116639270e7acdc7",
"versionType": "git"
},
{
"lessThan": "037cc50589643342d69185b663ecf9d26cce91e8",
"status": "affected",
"version": "0b4f33def7bbde1ce2fea05f116639270e7acdc7",
"versionType": "git"
},
{
"lessThan": "9b1980b6f23fa30bf12add19f37c7458625099eb",
"status": "affected",
"version": "0b4f33def7bbde1ce2fea05f116639270e7acdc7",
"versionType": "git"
},
{
"lessThan": "1a0d5c74af9b6ba9ffdf1172de5a1a6df5922a00",
"status": "affected",
"version": "0b4f33def7bbde1ce2fea05f116639270e7acdc7",
"versionType": "git"
},
{
"lessThan": "c77b3b79a92e3345aa1ee296180d1af4e7031f8f",
"status": "affected",
"version": "0b4f33def7bbde1ce2fea05f116639270e7acdc7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mptcp/protocol.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: Fix proto fallback detection with BPF\n\nThe sockmap feature allows bpf syscall from userspace, or based\non bpf sockops, replacing the sk_prot of sockets during protocol stack\nprocessing with sockmap\u0027s custom read/write interfaces.\n\u0027\u0027\u0027\ntcp_rcv_state_process()\n syn_recv_sock()/subflow_syn_recv_sock()\n tcp_init_transfer(BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB)\n bpf_skops_established \u003c== sockops\n bpf_sock_map_update(sk) \u003c== call bpf helper\n tcp_bpf_update_proto() \u003c== update sk_prot\n\u0027\u0027\u0027\n\nWhen the server has MPTCP enabled but the client sends a TCP SYN\nwithout MPTCP, subflow_syn_recv_sock() performs a fallback on the\nsubflow, replacing the subflow sk\u0027s sk_prot with the native sk_prot.\n\u0027\u0027\u0027\nsubflow_syn_recv_sock()\n subflow_ulp_fallback()\n subflow_drop_ctx()\n mptcp_subflow_ops_undo_override()\n\u0027\u0027\u0027\n\nThen, this subflow can be normally used by sockmap, which replaces the\nnative sk_prot with sockmap\u0027s custom sk_prot. The issue occurs when the\nuser executes accept::mptcp_stream_accept::mptcp_fallback_tcp_ops().\nHere, it uses sk-\u003esk_prot to compare with the native sk_prot, but this\nis incorrect when sockmap is used, as we may incorrectly set\nsk-\u003esk_socket-\u003eops.\n\nThis fix uses the more generic sk_family for the comparison instead.\n\nAdditionally, this also prevents a WARNING from occurring:\n\nresult from ./scripts/decode_stacktrace.sh:\n------------[ cut here ]------------\nWARNING: CPU: 0 PID: 337 at net/mptcp/protocol.c:68 mptcp_stream_accept \\\n(net/mptcp/protocol.c:4005)\nModules linked in:\n...\n\nPKRU: 55555554\nCall Trace:\n\u003cTASK\u003e\ndo_accept (net/socket.c:1989)\n__sys_accept4 (net/socket.c:2028 net/socket.c:2057)\n__x64_sys_accept (net/socket.c:2067)\nx64_sys_call (arch/x86/entry/syscall_64.c:41)\ndo_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\nRIP: 0033:0x7f87ac92b83d\n\n---[ end trace 0000000000000000 ]---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T13:57:20.027Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/92c4092fe012ecdfa5fb05d394f1c1d8f91ad81c"
},
{
"url": "https://git.kernel.org/stable/c/7ee8f015eb47907745e2070184a8ab1e442ac3c4"
},
{
"url": "https://git.kernel.org/stable/c/344974ea1a3ca30e4920687b0091bda4438cebdb"
},
{
"url": "https://git.kernel.org/stable/c/037cc50589643342d69185b663ecf9d26cce91e8"
},
{
"url": "https://git.kernel.org/stable/c/9b1980b6f23fa30bf12add19f37c7458625099eb"
},
{
"url": "https://git.kernel.org/stable/c/1a0d5c74af9b6ba9ffdf1172de5a1a6df5922a00"
},
{
"url": "https://git.kernel.org/stable/c/c77b3b79a92e3345aa1ee296180d1af4e7031f8f"
}
],
"title": "mptcp: Fix proto fallback detection with BPF",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68227",
"datePublished": "2025-12-16T13:57:20.027Z",
"dateReserved": "2025-12-16T13:41:40.257Z",
"dateUpdated": "2025-12-16T13:57:20.027Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71121 (GCVE-0-2025-71121)
Vulnerability from cvelistv5
Published
2026-01-14 15:06
Modified
2026-02-09 08:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
parisc: Do not reprogram affinitiy on ASP chip
The ASP chip is a very old variant of the GSP chip and is used e.g. in
HP 730 workstations. When trying to reprogram the affinity it will crash
with a HPMC as the relevant registers don't seem to be at the usual
location. Let's avoid the crash by checking the sversion. Also note,
that reprogramming isn't necessary either, as the HP730 is a just a
single-CPU machine.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: f7c35220305f273bddc0bdaf1e453b4ca280f145 Version: f77f482ec31a1f38eb38079622ca367b4b7d7442 Version: 939fc856676c266c3bc347c1c1661872a3725c0f Version: 939fc856676c266c3bc347c1c1661872a3725c0f Version: 939fc856676c266c3bc347c1c1661872a3725c0f Version: 939fc856676c266c3bc347c1c1661872a3725c0f Version: 939fc856676c266c3bc347c1c1661872a3725c0f Version: 52b66c46bb9f5fb270673327c41dec50171939c1 Version: 3940ecfccfffec8385b64551fd73a12c02049437 Version: bab8e3b4f68ac393c42da73d0bce891d281ded55 Version: ff342de194ad311f905ce0b6b73db48db802e224 Version: ef24e0a68b59ea8f59fedf5a9881fd9cf9f27370 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/parisc/gsc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "845a92b74cf7a730200532ecb4482981cec9d006",
"status": "affected",
"version": "f7c35220305f273bddc0bdaf1e453b4ca280f145",
"versionType": "git"
},
{
"lessThan": "7a146f34e5be96330467397c9fd9d3d851b2cbbe",
"status": "affected",
"version": "f77f482ec31a1f38eb38079622ca367b4b7d7442",
"versionType": "git"
},
{
"lessThan": "4d0858bbeea12a50bfb32137f74d4b74917ebadd",
"status": "affected",
"version": "939fc856676c266c3bc347c1c1661872a3725c0f",
"versionType": "git"
},
{
"lessThan": "e09fd2eb6d4c993ee9eaae556cb51e30ec1042df",
"status": "affected",
"version": "939fc856676c266c3bc347c1c1661872a3725c0f",
"versionType": "git"
},
{
"lessThan": "60560d13ff368415c96a0c1247bea16d427c0641",
"status": "affected",
"version": "939fc856676c266c3bc347c1c1661872a3725c0f",
"versionType": "git"
},
{
"lessThan": "c8f810e20f4bbe50b49f73429d9fa6efad00623e",
"status": "affected",
"version": "939fc856676c266c3bc347c1c1661872a3725c0f",
"versionType": "git"
},
{
"lessThan": "dca7da244349eef4d78527cafc0bf80816b261f5",
"status": "affected",
"version": "939fc856676c266c3bc347c1c1661872a3725c0f",
"versionType": "git"
},
{
"status": "affected",
"version": "52b66c46bb9f5fb270673327c41dec50171939c1",
"versionType": "git"
},
{
"status": "affected",
"version": "3940ecfccfffec8385b64551fd73a12c02049437",
"versionType": "git"
},
{
"status": "affected",
"version": "bab8e3b4f68ac393c42da73d0bce891d281ded55",
"versionType": "git"
},
{
"status": "affected",
"version": "ff342de194ad311f905ce0b6b73db48db802e224",
"versionType": "git"
},
{
"status": "affected",
"version": "ef24e0a68b59ea8f59fedf5a9881fd9cf9f27370",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/parisc/gsc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.10.111",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.15.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.276",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.238",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.189",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.16.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.17.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nparisc: Do not reprogram affinitiy on ASP chip\n\nThe ASP chip is a very old variant of the GSP chip and is used e.g. in\nHP 730 workstations. When trying to reprogram the affinity it will crash\nwith a HPMC as the relevant registers don\u0027t seem to be at the usual\nlocation. Let\u0027s avoid the crash by checking the sversion. Also note,\nthat reprogramming isn\u0027t necessary either, as the HP730 is a just a\nsingle-CPU machine."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:16.277Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/845a92b74cf7a730200532ecb4482981cec9d006"
},
{
"url": "https://git.kernel.org/stable/c/7a146f34e5be96330467397c9fd9d3d851b2cbbe"
},
{
"url": "https://git.kernel.org/stable/c/4d0858bbeea12a50bfb32137f74d4b74917ebadd"
},
{
"url": "https://git.kernel.org/stable/c/e09fd2eb6d4c993ee9eaae556cb51e30ec1042df"
},
{
"url": "https://git.kernel.org/stable/c/60560d13ff368415c96a0c1247bea16d427c0641"
},
{
"url": "https://git.kernel.org/stable/c/c8f810e20f4bbe50b49f73429d9fa6efad00623e"
},
{
"url": "https://git.kernel.org/stable/c/dca7da244349eef4d78527cafc0bf80816b261f5"
}
],
"title": "parisc: Do not reprogram affinitiy on ASP chip",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71121",
"datePublished": "2026-01-14T15:06:07.871Z",
"dateReserved": "2026-01-13T15:30:19.654Z",
"dateUpdated": "2026-02-09T08:35:16.277Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71132 (GCVE-0-2025-71132)
Vulnerability from cvelistv5
Published
2026-01-14 15:07
Modified
2026-02-09 08:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
smc91x: fix broken irq-context in PREEMPT_RT
When smc91x.c is built with PREEMPT_RT, the following splat occurs
in FVP_RevC:
[ 13.055000] smc91x LNRO0003:00 eth0: link up, 10Mbps, half-duplex, lpa 0x0000
[ 13.062137] BUG: workqueue leaked atomic, lock or RCU: kworker/2:1[106]
[ 13.062137] preempt=0x00000000 lock=0->0 RCU=0->1 workfn=mld_ifc_work
[ 13.062266] C
** replaying previous printk message **
[ 13.062266] CPU: 2 UID: 0 PID: 106 Comm: kworker/2:1 Not tainted 6.18.0-dirty #179 PREEMPT_{RT,(full)}
[ 13.062353] Hardware name: , BIOS
[ 13.062382] Workqueue: mld mld_ifc_work
[ 13.062469] Call trace:
[ 13.062494] show_stack+0x24/0x40 (C)
[ 13.062602] __dump_stack+0x28/0x48
[ 13.062710] dump_stack_lvl+0x7c/0xb0
[ 13.062818] dump_stack+0x18/0x34
[ 13.062926] process_scheduled_works+0x294/0x450
[ 13.063043] worker_thread+0x260/0x3d8
[ 13.063124] kthread+0x1c4/0x228
[ 13.063235] ret_from_fork+0x10/0x20
This happens because smc_special_trylock() disables IRQs even on PREEMPT_RT,
but smc_special_unlock() does not restore IRQs on PREEMPT_RT.
The reason is that smc_special_unlock() calls spin_unlock_irqrestore(),
and rcu_read_unlock_bh() in __dev_queue_xmit() cannot invoke
rcu_read_unlock() through __local_bh_enable_ip() when current->softirq_disable_cnt becomes zero.
To address this issue, replace smc_special_trylock() with spin_trylock_irqsave().
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 342a93247e0837101f27bbcca26f402902df98dc Version: 342a93247e0837101f27bbcca26f402902df98dc Version: 342a93247e0837101f27bbcca26f402902df98dc Version: 342a93247e0837101f27bbcca26f402902df98dc Version: 342a93247e0837101f27bbcca26f402902df98dc Version: 342a93247e0837101f27bbcca26f402902df98dc |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/smsc/smc91x.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1c4cb705e733250d13243f6a69b8b5a92e39b9f6",
"status": "affected",
"version": "342a93247e0837101f27bbcca26f402902df98dc",
"versionType": "git"
},
{
"lessThan": "9d222141b00156509d67d80c771fbefa92c43ace",
"status": "affected",
"version": "342a93247e0837101f27bbcca26f402902df98dc",
"versionType": "git"
},
{
"lessThan": "ef277ae121b3249c99994652210a326b52d527b0",
"status": "affected",
"version": "342a93247e0837101f27bbcca26f402902df98dc",
"versionType": "git"
},
{
"lessThan": "36561b86cb2501647662cfaf91286dd6973804a6",
"status": "affected",
"version": "342a93247e0837101f27bbcca26f402902df98dc",
"versionType": "git"
},
{
"lessThan": "b6018d5c1a8f09d5efe4d6961d7ee45fdf3a7ce3",
"status": "affected",
"version": "342a93247e0837101f27bbcca26f402902df98dc",
"versionType": "git"
},
{
"lessThan": "6402078bd9d1ed46e79465e1faaa42e3458f8a33",
"status": "affected",
"version": "342a93247e0837101f27bbcca26f402902df98dc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/smsc/smc91x.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmc91x: fix broken irq-context in PREEMPT_RT\n\nWhen smc91x.c is built with PREEMPT_RT, the following splat occurs\nin FVP_RevC:\n\n[ 13.055000] smc91x LNRO0003:00 eth0: link up, 10Mbps, half-duplex, lpa 0x0000\n[ 13.062137] BUG: workqueue leaked atomic, lock or RCU: kworker/2:1[106]\n[ 13.062137] preempt=0x00000000 lock=0-\u003e0 RCU=0-\u003e1 workfn=mld_ifc_work\n[ 13.062266] C\n** replaying previous printk message **\n[ 13.062266] CPU: 2 UID: 0 PID: 106 Comm: kworker/2:1 Not tainted 6.18.0-dirty #179 PREEMPT_{RT,(full)}\n[ 13.062353] Hardware name: , BIOS\n[ 13.062382] Workqueue: mld mld_ifc_work\n[ 13.062469] Call trace:\n[ 13.062494] show_stack+0x24/0x40 (C)\n[ 13.062602] __dump_stack+0x28/0x48\n[ 13.062710] dump_stack_lvl+0x7c/0xb0\n[ 13.062818] dump_stack+0x18/0x34\n[ 13.062926] process_scheduled_works+0x294/0x450\n[ 13.063043] worker_thread+0x260/0x3d8\n[ 13.063124] kthread+0x1c4/0x228\n[ 13.063235] ret_from_fork+0x10/0x20\n\nThis happens because smc_special_trylock() disables IRQs even on PREEMPT_RT,\nbut smc_special_unlock() does not restore IRQs on PREEMPT_RT.\nThe reason is that smc_special_unlock() calls spin_unlock_irqrestore(),\nand rcu_read_unlock_bh() in __dev_queue_xmit() cannot invoke\nrcu_read_unlock() through __local_bh_enable_ip() when current-\u003esoftirq_disable_cnt becomes zero.\n\nTo address this issue, replace smc_special_trylock() with spin_trylock_irqsave()."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:28.371Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1c4cb705e733250d13243f6a69b8b5a92e39b9f6"
},
{
"url": "https://git.kernel.org/stable/c/9d222141b00156509d67d80c771fbefa92c43ace"
},
{
"url": "https://git.kernel.org/stable/c/ef277ae121b3249c99994652210a326b52d527b0"
},
{
"url": "https://git.kernel.org/stable/c/36561b86cb2501647662cfaf91286dd6973804a6"
},
{
"url": "https://git.kernel.org/stable/c/b6018d5c1a8f09d5efe4d6961d7ee45fdf3a7ce3"
},
{
"url": "https://git.kernel.org/stable/c/6402078bd9d1ed46e79465e1faaa42e3458f8a33"
}
],
"title": "smc91x: fix broken irq-context in PREEMPT_RT",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71132",
"datePublished": "2026-01-14T15:07:47.860Z",
"dateReserved": "2026-01-13T15:30:19.655Z",
"dateUpdated": "2026-02-09T08:35:28.371Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23001 (GCVE-0-2026-23001)
Vulnerability from cvelistv5
Published
2026-01-25 14:36
Modified
2026-02-09 08:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
macvlan: fix possible UAF in macvlan_forward_source()
Add RCU protection on (struct macvlan_source_entry)->vlan.
Whenever macvlan_hash_del_source() is called, we must clear
entry->vlan pointer before RCU grace period starts.
This allows macvlan_forward_source() to skip over
entries queued for freeing.
Note that macvlan_dev are already RCU protected, as they
are embedded in a standard netdev (netdev_priv(ndev)).
https: //lore.kernel.org/netdev/695fb1e8.050a0220.1c677c.039f.GAE@google.com/T/#u
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 79cf79abce71eb7dbc40e2f3121048ca5405cb47 Version: 79cf79abce71eb7dbc40e2f3121048ca5405cb47 Version: 79cf79abce71eb7dbc40e2f3121048ca5405cb47 Version: 79cf79abce71eb7dbc40e2f3121048ca5405cb47 Version: 79cf79abce71eb7dbc40e2f3121048ca5405cb47 Version: 79cf79abce71eb7dbc40e2f3121048ca5405cb47 Version: 79cf79abce71eb7dbc40e2f3121048ca5405cb47 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/macvlan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8133e85b8a3ec9f10d861e0002ec6037256e987e",
"status": "affected",
"version": "79cf79abce71eb7dbc40e2f3121048ca5405cb47",
"versionType": "git"
},
{
"lessThan": "484919832e2db6ce1e8add92c469e5d459a516b5",
"status": "affected",
"version": "79cf79abce71eb7dbc40e2f3121048ca5405cb47",
"versionType": "git"
},
{
"lessThan": "232afc74a6dde0fe1830988e5827921f5ec9bb3f",
"status": "affected",
"version": "79cf79abce71eb7dbc40e2f3121048ca5405cb47",
"versionType": "git"
},
{
"lessThan": "15f6faf36e162532bec5cc05eb3fc622108bf2ed",
"status": "affected",
"version": "79cf79abce71eb7dbc40e2f3121048ca5405cb47",
"versionType": "git"
},
{
"lessThan": "8518712a2ca952d6da2238c6f0a16b4ae5ea3f13",
"status": "affected",
"version": "79cf79abce71eb7dbc40e2f3121048ca5405cb47",
"versionType": "git"
},
{
"lessThan": "6dbead9c7677186f22b7981dd085a0feec1f038e",
"status": "affected",
"version": "79cf79abce71eb7dbc40e2f3121048ca5405cb47",
"versionType": "git"
},
{
"lessThan": "7470a7a63dc162f07c26dbf960e41ee1e248d80e",
"status": "affected",
"version": "79cf79abce71eb7dbc40e2f3121048ca5405cb47",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/macvlan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.18"
},
{
"lessThan": "3.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmacvlan: fix possible UAF in macvlan_forward_source()\n\nAdd RCU protection on (struct macvlan_source_entry)-\u003evlan.\n\nWhenever macvlan_hash_del_source() is called, we must clear\nentry-\u003evlan pointer before RCU grace period starts.\n\nThis allows macvlan_forward_source() to skip over\nentries queued for freeing.\n\nNote that macvlan_dev are already RCU protected, as they\nare embedded in a standard netdev (netdev_priv(ndev)).\n\nhttps: //lore.kernel.org/netdev/695fb1e8.050a0220.1c677c.039f.GAE@google.com/T/#u"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:53.776Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8133e85b8a3ec9f10d861e0002ec6037256e987e"
},
{
"url": "https://git.kernel.org/stable/c/484919832e2db6ce1e8add92c469e5d459a516b5"
},
{
"url": "https://git.kernel.org/stable/c/232afc74a6dde0fe1830988e5827921f5ec9bb3f"
},
{
"url": "https://git.kernel.org/stable/c/15f6faf36e162532bec5cc05eb3fc622108bf2ed"
},
{
"url": "https://git.kernel.org/stable/c/8518712a2ca952d6da2238c6f0a16b4ae5ea3f13"
},
{
"url": "https://git.kernel.org/stable/c/6dbead9c7677186f22b7981dd085a0feec1f038e"
},
{
"url": "https://git.kernel.org/stable/c/7470a7a63dc162f07c26dbf960e41ee1e248d80e"
}
],
"title": "macvlan: fix possible UAF in macvlan_forward_source()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23001",
"datePublished": "2026-01-25T14:36:15.790Z",
"dateReserved": "2026-01-13T15:37:45.938Z",
"dateUpdated": "2026-02-09T08:36:53.776Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40187 (GCVE-0-2025-40187)
Vulnerability from cvelistv5
Published
2025-11-12 21:56
Modified
2025-12-01 06:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce()
If new_asoc->peer.adaptation_ind=0 and sctp_ulpevent_make_authkey=0
and sctp_ulpevent_make_authkey() returns 0, then the variable
ai_ev remains zero and the zero will be dereferenced
in the sctp_ulpevent_free() function.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b Version: 30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b Version: 30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b Version: 30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b Version: 30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b Version: 30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b Version: 30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b Version: 30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sctp/sm_statefuns.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1014b83778c8677f1d7a57c26dc728baa801ac62",
"status": "affected",
"version": "30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b",
"versionType": "git"
},
{
"lessThan": "7f702f85df0266ed7b5bab81ba50394c92f3c928",
"status": "affected",
"version": "30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b",
"versionType": "git"
},
{
"lessThan": "dbceedc0213e75bf3e9f9f9e2f66b10699d004fe",
"status": "affected",
"version": "30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b",
"versionType": "git"
},
{
"lessThan": "025419f4e216a3ae0d0cec622262e98e8078c447",
"status": "affected",
"version": "30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b",
"versionType": "git"
},
{
"lessThan": "c21f45cfa4a9526b34d76b397c9ef080668b6e73",
"status": "affected",
"version": "30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b",
"versionType": "git"
},
{
"lessThan": "d0e8f1445c19b1786759ba72a38267e1449bab7e",
"status": "affected",
"version": "30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b",
"versionType": "git"
},
{
"lessThan": "badbd79313e6591616c1b78e29a9b71efed7f035",
"status": "affected",
"version": "30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b",
"versionType": "git"
},
{
"lessThan": "2f3119686ef50319490ccaec81a575973da98815",
"status": "affected",
"version": "30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sctp/sm_statefuns.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce()\n\nIf new_asoc-\u003epeer.adaptation_ind=0 and sctp_ulpevent_make_authkey=0\nand sctp_ulpevent_make_authkey() returns 0, then the variable\nai_ev remains zero and the zero will be dereferenced\nin the sctp_ulpevent_free() function."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:19:45.756Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1014b83778c8677f1d7a57c26dc728baa801ac62"
},
{
"url": "https://git.kernel.org/stable/c/7f702f85df0266ed7b5bab81ba50394c92f3c928"
},
{
"url": "https://git.kernel.org/stable/c/dbceedc0213e75bf3e9f9f9e2f66b10699d004fe"
},
{
"url": "https://git.kernel.org/stable/c/025419f4e216a3ae0d0cec622262e98e8078c447"
},
{
"url": "https://git.kernel.org/stable/c/c21f45cfa4a9526b34d76b397c9ef080668b6e73"
},
{
"url": "https://git.kernel.org/stable/c/d0e8f1445c19b1786759ba72a38267e1449bab7e"
},
{
"url": "https://git.kernel.org/stable/c/badbd79313e6591616c1b78e29a9b71efed7f035"
},
{
"url": "https://git.kernel.org/stable/c/2f3119686ef50319490ccaec81a575973da98815"
}
],
"title": "net/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40187",
"datePublished": "2025-11-12T21:56:29.504Z",
"dateReserved": "2025-04-16T07:20:57.177Z",
"dateUpdated": "2025-12-01T06:19:45.756Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68792 (GCVE-0-2025-68792)
Vulnerability from cvelistv5
Published
2026-01-13 15:29
Modified
2026-02-09 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tpm2-sessions: Fix out of range indexing in name_size
'name_size' does not have any range checks, and it just directly indexes
with TPM_ALG_ID, which could lead into memory corruption at worst.
Address the issue by only processing known values and returning -EINVAL for
unrecognized values.
Make also 'tpm_buf_append_name' and 'tpm_buf_fill_hmac_session' fallible so
that errors are detected before causing any spurious TPM traffic.
End also the authorization session on failure in both of the functions, as
the session state would be then by definition corrupted.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/char/tpm/tpm2-cmd.c",
"drivers/char/tpm/tpm2-sessions.c",
"include/linux/tpm.h",
"security/keys/trusted-keys/trusted_tpm2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "47e676ce4d68f461dfcab906f6aeb254f7276deb",
"status": "affected",
"version": "1085b8276bb4239daa7008f0dcd5c973e4bd690f",
"versionType": "git"
},
{
"lessThan": "04a3aa6e8c5f878cc51a8a1c90b6d3c54079bc43",
"status": "affected",
"version": "1085b8276bb4239daa7008f0dcd5c973e4bd690f",
"versionType": "git"
},
{
"lessThan": "6e9722e9a7bfe1bbad649937c811076acf86e1fd",
"status": "affected",
"version": "1085b8276bb4239daa7008f0dcd5c973e4bd690f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/char/tpm/tpm2-cmd.c",
"drivers/char/tpm/tpm2-sessions.c",
"include/linux/tpm.h",
"security/keys/trusted-keys/trusted_tpm2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.10"
},
{
"lessThan": "6.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntpm2-sessions: Fix out of range indexing in name_size\n\n\u0027name_size\u0027 does not have any range checks, and it just directly indexes\nwith TPM_ALG_ID, which could lead into memory corruption at worst.\n\nAddress the issue by only processing known values and returning -EINVAL for\nunrecognized values.\n\nMake also \u0027tpm_buf_append_name\u0027 and \u0027tpm_buf_fill_hmac_session\u0027 fallible so\nthat errors are detected before causing any spurious TPM traffic.\n\nEnd also the authorization session on failure in both of the functions, as\nthe session state would be then by definition corrupted."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:39.373Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/47e676ce4d68f461dfcab906f6aeb254f7276deb"
},
{
"url": "https://git.kernel.org/stable/c/04a3aa6e8c5f878cc51a8a1c90b6d3c54079bc43"
},
{
"url": "https://git.kernel.org/stable/c/6e9722e9a7bfe1bbad649937c811076acf86e1fd"
}
],
"title": "tpm2-sessions: Fix out of range indexing in name_size",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68792",
"datePublished": "2026-01-13T15:29:04.226Z",
"dateReserved": "2025-12-24T10:30:51.037Z",
"dateUpdated": "2026-02-09T08:33:39.373Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68800 (GCVE-0-2025-68800)
Vulnerability from cvelistv5
Published
2026-01-13 15:29
Modified
2026-02-09 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats
Cited commit added a dedicated mutex (instead of RTNL) to protect the
multicast route list, so that it will not change while the driver
periodically traverses it in order to update the kernel about multicast
route stats that were queried from the device.
One instance of list entry deletion (during route replace) was missed
and it can result in a use-after-free [1].
Fix by acquiring the mutex before deleting the entry from the list and
releasing it afterwards.
[1]
BUG: KASAN: slab-use-after-free in mlxsw_sp_mr_stats_update+0x4a5/0x540 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:1006 [mlxsw_spectrum]
Read of size 8 at addr ffff8881523c2fa8 by task kworker/2:5/22043
CPU: 2 UID: 0 PID: 22043 Comm: kworker/2:5 Not tainted 6.18.0-rc1-custom-g1a3d6d7cd014 #1 PREEMPT(full)
Hardware name: Mellanox Technologies Ltd. MSN2010/SA002610, BIOS 5.6.5 08/24/2017
Workqueue: mlxsw_core mlxsw_sp_mr_stats_update [mlxsw_spectrum]
Call Trace:
<TASK>
dump_stack_lvl+0xba/0x110
print_report+0x174/0x4f5
kasan_report+0xdf/0x110
mlxsw_sp_mr_stats_update+0x4a5/0x540 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:1006 [mlxsw_spectrum]
process_one_work+0x9cc/0x18e0
worker_thread+0x5df/0xe40
kthread+0x3b8/0x730
ret_from_fork+0x3e9/0x560
ret_from_fork_asm+0x1a/0x30
</TASK>
Allocated by task 29933:
kasan_save_stack+0x30/0x50
kasan_save_track+0x14/0x30
__kasan_kmalloc+0x8f/0xa0
mlxsw_sp_mr_route_add+0xd8/0x4770 [mlxsw_spectrum]
mlxsw_sp_router_fibmr_event_work+0x371/0xad0 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:7965 [mlxsw_spectrum]
process_one_work+0x9cc/0x18e0
worker_thread+0x5df/0xe40
kthread+0x3b8/0x730
ret_from_fork+0x3e9/0x560
ret_from_fork_asm+0x1a/0x30
Freed by task 29933:
kasan_save_stack+0x30/0x50
kasan_save_track+0x14/0x30
__kasan_save_free_info+0x3b/0x70
__kasan_slab_free+0x43/0x70
kfree+0x14e/0x700
mlxsw_sp_mr_route_add+0x2dea/0x4770 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:444 [mlxsw_spectrum]
mlxsw_sp_router_fibmr_event_work+0x371/0xad0 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:7965 [mlxsw_spectrum]
process_one_work+0x9cc/0x18e0
worker_thread+0x5df/0xe40
kthread+0x3b8/0x730
ret_from_fork+0x3e9/0x560
ret_from_fork_asm+0x1a/0x30
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: f38656d067257cc43b652958dd154e1ab0773701 Version: f38656d067257cc43b652958dd154e1ab0773701 Version: f38656d067257cc43b652958dd154e1ab0773701 Version: f38656d067257cc43b652958dd154e1ab0773701 Version: f38656d067257cc43b652958dd154e1ab0773701 Version: f38656d067257cc43b652958dd154e1ab0773701 Version: f38656d067257cc43b652958dd154e1ab0773701 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b957366f5611bbaba03dd10ef861283347ddcc88",
"status": "affected",
"version": "f38656d067257cc43b652958dd154e1ab0773701",
"versionType": "git"
},
{
"lessThan": "6e367c361a523a4b54fe618215c64a0ee189caf0",
"status": "affected",
"version": "f38656d067257cc43b652958dd154e1ab0773701",
"versionType": "git"
},
{
"lessThan": "37ca08b35a27ce8fd8e74dd3fd2ae21c23b63b73",
"status": "affected",
"version": "f38656d067257cc43b652958dd154e1ab0773701",
"versionType": "git"
},
{
"lessThan": "5f2831fc593c2b2efbff7dd0dd7441cec76adcd5",
"status": "affected",
"version": "f38656d067257cc43b652958dd154e1ab0773701",
"versionType": "git"
},
{
"lessThan": "216afc198484fde110ebeafc017992266f4596ce",
"status": "affected",
"version": "f38656d067257cc43b652958dd154e1ab0773701",
"versionType": "git"
},
{
"lessThan": "4049a6ace209f4ed150429f86ae796d7d6a4c22b",
"status": "affected",
"version": "f38656d067257cc43b652958dd154e1ab0773701",
"versionType": "git"
},
{
"lessThan": "8ac1dacec458f55f871f7153242ed6ab60373b90",
"status": "affected",
"version": "f38656d067257cc43b652958dd154e1ab0773701",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats\n\nCited commit added a dedicated mutex (instead of RTNL) to protect the\nmulticast route list, so that it will not change while the driver\nperiodically traverses it in order to update the kernel about multicast\nroute stats that were queried from the device.\n\nOne instance of list entry deletion (during route replace) was missed\nand it can result in a use-after-free [1].\n\nFix by acquiring the mutex before deleting the entry from the list and\nreleasing it afterwards.\n\n[1]\nBUG: KASAN: slab-use-after-free in mlxsw_sp_mr_stats_update+0x4a5/0x540 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:1006 [mlxsw_spectrum]\nRead of size 8 at addr ffff8881523c2fa8 by task kworker/2:5/22043\n\nCPU: 2 UID: 0 PID: 22043 Comm: kworker/2:5 Not tainted 6.18.0-rc1-custom-g1a3d6d7cd014 #1 PREEMPT(full)\nHardware name: Mellanox Technologies Ltd. MSN2010/SA002610, BIOS 5.6.5 08/24/2017\nWorkqueue: mlxsw_core mlxsw_sp_mr_stats_update [mlxsw_spectrum]\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0xba/0x110\n print_report+0x174/0x4f5\n kasan_report+0xdf/0x110\n mlxsw_sp_mr_stats_update+0x4a5/0x540 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:1006 [mlxsw_spectrum]\n process_one_work+0x9cc/0x18e0\n worker_thread+0x5df/0xe40\n kthread+0x3b8/0x730\n ret_from_fork+0x3e9/0x560\n ret_from_fork_asm+0x1a/0x30\n \u003c/TASK\u003e\n\nAllocated by task 29933:\n kasan_save_stack+0x30/0x50\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0x8f/0xa0\n mlxsw_sp_mr_route_add+0xd8/0x4770 [mlxsw_spectrum]\n mlxsw_sp_router_fibmr_event_work+0x371/0xad0 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:7965 [mlxsw_spectrum]\n process_one_work+0x9cc/0x18e0\n worker_thread+0x5df/0xe40\n kthread+0x3b8/0x730\n ret_from_fork+0x3e9/0x560\n ret_from_fork_asm+0x1a/0x30\n\nFreed by task 29933:\n kasan_save_stack+0x30/0x50\n kasan_save_track+0x14/0x30\n __kasan_save_free_info+0x3b/0x70\n __kasan_slab_free+0x43/0x70\n kfree+0x14e/0x700\n mlxsw_sp_mr_route_add+0x2dea/0x4770 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:444 [mlxsw_spectrum]\n mlxsw_sp_router_fibmr_event_work+0x371/0xad0 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:7965 [mlxsw_spectrum]\n process_one_work+0x9cc/0x18e0\n worker_thread+0x5df/0xe40\n kthread+0x3b8/0x730\n ret_from_fork+0x3e9/0x560\n ret_from_fork_asm+0x1a/0x30"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:48.526Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b957366f5611bbaba03dd10ef861283347ddcc88"
},
{
"url": "https://git.kernel.org/stable/c/6e367c361a523a4b54fe618215c64a0ee189caf0"
},
{
"url": "https://git.kernel.org/stable/c/37ca08b35a27ce8fd8e74dd3fd2ae21c23b63b73"
},
{
"url": "https://git.kernel.org/stable/c/5f2831fc593c2b2efbff7dd0dd7441cec76adcd5"
},
{
"url": "https://git.kernel.org/stable/c/216afc198484fde110ebeafc017992266f4596ce"
},
{
"url": "https://git.kernel.org/stable/c/4049a6ace209f4ed150429f86ae796d7d6a4c22b"
},
{
"url": "https://git.kernel.org/stable/c/8ac1dacec458f55f871f7153242ed6ab60373b90"
}
],
"title": "mlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68800",
"datePublished": "2026-01-13T15:29:09.688Z",
"dateReserved": "2025-12-24T10:30:51.044Z",
"dateUpdated": "2026-02-09T08:33:48.526Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71070 (GCVE-0-2025-71070)
Vulnerability from cvelistv5
Published
2026-01-13 15:31
Modified
2026-02-09 08:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ublk: clean up user copy references on ublk server exit
If a ublk server process releases a ublk char device file, any requests
dispatched to the ublk server but not yet completed will retain a ref
value of UBLK_REFCOUNT_INIT. Before commit e63d2228ef83 ("ublk: simplify
aborting ublk request"), __ublk_fail_req() would decrement the reference
count before completing the failed request. However, that commit
optimized __ublk_fail_req() to call __ublk_complete_rq() directly
without decrementing the request reference count.
The leaked reference count incorrectly allows user copy and zero copy
operations on the completed ublk request. It also triggers the
WARN_ON_ONCE(refcount_read(&io->ref)) warnings in ublk_queue_reinit()
and ublk_deinit_queue().
Commit c5c5eb24ed61 ("ublk: avoid ublk_io_release() called after ublk
char dev is closed") already fixed the issue for ublk devices using
UBLK_F_SUPPORT_ZERO_COPY or UBLK_F_AUTO_BUF_REG. However, the reference
count leak also affects UBLK_F_USER_COPY, the other reference-counted
data copy mode. Fix the condition in ublk_check_and_reset_active_ref()
to include all reference-counted data copy modes. This ensures that any
ublk requests still owned by the ublk server when it exits have their
reference counts reset to 0.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/block/ublk_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "13456b4f1033d911f8bf3a0a1195656f293ba0f6",
"status": "affected",
"version": "e63d2228ef831af36f963b3ab8604160cfff84c1",
"versionType": "git"
},
{
"lessThan": "daa24603d9f0808929514ee62ced30052ca7221c",
"status": "affected",
"version": "e63d2228ef831af36f963b3ab8604160cfff84c1",
"versionType": "git"
},
{
"status": "affected",
"version": "e537193fc4a43b48ac51cc6366319e15e32dd540",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/block/ublk_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.15"
},
{
"lessThan": "6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.14.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nublk: clean up user copy references on ublk server exit\n\nIf a ublk server process releases a ublk char device file, any requests\ndispatched to the ublk server but not yet completed will retain a ref\nvalue of UBLK_REFCOUNT_INIT. Before commit e63d2228ef83 (\"ublk: simplify\naborting ublk request\"), __ublk_fail_req() would decrement the reference\ncount before completing the failed request. However, that commit\noptimized __ublk_fail_req() to call __ublk_complete_rq() directly\nwithout decrementing the request reference count.\nThe leaked reference count incorrectly allows user copy and zero copy\noperations on the completed ublk request. It also triggers the\nWARN_ON_ONCE(refcount_read(\u0026io-\u003eref)) warnings in ublk_queue_reinit()\nand ublk_deinit_queue().\nCommit c5c5eb24ed61 (\"ublk: avoid ublk_io_release() called after ublk\nchar dev is closed\") already fixed the issue for ublk devices using\nUBLK_F_SUPPORT_ZERO_COPY or UBLK_F_AUTO_BUF_REG. However, the reference\ncount leak also affects UBLK_F_USER_COPY, the other reference-counted\ndata copy mode. Fix the condition in ublk_check_and_reset_active_ref()\nto include all reference-counted data copy modes. This ensures that any\nublk requests still owned by the ublk server when it exits have their\nreference counts reset to 0."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:20.822Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/13456b4f1033d911f8bf3a0a1195656f293ba0f6"
},
{
"url": "https://git.kernel.org/stable/c/daa24603d9f0808929514ee62ced30052ca7221c"
}
],
"title": "ublk: clean up user copy references on ublk server exit",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71070",
"datePublished": "2026-01-13T15:31:24.709Z",
"dateReserved": "2026-01-13T15:30:19.647Z",
"dateUpdated": "2026-02-09T08:34:20.822Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-46830 (GCVE-0-2024-46830)
Vulnerability from cvelistv5
Published
2024-09-27 12:39
Modified
2026-01-19 12:17
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: x86: Acquire kvm->srcu when handling KVM_SET_VCPU_EVENTS
Grab kvm->srcu when processing KVM_SET_VCPU_EVENTS, as KVM will forcibly
leave nested VMX/SVM if SMM mode is being toggled, and leaving nested VMX
reads guest memory.
Note, kvm_vcpu_ioctl_x86_set_vcpu_events() can also be called from KVM_RUN
via sync_regs(), which already holds SRCU. I.e. trying to precisely use
kvm_vcpu_srcu_read_lock() around the problematic SMM code would cause
problems. Acquiring SRCU isn't all that expensive, so for simplicity,
grab it unconditionally for KVM_SET_VCPU_EVENTS.
=============================
WARNING: suspicious RCU usage
6.10.0-rc7-332d2c1d713e-next-vm #552 Not tainted
-----------------------------
include/linux/kvm_host.h:1027 suspicious rcu_dereference_check() usage!
other info that might help us debug this:
rcu_scheduler_active = 2, debug_locks = 1
1 lock held by repro/1071:
#0: ffff88811e424430 (&vcpu->mutex){+.+.}-{3:3}, at: kvm_vcpu_ioctl+0x7d/0x970 [kvm]
stack backtrace:
CPU: 15 PID: 1071 Comm: repro Not tainted 6.10.0-rc7-332d2c1d713e-next-vm #552
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
Call Trace:
<TASK>
dump_stack_lvl+0x7f/0x90
lockdep_rcu_suspicious+0x13f/0x1a0
kvm_vcpu_gfn_to_memslot+0x168/0x190 [kvm]
kvm_vcpu_read_guest+0x3e/0x90 [kvm]
nested_vmx_load_msr+0x6b/0x1d0 [kvm_intel]
load_vmcs12_host_state+0x432/0xb40 [kvm_intel]
vmx_leave_nested+0x30/0x40 [kvm_intel]
kvm_vcpu_ioctl_x86_set_vcpu_events+0x15d/0x2b0 [kvm]
kvm_arch_vcpu_ioctl+0x1107/0x1750 [kvm]
? mark_held_locks+0x49/0x70
? kvm_vcpu_ioctl+0x7d/0x970 [kvm]
? kvm_vcpu_ioctl+0x497/0x970 [kvm]
kvm_vcpu_ioctl+0x497/0x970 [kvm]
? lock_acquire+0xba/0x2d0
? find_held_lock+0x2b/0x80
? do_user_addr_fault+0x40c/0x6f0
? lock_release+0xb7/0x270
__x64_sys_ioctl+0x82/0xb0
do_syscall_64+0x6c/0x170
entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x7ff11eb1b539
</TASK>
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: e302786233e6bc512986d007c96458ccf5ca21c7 Version: f7e570780efc5cec9b2ed1e0472a7da14e864fdb Version: f7e570780efc5cec9b2ed1e0472a7da14e864fdb Version: f7e570780efc5cec9b2ed1e0472a7da14e864fdb Version: f7e570780efc5cec9b2ed1e0472a7da14e864fdb Version: 080dbe7e9b86a0392d8dffc00d9971792afc121f Version: b4c0d89c92e957ecccce12e66b63875d0cc7af7e |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-46830",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-29T14:12:09.375859Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-29T14:12:18.179Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T22:19:21.236Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/x86.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5f35099fa3d59caf10bda88b033538e90086684e",
"status": "affected",
"version": "e302786233e6bc512986d007c96458ccf5ca21c7",
"versionType": "git"
},
{
"lessThan": "fa297c33faefe51e10244e8a378837fca4963228",
"status": "affected",
"version": "f7e570780efc5cec9b2ed1e0472a7da14e864fdb",
"versionType": "git"
},
{
"lessThan": "939375737b5a0b1bf9b1e75129054e11bc9ca65e",
"status": "affected",
"version": "f7e570780efc5cec9b2ed1e0472a7da14e864fdb",
"versionType": "git"
},
{
"lessThan": "ecdbe8ac86fb5538ccc623a41f88ec96c7168ab9",
"status": "affected",
"version": "f7e570780efc5cec9b2ed1e0472a7da14e864fdb",
"versionType": "git"
},
{
"lessThan": "4bcdd831d9d01e0fb64faea50732b59b2ee88da1",
"status": "affected",
"version": "f7e570780efc5cec9b2ed1e0472a7da14e864fdb",
"versionType": "git"
},
{
"status": "affected",
"version": "080dbe7e9b86a0392d8dffc00d9971792afc121f",
"versionType": "git"
},
{
"status": "affected",
"version": "b4c0d89c92e957ecccce12e66b63875d0cc7af7e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/x86.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.51",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.10.*",
"status": "unaffected",
"version": "6.10.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.11",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.15.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.110",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.51",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10.10",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.97",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.16.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Acquire kvm-\u003esrcu when handling KVM_SET_VCPU_EVENTS\n\nGrab kvm-\u003esrcu when processing KVM_SET_VCPU_EVENTS, as KVM will forcibly\nleave nested VMX/SVM if SMM mode is being toggled, and leaving nested VMX\nreads guest memory.\n\nNote, kvm_vcpu_ioctl_x86_set_vcpu_events() can also be called from KVM_RUN\nvia sync_regs(), which already holds SRCU. I.e. trying to precisely use\nkvm_vcpu_srcu_read_lock() around the problematic SMM code would cause\nproblems. Acquiring SRCU isn\u0027t all that expensive, so for simplicity,\ngrab it unconditionally for KVM_SET_VCPU_EVENTS.\n\n =============================\n WARNING: suspicious RCU usage\n 6.10.0-rc7-332d2c1d713e-next-vm #552 Not tainted\n -----------------------------\n include/linux/kvm_host.h:1027 suspicious rcu_dereference_check() usage!\n\n other info that might help us debug this:\n\n rcu_scheduler_active = 2, debug_locks = 1\n 1 lock held by repro/1071:\n #0: ffff88811e424430 (\u0026vcpu-\u003emutex){+.+.}-{3:3}, at: kvm_vcpu_ioctl+0x7d/0x970 [kvm]\n\n stack backtrace:\n CPU: 15 PID: 1071 Comm: repro Not tainted 6.10.0-rc7-332d2c1d713e-next-vm #552\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x7f/0x90\n lockdep_rcu_suspicious+0x13f/0x1a0\n kvm_vcpu_gfn_to_memslot+0x168/0x190 [kvm]\n kvm_vcpu_read_guest+0x3e/0x90 [kvm]\n nested_vmx_load_msr+0x6b/0x1d0 [kvm_intel]\n load_vmcs12_host_state+0x432/0xb40 [kvm_intel]\n vmx_leave_nested+0x30/0x40 [kvm_intel]\n kvm_vcpu_ioctl_x86_set_vcpu_events+0x15d/0x2b0 [kvm]\n kvm_arch_vcpu_ioctl+0x1107/0x1750 [kvm]\n ? mark_held_locks+0x49/0x70\n ? kvm_vcpu_ioctl+0x7d/0x970 [kvm]\n ? kvm_vcpu_ioctl+0x497/0x970 [kvm]\n kvm_vcpu_ioctl+0x497/0x970 [kvm]\n ? lock_acquire+0xba/0x2d0\n ? find_held_lock+0x2b/0x80\n ? do_user_addr_fault+0x40c/0x6f0\n ? lock_release+0xb7/0x270\n __x64_sys_ioctl+0x82/0xb0\n do_syscall_64+0x6c/0x170\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n RIP: 0033:0x7ff11eb1b539\n \u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:17:50.664Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5f35099fa3d59caf10bda88b033538e90086684e"
},
{
"url": "https://git.kernel.org/stable/c/fa297c33faefe51e10244e8a378837fca4963228"
},
{
"url": "https://git.kernel.org/stable/c/939375737b5a0b1bf9b1e75129054e11bc9ca65e"
},
{
"url": "https://git.kernel.org/stable/c/ecdbe8ac86fb5538ccc623a41f88ec96c7168ab9"
},
{
"url": "https://git.kernel.org/stable/c/4bcdd831d9d01e0fb64faea50732b59b2ee88da1"
}
],
"title": "KVM: x86: Acquire kvm-\u003esrcu when handling KVM_SET_VCPU_EVENTS",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-46830",
"datePublished": "2024-09-27T12:39:28.396Z",
"dateReserved": "2024-09-11T15:12:18.286Z",
"dateUpdated": "2026-01-19T12:17:50.664Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68374 (GCVE-0-2025-68374)
Vulnerability from cvelistv5
Published
2025-12-24 10:33
Modified
2026-02-09 08:32
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
md: fix rcu protection in md_wakeup_thread
We attempted to use RCU to protect the pointer 'thread', but directly
passed the value when calling md_wakeup_thread(). This means that the
RCU pointer has been acquired before rcu_read_lock(), which renders
rcu_read_lock() ineffective and could lead to a use-after-free.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/md.c",
"drivers/md/md.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "21989cb5034c835b212385a2afadf279d8069da0",
"status": "affected",
"version": "4469315439827290923fce4f3f672599cabeb366",
"versionType": "git"
},
{
"lessThan": "a4bd1caf591faeae44cb10b6517e7dacb5139bda",
"status": "affected",
"version": "4469315439827290923fce4f3f672599cabeb366",
"versionType": "git"
},
{
"lessThan": "f98b191f78124405294481dea85f8a22a3eb0a59",
"status": "affected",
"version": "4469315439827290923fce4f3f672599cabeb366",
"versionType": "git"
},
{
"lessThan": "0dc76205549b4c25705e54345f211b9f66e018a0",
"status": "affected",
"version": "4469315439827290923fce4f3f672599cabeb366",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/md.c",
"drivers/md/md.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: fix rcu protection in md_wakeup_thread\n\nWe attempted to use RCU to protect the pointer \u0027thread\u0027, but directly\npassed the value when calling md_wakeup_thread(). This means that the\nRCU pointer has been acquired before rcu_read_lock(), which renders\nrcu_read_lock() ineffective and could lead to a use-after-free."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:32:12.034Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/21989cb5034c835b212385a2afadf279d8069da0"
},
{
"url": "https://git.kernel.org/stable/c/a4bd1caf591faeae44cb10b6517e7dacb5139bda"
},
{
"url": "https://git.kernel.org/stable/c/f98b191f78124405294481dea85f8a22a3eb0a59"
},
{
"url": "https://git.kernel.org/stable/c/0dc76205549b4c25705e54345f211b9f66e018a0"
}
],
"title": "md: fix rcu protection in md_wakeup_thread",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68374",
"datePublished": "2025-12-24T10:33:04.046Z",
"dateReserved": "2025-12-16T14:48:05.310Z",
"dateUpdated": "2026-02-09T08:32:12.034Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68746 (GCVE-0-2025-68746)
Vulnerability from cvelistv5
Published
2025-12-24 12:09
Modified
2026-02-09 08:32
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
spi: tegra210-quad: Fix timeout handling
When the CPU that the QSPI interrupt handler runs on (typically CPU 0)
is excessively busy, it can lead to rare cases of the IRQ thread not
running before the transfer timeout is reached.
While handling the timeouts, any pending transfers are cleaned up and
the message that they correspond to is marked as failed, which leaves
the curr_xfer field pointing at stale memory.
To avoid this, clear curr_xfer to NULL upon timeout and check for this
condition when the IRQ thread is finally run.
While at it, also make sure to clear interrupts on failure so that new
interrupts can be run.
A better, more involved, fix would move the interrupt clearing into a
hard IRQ handler. Ideally we would also want to signal that the IRQ
thread no longer needs to be run after the timeout is hit to avoid the
extra check for a valid transfer.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 921fc1838fb036f690b8ba52e6a6d3644b475cbb Version: 921fc1838fb036f690b8ba52e6a6d3644b475cbb Version: 921fc1838fb036f690b8ba52e6a6d3644b475cbb Version: 921fc1838fb036f690b8ba52e6a6d3644b475cbb Version: 921fc1838fb036f690b8ba52e6a6d3644b475cbb Version: 921fc1838fb036f690b8ba52e6a6d3644b475cbb Version: 921fc1838fb036f690b8ba52e6a6d3644b475cbb |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-tegra210-quad.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "88db8bb7ed1bb474618acdf05ebd4f0758d244e2",
"status": "affected",
"version": "921fc1838fb036f690b8ba52e6a6d3644b475cbb",
"versionType": "git"
},
{
"lessThan": "83309dd551cfd60a5a1a98d9cab19f435b44d46d",
"status": "affected",
"version": "921fc1838fb036f690b8ba52e6a6d3644b475cbb",
"versionType": "git"
},
{
"lessThan": "c934e40246da2c5726d14e94719c514e30840df8",
"status": "affected",
"version": "921fc1838fb036f690b8ba52e6a6d3644b475cbb",
"versionType": "git"
},
{
"lessThan": "551060efb156c50fe33799038ba8145418cfdeef",
"status": "affected",
"version": "921fc1838fb036f690b8ba52e6a6d3644b475cbb",
"versionType": "git"
},
{
"lessThan": "bb0c58be84f907285af45657c1d4847b960a12bf",
"status": "affected",
"version": "921fc1838fb036f690b8ba52e6a6d3644b475cbb",
"versionType": "git"
},
{
"lessThan": "01bbf25c767219b14c3235bfa85906b8d2cb8fbc",
"status": "affected",
"version": "921fc1838fb036f690b8ba52e6a6d3644b475cbb",
"versionType": "git"
},
{
"lessThan": "b4e002d8a7cee3b1d70efad0e222567f92a73000",
"status": "affected",
"version": "921fc1838fb036f690b8ba52e6a6d3644b475cbb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-tegra210-quad.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: tegra210-quad: Fix timeout handling\n\nWhen the CPU that the QSPI interrupt handler runs on (typically CPU 0)\nis excessively busy, it can lead to rare cases of the IRQ thread not\nrunning before the transfer timeout is reached.\n\nWhile handling the timeouts, any pending transfers are cleaned up and\nthe message that they correspond to is marked as failed, which leaves\nthe curr_xfer field pointing at stale memory.\n\nTo avoid this, clear curr_xfer to NULL upon timeout and check for this\ncondition when the IRQ thread is finally run.\n\nWhile at it, also make sure to clear interrupts on failure so that new\ninterrupts can be run.\n\nA better, more involved, fix would move the interrupt clearing into a\nhard IRQ handler. Ideally we would also want to signal that the IRQ\nthread no longer needs to be run after the timeout is hit to avoid the\nextra check for a valid transfer."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:32:50.612Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/88db8bb7ed1bb474618acdf05ebd4f0758d244e2"
},
{
"url": "https://git.kernel.org/stable/c/83309dd551cfd60a5a1a98d9cab19f435b44d46d"
},
{
"url": "https://git.kernel.org/stable/c/c934e40246da2c5726d14e94719c514e30840df8"
},
{
"url": "https://git.kernel.org/stable/c/551060efb156c50fe33799038ba8145418cfdeef"
},
{
"url": "https://git.kernel.org/stable/c/bb0c58be84f907285af45657c1d4847b960a12bf"
},
{
"url": "https://git.kernel.org/stable/c/01bbf25c767219b14c3235bfa85906b8d2cb8fbc"
},
{
"url": "https://git.kernel.org/stable/c/b4e002d8a7cee3b1d70efad0e222567f92a73000"
}
],
"title": "spi: tegra210-quad: Fix timeout handling",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68746",
"datePublished": "2025-12-24T12:09:42.213Z",
"dateReserved": "2025-12-24T10:30:51.031Z",
"dateUpdated": "2026-02-09T08:32:50.612Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68821 (GCVE-0-2025-68821)
Vulnerability from cvelistv5
Published
2026-01-13 15:29
Modified
2026-02-09 08:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
fuse: fix readahead reclaim deadlock
Commit e26ee4efbc79 ("fuse: allocate ff->release_args only if release is
needed") skips allocating ff->release_args if the server does not
implement open. However in doing so, fuse_prepare_release() now skips
grabbing the reference on the inode, which makes it possible for an
inode to be evicted from the dcache while there are inflight readahead
requests. This causes a deadlock if the server triggers reclaim while
servicing the readahead request and reclaim attempts to evict the inode
of the file being read ahead. Since the folio is locked during
readahead, when reclaim evicts the fuse inode and fuse_evict_inode()
attempts to remove all folios associated with the inode from the page
cache (truncate_inode_pages_range()), reclaim will block forever waiting
for the lock since readahead cannot relinquish the lock because it is
itself blocked in reclaim:
>>> stack_trace(1504735)
folio_wait_bit_common (mm/filemap.c:1308:4)
folio_lock (./include/linux/pagemap.h:1052:3)
truncate_inode_pages_range (mm/truncate.c:336:10)
fuse_evict_inode (fs/fuse/inode.c:161:2)
evict (fs/inode.c:704:3)
dentry_unlink_inode (fs/dcache.c:412:3)
__dentry_kill (fs/dcache.c:615:3)
shrink_kill (fs/dcache.c:1060:12)
shrink_dentry_list (fs/dcache.c:1087:3)
prune_dcache_sb (fs/dcache.c:1168:2)
super_cache_scan (fs/super.c:221:10)
do_shrink_slab (mm/shrinker.c:435:9)
shrink_slab (mm/shrinker.c:626:10)
shrink_node (mm/vmscan.c:5951:2)
shrink_zones (mm/vmscan.c:6195:3)
do_try_to_free_pages (mm/vmscan.c:6257:3)
do_swap_page (mm/memory.c:4136:11)
handle_pte_fault (mm/memory.c:5562:10)
handle_mm_fault (mm/memory.c:5870:9)
do_user_addr_fault (arch/x86/mm/fault.c:1338:10)
handle_page_fault (arch/x86/mm/fault.c:1481:3)
exc_page_fault (arch/x86/mm/fault.c:1539:2)
asm_exc_page_fault+0x22/0x27
Fix this deadlock by allocating ff->release_args and grabbing the
reference on the inode when preparing the file for release even if the
server does not implement open. The inode reference will be dropped when
the last reference on the fuse file is dropped (see fuse_file_put() ->
fuse_release_end()).
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: a39f70d63f4373a598820d9491719e44cd60afe9 Version: 7d38aa079ed859b73f4460aab89c7619b04963b8 Version: c7ec75f3cbf73bd46f479f7d6942585f765715da Version: e26ee4efbc79610b20e7abe9d96c87f33dacc1ff Version: e26ee4efbc79610b20e7abe9d96c87f33dacc1ff Version: e26ee4efbc79610b20e7abe9d96c87f33dacc1ff |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/fuse/file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cbbf3f1bb9f834bb2acbb61ddca74363456e19cd",
"status": "affected",
"version": "a39f70d63f4373a598820d9491719e44cd60afe9",
"versionType": "git"
},
{
"lessThan": "4703bc0e8cd3409acb1476a70cb5b7ff943cf39a",
"status": "affected",
"version": "7d38aa079ed859b73f4460aab89c7619b04963b8",
"versionType": "git"
},
{
"lessThan": "cf74785c00b8b1c0c4a9dd74bfa9c22d62e2d99f",
"status": "affected",
"version": "c7ec75f3cbf73bd46f479f7d6942585f765715da",
"versionType": "git"
},
{
"lessThan": "fbba8b00bbe4e4f958a2b0654cc1219a7e6597f6",
"status": "affected",
"version": "e26ee4efbc79610b20e7abe9d96c87f33dacc1ff",
"versionType": "git"
},
{
"lessThan": "e0d6de83a4cc22bbac72713f3a58121af36cc411",
"status": "affected",
"version": "e26ee4efbc79610b20e7abe9d96c87f33dacc1ff",
"versionType": "git"
},
{
"lessThan": "bd5603eaae0aabf527bfb3ce1bb07e979ce5bd50",
"status": "affected",
"version": "e26ee4efbc79610b20e7abe9d96c87f33dacc1ff",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/fuse/file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.9"
},
{
"lessThan": "6.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.15.196",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "6.1.158",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.6.115",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfuse: fix readahead reclaim deadlock\n\nCommit e26ee4efbc79 (\"fuse: allocate ff-\u003erelease_args only if release is\nneeded\") skips allocating ff-\u003erelease_args if the server does not\nimplement open. However in doing so, fuse_prepare_release() now skips\ngrabbing the reference on the inode, which makes it possible for an\ninode to be evicted from the dcache while there are inflight readahead\nrequests. This causes a deadlock if the server triggers reclaim while\nservicing the readahead request and reclaim attempts to evict the inode\nof the file being read ahead. Since the folio is locked during\nreadahead, when reclaim evicts the fuse inode and fuse_evict_inode()\nattempts to remove all folios associated with the inode from the page\ncache (truncate_inode_pages_range()), reclaim will block forever waiting\nfor the lock since readahead cannot relinquish the lock because it is\nitself blocked in reclaim:\n\n\u003e\u003e\u003e stack_trace(1504735)\n folio_wait_bit_common (mm/filemap.c:1308:4)\n folio_lock (./include/linux/pagemap.h:1052:3)\n truncate_inode_pages_range (mm/truncate.c:336:10)\n fuse_evict_inode (fs/fuse/inode.c:161:2)\n evict (fs/inode.c:704:3)\n dentry_unlink_inode (fs/dcache.c:412:3)\n __dentry_kill (fs/dcache.c:615:3)\n shrink_kill (fs/dcache.c:1060:12)\n shrink_dentry_list (fs/dcache.c:1087:3)\n prune_dcache_sb (fs/dcache.c:1168:2)\n super_cache_scan (fs/super.c:221:10)\n do_shrink_slab (mm/shrinker.c:435:9)\n shrink_slab (mm/shrinker.c:626:10)\n shrink_node (mm/vmscan.c:5951:2)\n shrink_zones (mm/vmscan.c:6195:3)\n do_try_to_free_pages (mm/vmscan.c:6257:3)\n do_swap_page (mm/memory.c:4136:11)\n handle_pte_fault (mm/memory.c:5562:10)\n handle_mm_fault (mm/memory.c:5870:9)\n do_user_addr_fault (arch/x86/mm/fault.c:1338:10)\n handle_page_fault (arch/x86/mm/fault.c:1481:3)\n exc_page_fault (arch/x86/mm/fault.c:1539:2)\n asm_exc_page_fault+0x22/0x27\n\nFix this deadlock by allocating ff-\u003erelease_args and grabbing the\nreference on the inode when preparing the file for release even if the\nserver does not implement open. The inode reference will be dropped when\nthe last reference on the fuse file is dropped (see fuse_file_put() -\u003e\nfuse_release_end())."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:11.363Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cbbf3f1bb9f834bb2acbb61ddca74363456e19cd"
},
{
"url": "https://git.kernel.org/stable/c/4703bc0e8cd3409acb1476a70cb5b7ff943cf39a"
},
{
"url": "https://git.kernel.org/stable/c/cf74785c00b8b1c0c4a9dd74bfa9c22d62e2d99f"
},
{
"url": "https://git.kernel.org/stable/c/fbba8b00bbe4e4f958a2b0654cc1219a7e6597f6"
},
{
"url": "https://git.kernel.org/stable/c/e0d6de83a4cc22bbac72713f3a58121af36cc411"
},
{
"url": "https://git.kernel.org/stable/c/bd5603eaae0aabf527bfb3ce1bb07e979ce5bd50"
}
],
"title": "fuse: fix readahead reclaim deadlock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68821",
"datePublished": "2026-01-13T15:29:24.014Z",
"dateReserved": "2025-12-24T10:30:51.048Z",
"dateUpdated": "2026-02-09T08:34:11.363Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71088 (GCVE-0-2025-71088)
Vulnerability from cvelistv5
Published
2026-01-13 15:34
Modified
2026-02-09 08:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mptcp: fallback earlier on simult connection
Syzkaller reports a simult-connect race leading to inconsistent fallback
status:
WARNING: CPU: 3 PID: 33 at net/mptcp/subflow.c:1515 subflow_data_ready+0x40b/0x7c0 net/mptcp/subflow.c:1515
Modules linked in:
CPU: 3 UID: 0 PID: 33 Comm: ksoftirqd/3 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:subflow_data_ready+0x40b/0x7c0 net/mptcp/subflow.c:1515
Code: 89 ee e8 78 61 3c f6 40 84 ed 75 21 e8 8e 66 3c f6 44 89 fe bf 07 00 00 00 e8 c1 61 3c f6 41 83 ff 07 74 09 e8 76 66 3c f6 90 <0f> 0b 90 e8 6d 66 3c f6 48 89 df e8 e5 ad ff ff 31 ff 89 c5 89 c6
RSP: 0018:ffffc900006cf338 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff888031acd100 RCX: ffffffff8b7f2abf
RDX: ffff88801e6ea440 RSI: ffffffff8b7f2aca RDI: 0000000000000005
RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000007
R10: 0000000000000004 R11: 0000000000002c10 R12: ffff88802ba69900
R13: 1ffff920000d9e67 R14: ffff888046f81800 R15: 0000000000000004
FS: 0000000000000000(0000) GS:ffff8880d69bc000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000560fc0ca1670 CR3: 0000000032c3a000 CR4: 0000000000352ef0
Call Trace:
<TASK>
tcp_data_queue+0x13b0/0x4f90 net/ipv4/tcp_input.c:5197
tcp_rcv_state_process+0xfdf/0x4ec0 net/ipv4/tcp_input.c:6922
tcp_v6_do_rcv+0x492/0x1740 net/ipv6/tcp_ipv6.c:1672
tcp_v6_rcv+0x2976/0x41e0 net/ipv6/tcp_ipv6.c:1918
ip6_protocol_deliver_rcu+0x188/0x1520 net/ipv6/ip6_input.c:438
ip6_input_finish+0x1e4/0x4b0 net/ipv6/ip6_input.c:489
NF_HOOK include/linux/netfilter.h:318 [inline]
NF_HOOK include/linux/netfilter.h:312 [inline]
ip6_input+0x105/0x2f0 net/ipv6/ip6_input.c:500
dst_input include/net/dst.h:471 [inline]
ip6_rcv_finish net/ipv6/ip6_input.c:79 [inline]
NF_HOOK include/linux/netfilter.h:318 [inline]
NF_HOOK include/linux/netfilter.h:312 [inline]
ipv6_rcv+0x264/0x650 net/ipv6/ip6_input.c:311
__netif_receive_skb_one_core+0x12d/0x1e0 net/core/dev.c:5979
__netif_receive_skb+0x1d/0x160 net/core/dev.c:6092
process_backlog+0x442/0x15e0 net/core/dev.c:6444
__napi_poll.constprop.0+0xba/0x550 net/core/dev.c:7494
napi_poll net/core/dev.c:7557 [inline]
net_rx_action+0xa9f/0xfe0 net/core/dev.c:7684
handle_softirqs+0x216/0x8e0 kernel/softirq.c:579
run_ksoftirqd kernel/softirq.c:968 [inline]
run_ksoftirqd+0x3a/0x60 kernel/softirq.c:960
smpboot_thread_fn+0x3f7/0xae0 kernel/smpboot.c:160
kthread+0x3c2/0x780 kernel/kthread.c:463
ret_from_fork+0x5d7/0x6f0 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
The TCP subflow can process the simult-connect syn-ack packet after
transitioning to TCP_FIN1 state, bypassing the MPTCP fallback check,
as the sk_state_change() callback is not invoked for * -> FIN_WAIT1
transitions.
That will move the msk socket to an inconsistent status and the next
incoming data will hit the reported splat.
Close the race moving the simult-fallback check at the earliest possible
stage - that is at syn-ack generation time.
About the fixes tags: [2] was supposed to also fix this issue introduced
by [3]. [1] is required as a dependence: it was not explicitly marked as
a fix, but it is one and it has already been backported before [3]. In
other words, this commit should be backported up to [3], including [2]
and [1] if that's not already there.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mptcp/options.c",
"net/mptcp/protocol.h",
"net/mptcp/subflow.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b5f46a08269265e2f5e87d855287d6d22de0a32b",
"status": "affected",
"version": "01b7822700f2256900089e00390e119e1ad545df",
"versionType": "git"
},
{
"lessThan": "c9bf315228287653522894df9d851e9b43db9516",
"status": "affected",
"version": "1e777f39b4d75e599a3aac8e0f67d739474f198c",
"versionType": "git"
},
{
"lessThan": "79f80a7a47849ef1b3c25a0bedcc448b9cb551c1",
"status": "affected",
"version": "1e777f39b4d75e599a3aac8e0f67d739474f198c",
"versionType": "git"
},
{
"lessThan": "25f1ae942c097b7ae4ce5c2b9c6fefb8e3672b86",
"status": "affected",
"version": "1e777f39b4d75e599a3aac8e0f67d739474f198c",
"versionType": "git"
},
{
"lessThan": "71154bbe49423128c1c8577b6576de1ed6836830",
"status": "affected",
"version": "1e777f39b4d75e599a3aac8e0f67d739474f198c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mptcp/options.c",
"net/mptcp/protocol.h",
"net/mptcp/subflow.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.65",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "6.1.110",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.65",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fallback earlier on simult connection\n\nSyzkaller reports a simult-connect race leading to inconsistent fallback\nstatus:\n\n WARNING: CPU: 3 PID: 33 at net/mptcp/subflow.c:1515 subflow_data_ready+0x40b/0x7c0 net/mptcp/subflow.c:1515\n Modules linked in:\n CPU: 3 UID: 0 PID: 33 Comm: ksoftirqd/3 Not tainted syzkaller #0 PREEMPT(full)\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\n RIP: 0010:subflow_data_ready+0x40b/0x7c0 net/mptcp/subflow.c:1515\n Code: 89 ee e8 78 61 3c f6 40 84 ed 75 21 e8 8e 66 3c f6 44 89 fe bf 07 00 00 00 e8 c1 61 3c f6 41 83 ff 07 74 09 e8 76 66 3c f6 90 \u003c0f\u003e 0b 90 e8 6d 66 3c f6 48 89 df e8 e5 ad ff ff 31 ff 89 c5 89 c6\n RSP: 0018:ffffc900006cf338 EFLAGS: 00010246\n RAX: 0000000000000000 RBX: ffff888031acd100 RCX: ffffffff8b7f2abf\n RDX: ffff88801e6ea440 RSI: ffffffff8b7f2aca RDI: 0000000000000005\n RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000007\n R10: 0000000000000004 R11: 0000000000002c10 R12: ffff88802ba69900\n R13: 1ffff920000d9e67 R14: ffff888046f81800 R15: 0000000000000004\n FS: 0000000000000000(0000) GS:ffff8880d69bc000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000560fc0ca1670 CR3: 0000000032c3a000 CR4: 0000000000352ef0\n Call Trace:\n \u003cTASK\u003e\n tcp_data_queue+0x13b0/0x4f90 net/ipv4/tcp_input.c:5197\n tcp_rcv_state_process+0xfdf/0x4ec0 net/ipv4/tcp_input.c:6922\n tcp_v6_do_rcv+0x492/0x1740 net/ipv6/tcp_ipv6.c:1672\n tcp_v6_rcv+0x2976/0x41e0 net/ipv6/tcp_ipv6.c:1918\n ip6_protocol_deliver_rcu+0x188/0x1520 net/ipv6/ip6_input.c:438\n ip6_input_finish+0x1e4/0x4b0 net/ipv6/ip6_input.c:489\n NF_HOOK include/linux/netfilter.h:318 [inline]\n NF_HOOK include/linux/netfilter.h:312 [inline]\n ip6_input+0x105/0x2f0 net/ipv6/ip6_input.c:500\n dst_input include/net/dst.h:471 [inline]\n ip6_rcv_finish net/ipv6/ip6_input.c:79 [inline]\n NF_HOOK include/linux/netfilter.h:318 [inline]\n NF_HOOK include/linux/netfilter.h:312 [inline]\n ipv6_rcv+0x264/0x650 net/ipv6/ip6_input.c:311\n __netif_receive_skb_one_core+0x12d/0x1e0 net/core/dev.c:5979\n __netif_receive_skb+0x1d/0x160 net/core/dev.c:6092\n process_backlog+0x442/0x15e0 net/core/dev.c:6444\n __napi_poll.constprop.0+0xba/0x550 net/core/dev.c:7494\n napi_poll net/core/dev.c:7557 [inline]\n net_rx_action+0xa9f/0xfe0 net/core/dev.c:7684\n handle_softirqs+0x216/0x8e0 kernel/softirq.c:579\n run_ksoftirqd kernel/softirq.c:968 [inline]\n run_ksoftirqd+0x3a/0x60 kernel/softirq.c:960\n smpboot_thread_fn+0x3f7/0xae0 kernel/smpboot.c:160\n kthread+0x3c2/0x780 kernel/kthread.c:463\n ret_from_fork+0x5d7/0x6f0 arch/x86/kernel/process.c:148\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\n \u003c/TASK\u003e\n\nThe TCP subflow can process the simult-connect syn-ack packet after\ntransitioning to TCP_FIN1 state, bypassing the MPTCP fallback check,\nas the sk_state_change() callback is not invoked for * -\u003e FIN_WAIT1\ntransitions.\n\nThat will move the msk socket to an inconsistent status and the next\nincoming data will hit the reported splat.\n\nClose the race moving the simult-fallback check at the earliest possible\nstage - that is at syn-ack generation time.\n\nAbout the fixes tags: [2] was supposed to also fix this issue introduced\nby [3]. [1] is required as a dependence: it was not explicitly marked as\na fix, but it is one and it has already been backported before [3]. In\nother words, this commit should be backported up to [3], including [2]\nand [1] if that\u0027s not already there."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:39.891Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b5f46a08269265e2f5e87d855287d6d22de0a32b"
},
{
"url": "https://git.kernel.org/stable/c/c9bf315228287653522894df9d851e9b43db9516"
},
{
"url": "https://git.kernel.org/stable/c/79f80a7a47849ef1b3c25a0bedcc448b9cb551c1"
},
{
"url": "https://git.kernel.org/stable/c/25f1ae942c097b7ae4ce5c2b9c6fefb8e3672b86"
},
{
"url": "https://git.kernel.org/stable/c/71154bbe49423128c1c8577b6576de1ed6836830"
}
],
"title": "mptcp: fallback earlier on simult connection",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71088",
"datePublished": "2026-01-13T15:34:50.377Z",
"dateReserved": "2026-01-13T15:30:19.649Z",
"dateUpdated": "2026-02-09T08:34:39.891Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68204 (GCVE-0-2025-68204)
Vulnerability from cvelistv5
Published
2025-12-16 13:48
Modified
2025-12-16 13:48
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
pmdomain: arm: scmi: Fix genpd leak on provider registration failure
If of_genpd_add_provider_onecell() fails during probe, the previously
created generic power domains are not removed, leading to a memory leak
and potential kernel crash later in genpd_debug_add().
Add proper error handling to unwind the initialized domains before
returning from probe to ensure all resources are correctly released on
failure.
Example crash trace observed without this fix:
| Unable to handle kernel paging request at virtual address fffffffffffffc70
| CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.18.0-rc1 #405 PREEMPT
| Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform
| pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
| pc : genpd_debug_add+0x2c/0x160
| lr : genpd_debug_init+0x74/0x98
| Call trace:
| genpd_debug_add+0x2c/0x160 (P)
| genpd_debug_init+0x74/0x98
| do_one_initcall+0xd0/0x2d8
| do_initcall_level+0xa0/0x140
| do_initcalls+0x60/0xa8
| do_basic_setup+0x28/0x40
| kernel_init_freeable+0xe8/0x170
| kernel_init+0x2c/0x140
| ret_from_fork+0x10/0x20
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 898216c97ed2ebfffda659ce12388da43534de6c Version: 898216c97ed2ebfffda659ce12388da43534de6c Version: 898216c97ed2ebfffda659ce12388da43534de6c Version: 898216c97ed2ebfffda659ce12388da43534de6c Version: 898216c97ed2ebfffda659ce12388da43534de6c Version: 898216c97ed2ebfffda659ce12388da43534de6c Version: 898216c97ed2ebfffda659ce12388da43534de6c Version: 898216c97ed2ebfffda659ce12388da43534de6c |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pmdomain/arm/scmi_pm_domain.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "18249a167ffd91b4b4fbd92afd4ddcbf3af81f35",
"status": "affected",
"version": "898216c97ed2ebfffda659ce12388da43534de6c",
"versionType": "git"
},
{
"lessThan": "c6e11d320fd6cbaef6d589f2fcb45aa25a6b960a",
"status": "affected",
"version": "898216c97ed2ebfffda659ce12388da43534de6c",
"versionType": "git"
},
{
"lessThan": "582f48d22eb5676fe7be3589b986ddd29f7bf4d1",
"status": "affected",
"version": "898216c97ed2ebfffda659ce12388da43534de6c",
"versionType": "git"
},
{
"lessThan": "7f569197f7ad09319af960bd7e43109de5c67c04",
"status": "affected",
"version": "898216c97ed2ebfffda659ce12388da43534de6c",
"versionType": "git"
},
{
"lessThan": "ad120c08b89a81d41d091490bbe150343473b659",
"status": "affected",
"version": "898216c97ed2ebfffda659ce12388da43534de6c",
"versionType": "git"
},
{
"lessThan": "921b090841ae7a08b19ab14495bdf8636dc31e21",
"status": "affected",
"version": "898216c97ed2ebfffda659ce12388da43534de6c",
"versionType": "git"
},
{
"lessThan": "983e91da82ec3e331600108f9be3ea61236f5c75",
"status": "affected",
"version": "898216c97ed2ebfffda659ce12388da43534de6c",
"versionType": "git"
},
{
"lessThan": "7458f72cc28f9eb0de811effcb5376d0ec19094a",
"status": "affected",
"version": "898216c97ed2ebfffda659ce12388da43534de6c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pmdomain/arm/scmi_pm_domain.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npmdomain: arm: scmi: Fix genpd leak on provider registration failure\n\nIf of_genpd_add_provider_onecell() fails during probe, the previously\ncreated generic power domains are not removed, leading to a memory leak\nand potential kernel crash later in genpd_debug_add().\n\nAdd proper error handling to unwind the initialized domains before\nreturning from probe to ensure all resources are correctly released on\nfailure.\n\nExample crash trace observed without this fix:\n\n | Unable to handle kernel paging request at virtual address fffffffffffffc70\n | CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.18.0-rc1 #405 PREEMPT\n | Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform\n | pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n | pc : genpd_debug_add+0x2c/0x160\n | lr : genpd_debug_init+0x74/0x98\n | Call trace:\n | genpd_debug_add+0x2c/0x160 (P)\n | genpd_debug_init+0x74/0x98\n | do_one_initcall+0xd0/0x2d8\n | do_initcall_level+0xa0/0x140\n | do_initcalls+0x60/0xa8\n | do_basic_setup+0x28/0x40\n | kernel_init_freeable+0xe8/0x170\n | kernel_init+0x2c/0x140\n | ret_from_fork+0x10/0x20"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T13:48:31.850Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/18249a167ffd91b4b4fbd92afd4ddcbf3af81f35"
},
{
"url": "https://git.kernel.org/stable/c/c6e11d320fd6cbaef6d589f2fcb45aa25a6b960a"
},
{
"url": "https://git.kernel.org/stable/c/582f48d22eb5676fe7be3589b986ddd29f7bf4d1"
},
{
"url": "https://git.kernel.org/stable/c/7f569197f7ad09319af960bd7e43109de5c67c04"
},
{
"url": "https://git.kernel.org/stable/c/ad120c08b89a81d41d091490bbe150343473b659"
},
{
"url": "https://git.kernel.org/stable/c/921b090841ae7a08b19ab14495bdf8636dc31e21"
},
{
"url": "https://git.kernel.org/stable/c/983e91da82ec3e331600108f9be3ea61236f5c75"
},
{
"url": "https://git.kernel.org/stable/c/7458f72cc28f9eb0de811effcb5376d0ec19094a"
}
],
"title": "pmdomain: arm: scmi: Fix genpd leak on provider registration failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68204",
"datePublished": "2025-12-16T13:48:31.850Z",
"dateReserved": "2025-12-16T13:41:40.255Z",
"dateUpdated": "2025-12-16T13:48:31.850Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40121 (GCVE-0-2025-40121)
Vulnerability from cvelistv5
Published
2025-11-12 10:23
Modified
2025-12-01 06:18
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping
When an invalid value is passed via quirk option, currently
bytcr_rt5640 driver just ignores and leaves as is, which may lead to
unepxected results like OOB access.
This patch adds the sanity check and corrects the input mapping to the
certain default value if an invalid value is passed.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 64484ccee7af53f08cca2ee3853cb8e18914d8b2 Version: 64484ccee7af53f08cca2ee3853cb8e18914d8b2 Version: 64484ccee7af53f08cca2ee3853cb8e18914d8b2 Version: 64484ccee7af53f08cca2ee3853cb8e18914d8b2 Version: 64484ccee7af53f08cca2ee3853cb8e18914d8b2 Version: 64484ccee7af53f08cca2ee3853cb8e18914d8b2 Version: 64484ccee7af53f08cca2ee3853cb8e18914d8b2 Version: 64484ccee7af53f08cca2ee3853cb8e18914d8b2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/intel/boards/bytcr_rt5651.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bff827b0d507e52b23efab9f67c232a4f037ab2c",
"status": "affected",
"version": "64484ccee7af53f08cca2ee3853cb8e18914d8b2",
"versionType": "git"
},
{
"lessThan": "64a36a7032082b4c330ce081acb6efb99246020e",
"status": "affected",
"version": "64484ccee7af53f08cca2ee3853cb8e18914d8b2",
"versionType": "git"
},
{
"lessThan": "95e29db33b5f73218ae08ebb48c61c9a8d28e2ff",
"status": "affected",
"version": "64484ccee7af53f08cca2ee3853cb8e18914d8b2",
"versionType": "git"
},
{
"lessThan": "2204e582b4eea872e1e7a5c90edcb84b928c68b0",
"status": "affected",
"version": "64484ccee7af53f08cca2ee3853cb8e18914d8b2",
"versionType": "git"
},
{
"lessThan": "f197894de2f4ef46c7d53827d9df294b75c35e13",
"status": "affected",
"version": "64484ccee7af53f08cca2ee3853cb8e18914d8b2",
"versionType": "git"
},
{
"lessThan": "fdf99978a6480e14405212472b6c747e0fa43bed",
"status": "affected",
"version": "64484ccee7af53f08cca2ee3853cb8e18914d8b2",
"versionType": "git"
},
{
"lessThan": "c60f269c123210a6846d6d1367de0eaa402c10b0",
"status": "affected",
"version": "64484ccee7af53f08cca2ee3853cb8e18914d8b2",
"versionType": "git"
},
{
"lessThan": "4336efb59ef364e691ef829a73d9dbd4d5ed7c7b",
"status": "affected",
"version": "64484ccee7af53f08cca2ee3853cb8e18914d8b2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/intel/boards/bytcr_rt5651.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"lessThan": "4.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping\n\nWhen an invalid value is passed via quirk option, currently\nbytcr_rt5640 driver just ignores and leaves as is, which may lead to\nunepxected results like OOB access.\n\nThis patch adds the sanity check and corrects the input mapping to the\ncertain default value if an invalid value is passed."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:18:25.946Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bff827b0d507e52b23efab9f67c232a4f037ab2c"
},
{
"url": "https://git.kernel.org/stable/c/64a36a7032082b4c330ce081acb6efb99246020e"
},
{
"url": "https://git.kernel.org/stable/c/95e29db33b5f73218ae08ebb48c61c9a8d28e2ff"
},
{
"url": "https://git.kernel.org/stable/c/2204e582b4eea872e1e7a5c90edcb84b928c68b0"
},
{
"url": "https://git.kernel.org/stable/c/f197894de2f4ef46c7d53827d9df294b75c35e13"
},
{
"url": "https://git.kernel.org/stable/c/fdf99978a6480e14405212472b6c747e0fa43bed"
},
{
"url": "https://git.kernel.org/stable/c/c60f269c123210a6846d6d1367de0eaa402c10b0"
},
{
"url": "https://git.kernel.org/stable/c/4336efb59ef364e691ef829a73d9dbd4d5ed7c7b"
}
],
"title": "ASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40121",
"datePublished": "2025-11-12T10:23:19.000Z",
"dateReserved": "2025-04-16T07:20:57.169Z",
"dateUpdated": "2025-12-01T06:18:25.946Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40262 (GCVE-0-2025-40262)
Vulnerability from cvelistv5
Published
2025-12-04 16:08
Modified
2025-12-06 21:39
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Input: imx_sc_key - fix memory corruption on unload
This is supposed to be "priv" but we accidentally pass "&priv" which is
an address in the stack and so it will lead to memory corruption when
the imx_sc_key_action() function is called. Remove the &.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 768062fd1284529212daffd360314e9aa93abb62 Version: 768062fd1284529212daffd360314e9aa93abb62 Version: 768062fd1284529212daffd360314e9aa93abb62 Version: 768062fd1284529212daffd360314e9aa93abb62 Version: 768062fd1284529212daffd360314e9aa93abb62 Version: 768062fd1284529212daffd360314e9aa93abb62 Version: 768062fd1284529212daffd360314e9aa93abb62 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/input/keyboard/imx_sc_key.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3e96803b169dc948847f0fc2bae729a80914eb7b",
"status": "affected",
"version": "768062fd1284529212daffd360314e9aa93abb62",
"versionType": "git"
},
{
"lessThan": "4ce5218b101205b3425099fe3df88a61b58f9cc2",
"status": "affected",
"version": "768062fd1284529212daffd360314e9aa93abb62",
"versionType": "git"
},
{
"lessThan": "a155292c3ce722036014da5477ee0e4c87b5e6b3",
"status": "affected",
"version": "768062fd1284529212daffd360314e9aa93abb62",
"versionType": "git"
},
{
"lessThan": "ca9a08de9b294422376f47ade323d69590dbc6f2",
"status": "affected",
"version": "768062fd1284529212daffd360314e9aa93abb62",
"versionType": "git"
},
{
"lessThan": "56881294915a6e866d31a46f9bcb5e19167cfbaa",
"status": "affected",
"version": "768062fd1284529212daffd360314e9aa93abb62",
"versionType": "git"
},
{
"lessThan": "6524a15d33951b18ac408ebbcb9c16e14e21c336",
"status": "affected",
"version": "768062fd1284529212daffd360314e9aa93abb62",
"versionType": "git"
},
{
"lessThan": "d83f1512758f4ef6fc5e83219fe7eeeb6b428ea4",
"status": "affected",
"version": "768062fd1284529212daffd360314e9aa93abb62",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/input/keyboard/imx_sc_key.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: imx_sc_key - fix memory corruption on unload\n\nThis is supposed to be \"priv\" but we accidentally pass \"\u0026priv\" which is\nan address in the stack and so it will lead to memory corruption when\nthe imx_sc_key_action() function is called. Remove the \u0026."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T21:39:03.159Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3e96803b169dc948847f0fc2bae729a80914eb7b"
},
{
"url": "https://git.kernel.org/stable/c/4ce5218b101205b3425099fe3df88a61b58f9cc2"
},
{
"url": "https://git.kernel.org/stable/c/a155292c3ce722036014da5477ee0e4c87b5e6b3"
},
{
"url": "https://git.kernel.org/stable/c/ca9a08de9b294422376f47ade323d69590dbc6f2"
},
{
"url": "https://git.kernel.org/stable/c/56881294915a6e866d31a46f9bcb5e19167cfbaa"
},
{
"url": "https://git.kernel.org/stable/c/6524a15d33951b18ac408ebbcb9c16e14e21c336"
},
{
"url": "https://git.kernel.org/stable/c/d83f1512758f4ef6fc5e83219fe7eeeb6b428ea4"
}
],
"title": "Input: imx_sc_key - fix memory corruption on unload",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40262",
"datePublished": "2025-12-04T16:08:22.043Z",
"dateReserved": "2025-04-16T07:20:57.182Z",
"dateUpdated": "2025-12-06T21:39:03.159Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68194 (GCVE-0-2025-68194)
Vulnerability from cvelistv5
Published
2025-12-16 13:43
Modified
2026-01-02 15:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: imon: make send_packet() more robust
syzbot is reporting that imon has three problems which result in
hung tasks due to forever holding device lock [1].
First problem is that when usb_rx_callback_intf0() once got -EPROTO error
after ictx->dev_present_intf0 became true, usb_rx_callback_intf0()
resubmits urb after printk(), and resubmitted urb causes
usb_rx_callback_intf0() to again get -EPROTO error. This results in
printk() flooding (RCU stalls).
Alan Stern commented [2] that
In theory it's okay to resubmit _if_ the driver has a robust
error-recovery scheme (such as giving up after some fixed limit on the
number of errors or after some fixed time has elapsed, perhaps with a
time delay to prevent a flood of errors). Most drivers don't bother to
do this; they simply give up right away. This makes them more
vulnerable to short-term noise interference during USB transfers, but in
reality such interference is quite rare. There's nothing really wrong
with giving up right away.
but imon has a poor error-recovery scheme which just retries forever;
this behavior should be fixed.
Since I'm not sure whether it is safe for imon users to give up upon any
error code, this patch takes care of only union of error codes chosen from
modules in drivers/media/rc/ directory which handle -EPROTO error (i.e.
ir_toy, mceusb and igorplugusb).
Second problem is that when usb_rx_callback_intf0() once got -EPROTO error
before ictx->dev_present_intf0 becomes true, usb_rx_callback_intf0() always
resubmits urb due to commit 8791d63af0cf ("[media] imon: don't wedge
hardware after early callbacks"). Move the ictx->dev_present_intf0 test
introduced by commit 6f6b90c9231a ("[media] imon: don't parse scancodes
until intf configured") to immediately before imon_incoming_packet(), or
the first problem explained above happens without printk() flooding (i.e.
hung task).
Third problem is that when usb_rx_callback_intf0() is not called for some
reason (e.g. flaky hardware; the reproducer for this problem sometimes
prevents usb_rx_callback_intf0() from being called),
wait_for_completion_interruptible() in send_packet() never returns (i.e.
hung task). As a workaround for such situation, change send_packet() to
wait for completion with timeout of 10 seconds.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 21677cfc562a27e099719d413287bc8d1d24deb7 Version: 21677cfc562a27e099719d413287bc8d1d24deb7 Version: 21677cfc562a27e099719d413287bc8d1d24deb7 Version: 21677cfc562a27e099719d413287bc8d1d24deb7 Version: 21677cfc562a27e099719d413287bc8d1d24deb7 Version: 21677cfc562a27e099719d413287bc8d1d24deb7 Version: 21677cfc562a27e099719d413287bc8d1d24deb7 Version: 21677cfc562a27e099719d413287bc8d1d24deb7 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/rc/imon.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "519737af11c03590819a6eec2ad532cfdb87ea63",
"status": "affected",
"version": "21677cfc562a27e099719d413287bc8d1d24deb7",
"versionType": "git"
},
{
"lessThan": "f58ab83b7b7133e6baefe03a46846c4f6ce45e2f",
"status": "affected",
"version": "21677cfc562a27e099719d413287bc8d1d24deb7",
"versionType": "git"
},
{
"lessThan": "26f6a1dd5d81ad61a875a747698da6f27abf389b",
"status": "affected",
"version": "21677cfc562a27e099719d413287bc8d1d24deb7",
"versionType": "git"
},
{
"lessThan": "667afd4681781f60a644cd0d2ee6c59cb1c36208",
"status": "affected",
"version": "21677cfc562a27e099719d413287bc8d1d24deb7",
"versionType": "git"
},
{
"lessThan": "8231e80118463be5598daaf266c1c83650f1948b",
"status": "affected",
"version": "21677cfc562a27e099719d413287bc8d1d24deb7",
"versionType": "git"
},
{
"lessThan": "0213e4175abbb9dfcbf7c197e3817d527f459ad5",
"status": "affected",
"version": "21677cfc562a27e099719d413287bc8d1d24deb7",
"versionType": "git"
},
{
"lessThan": "f7f3ecb4934fff782fa9bb1cd16e2290c041b22d",
"status": "affected",
"version": "21677cfc562a27e099719d413287bc8d1d24deb7",
"versionType": "git"
},
{
"lessThan": "eecd203ada43a4693ce6fdd3a58ae10c7819252c",
"status": "affected",
"version": "21677cfc562a27e099719d413287bc8d1d24deb7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/rc/imon.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.35"
},
{
"lessThan": "2.6.35",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.35",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: imon: make send_packet() more robust\n\nsyzbot is reporting that imon has three problems which result in\nhung tasks due to forever holding device lock [1].\n\nFirst problem is that when usb_rx_callback_intf0() once got -EPROTO error\nafter ictx-\u003edev_present_intf0 became true, usb_rx_callback_intf0()\nresubmits urb after printk(), and resubmitted urb causes\nusb_rx_callback_intf0() to again get -EPROTO error. This results in\nprintk() flooding (RCU stalls).\n\nAlan Stern commented [2] that\n\n In theory it\u0027s okay to resubmit _if_ the driver has a robust\n error-recovery scheme (such as giving up after some fixed limit on the\n number of errors or after some fixed time has elapsed, perhaps with a\n time delay to prevent a flood of errors). Most drivers don\u0027t bother to\n do this; they simply give up right away. This makes them more\n vulnerable to short-term noise interference during USB transfers, but in\n reality such interference is quite rare. There\u0027s nothing really wrong\n with giving up right away.\n\nbut imon has a poor error-recovery scheme which just retries forever;\nthis behavior should be fixed.\n\nSince I\u0027m not sure whether it is safe for imon users to give up upon any\nerror code, this patch takes care of only union of error codes chosen from\nmodules in drivers/media/rc/ directory which handle -EPROTO error (i.e.\nir_toy, mceusb and igorplugusb).\n\nSecond problem is that when usb_rx_callback_intf0() once got -EPROTO error\nbefore ictx-\u003edev_present_intf0 becomes true, usb_rx_callback_intf0() always\nresubmits urb due to commit 8791d63af0cf (\"[media] imon: don\u0027t wedge\nhardware after early callbacks\"). Move the ictx-\u003edev_present_intf0 test\nintroduced by commit 6f6b90c9231a (\"[media] imon: don\u0027t parse scancodes\nuntil intf configured\") to immediately before imon_incoming_packet(), or\nthe first problem explained above happens without printk() flooding (i.e.\nhung task).\n\nThird problem is that when usb_rx_callback_intf0() is not called for some\nreason (e.g. flaky hardware; the reproducer for this problem sometimes\nprevents usb_rx_callback_intf0() from being called),\nwait_for_completion_interruptible() in send_packet() never returns (i.e.\nhung task). As a workaround for such situation, change send_packet() to\nwait for completion with timeout of 10 seconds."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:34:22.965Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/519737af11c03590819a6eec2ad532cfdb87ea63"
},
{
"url": "https://git.kernel.org/stable/c/f58ab83b7b7133e6baefe03a46846c4f6ce45e2f"
},
{
"url": "https://git.kernel.org/stable/c/26f6a1dd5d81ad61a875a747698da6f27abf389b"
},
{
"url": "https://git.kernel.org/stable/c/667afd4681781f60a644cd0d2ee6c59cb1c36208"
},
{
"url": "https://git.kernel.org/stable/c/8231e80118463be5598daaf266c1c83650f1948b"
},
{
"url": "https://git.kernel.org/stable/c/0213e4175abbb9dfcbf7c197e3817d527f459ad5"
},
{
"url": "https://git.kernel.org/stable/c/f7f3ecb4934fff782fa9bb1cd16e2290c041b22d"
},
{
"url": "https://git.kernel.org/stable/c/eecd203ada43a4693ce6fdd3a58ae10c7819252c"
}
],
"title": "media: imon: make send_packet() more robust",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68194",
"datePublished": "2025-12-16T13:43:20.525Z",
"dateReserved": "2025-12-16T13:41:40.253Z",
"dateUpdated": "2026-01-02T15:34:22.965Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68771 (GCVE-0-2025-68771)
Vulnerability from cvelistv5
Published
2026-01-13 15:28
Modified
2026-02-09 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ocfs2: fix kernel BUG in ocfs2_find_victim_chain
syzbot reported a kernel BUG in ocfs2_find_victim_chain() because the
`cl_next_free_rec` field of the allocation chain list (next free slot in
the chain list) is 0, triggring the BUG_ON(!cl->cl_next_free_rec)
condition in ocfs2_find_victim_chain() and panicking the kernel.
To fix this, an if condition is introduced in ocfs2_claim_suballoc_bits(),
just before calling ocfs2_find_victim_chain(), the code block in it being
executed when either of the following conditions is true:
1. `cl_next_free_rec` is equal to 0, indicating that there are no free
chains in the allocation chain list
2. `cl_next_free_rec` is greater than `cl_count` (the total number of
chains in the allocation chain list)
Either of them being true is indicative of the fact that there are no
chains left for usage.
This is addressed using ocfs2_error(), which prints
the error log for debugging purposes, rather than panicking the kernel.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: ccd979bdbce9fba8412beb3f1de68a9d0171b12c Version: ccd979bdbce9fba8412beb3f1de68a9d0171b12c Version: ccd979bdbce9fba8412beb3f1de68a9d0171b12c Version: ccd979bdbce9fba8412beb3f1de68a9d0171b12c Version: ccd979bdbce9fba8412beb3f1de68a9d0171b12c Version: ccd979bdbce9fba8412beb3f1de68a9d0171b12c Version: ccd979bdbce9fba8412beb3f1de68a9d0171b12c |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ocfs2/suballoc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1f77e5cd563e6387fdf3bb714fcda36cd88ac5e7",
"status": "affected",
"version": "ccd979bdbce9fba8412beb3f1de68a9d0171b12c",
"versionType": "git"
},
{
"lessThan": "d0fd1f732ea8063cecd07a3879b7d815c7ee71ed",
"status": "affected",
"version": "ccd979bdbce9fba8412beb3f1de68a9d0171b12c",
"versionType": "git"
},
{
"lessThan": "b08a33d5f80efe6979a6e8f905c1a898910c21dd",
"status": "affected",
"version": "ccd979bdbce9fba8412beb3f1de68a9d0171b12c",
"versionType": "git"
},
{
"lessThan": "96f1b074c98c20f55a3b23d2ab44d9fb0f619869",
"status": "affected",
"version": "ccd979bdbce9fba8412beb3f1de68a9d0171b12c",
"versionType": "git"
},
{
"lessThan": "e24aedae71652d4119049f1fbef6532ccbe3966d",
"status": "affected",
"version": "ccd979bdbce9fba8412beb3f1de68a9d0171b12c",
"versionType": "git"
},
{
"lessThan": "7acc0390e0dd7474c4451d05465a677d55ad4268",
"status": "affected",
"version": "ccd979bdbce9fba8412beb3f1de68a9d0171b12c",
"versionType": "git"
},
{
"lessThan": "039bef30e320827bac8990c9f29d2a68cd8adb5f",
"status": "affected",
"version": "ccd979bdbce9fba8412beb3f1de68a9d0171b12c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ocfs2/suballoc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.16"
},
{
"lessThan": "2.6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix kernel BUG in ocfs2_find_victim_chain\n\nsyzbot reported a kernel BUG in ocfs2_find_victim_chain() because the\n`cl_next_free_rec` field of the allocation chain list (next free slot in\nthe chain list) is 0, triggring the BUG_ON(!cl-\u003ecl_next_free_rec)\ncondition in ocfs2_find_victim_chain() and panicking the kernel.\n\nTo fix this, an if condition is introduced in ocfs2_claim_suballoc_bits(),\njust before calling ocfs2_find_victim_chain(), the code block in it being\nexecuted when either of the following conditions is true:\n\n1. `cl_next_free_rec` is equal to 0, indicating that there are no free\nchains in the allocation chain list\n2. `cl_next_free_rec` is greater than `cl_count` (the total number of\nchains in the allocation chain list)\n\nEither of them being true is indicative of the fact that there are no\nchains left for usage.\n\nThis is addressed using ocfs2_error(), which prints\nthe error log for debugging purposes, rather than panicking the kernel."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:16.465Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1f77e5cd563e6387fdf3bb714fcda36cd88ac5e7"
},
{
"url": "https://git.kernel.org/stable/c/d0fd1f732ea8063cecd07a3879b7d815c7ee71ed"
},
{
"url": "https://git.kernel.org/stable/c/b08a33d5f80efe6979a6e8f905c1a898910c21dd"
},
{
"url": "https://git.kernel.org/stable/c/96f1b074c98c20f55a3b23d2ab44d9fb0f619869"
},
{
"url": "https://git.kernel.org/stable/c/e24aedae71652d4119049f1fbef6532ccbe3966d"
},
{
"url": "https://git.kernel.org/stable/c/7acc0390e0dd7474c4451d05465a677d55ad4268"
},
{
"url": "https://git.kernel.org/stable/c/039bef30e320827bac8990c9f29d2a68cd8adb5f"
}
],
"title": "ocfs2: fix kernel BUG in ocfs2_find_victim_chain",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68771",
"datePublished": "2026-01-13T15:28:49.272Z",
"dateReserved": "2025-12-24T10:30:51.035Z",
"dateUpdated": "2026-02-09T08:33:16.465Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23089 (GCVE-0-2026-23089)
Vulnerability from cvelistv5
Published
2026-02-04 16:08
Modified
2026-02-09 08:38
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: usb-audio: Fix use-after-free in snd_usb_mixer_free()
When snd_usb_create_mixer() fails, snd_usb_mixer_free() frees
mixer->id_elems but the controls already added to the card still
reference the freed memory. Later when snd_card_register() runs,
the OSS mixer layer calls their callbacks and hits a use-after-free read.
Call trace:
get_ctl_value+0x63f/0x820 sound/usb/mixer.c:411
get_min_max_with_quirks.isra.0+0x240/0x1f40 sound/usb/mixer.c:1241
mixer_ctl_feature_info+0x26b/0x490 sound/usb/mixer.c:1381
snd_mixer_oss_build_test+0x174/0x3a0 sound/core/oss/mixer_oss.c:887
...
snd_card_register+0x4ed/0x6d0 sound/core/init.c:923
usb_audio_probe+0x5ef/0x2a90 sound/usb/card.c:1025
Fix by calling snd_ctl_remove() for all mixer controls before freeing
id_elems. We save the next pointer first because snd_ctl_remove()
frees the current element.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 6639b6c2367f884ca172b78d69f7da17bfab2e5e Version: 6639b6c2367f884ca172b78d69f7da17bfab2e5e Version: 6639b6c2367f884ca172b78d69f7da17bfab2e5e Version: 6639b6c2367f884ca172b78d69f7da17bfab2e5e Version: 6639b6c2367f884ca172b78d69f7da17bfab2e5e Version: 6639b6c2367f884ca172b78d69f7da17bfab2e5e Version: 6639b6c2367f884ca172b78d69f7da17bfab2e5e |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/usb/mixer.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "51b1aa6fe7dc87356ba58df06afb9677c9b841ea",
"status": "affected",
"version": "6639b6c2367f884ca172b78d69f7da17bfab2e5e",
"versionType": "git"
},
{
"lessThan": "56fb6efd5d04caf6f14994d51ec85393b9a896c6",
"status": "affected",
"version": "6639b6c2367f884ca172b78d69f7da17bfab2e5e",
"versionType": "git"
},
{
"lessThan": "7009daeefa945973a530b2f605fe445fc03747af",
"status": "affected",
"version": "6639b6c2367f884ca172b78d69f7da17bfab2e5e",
"versionType": "git"
},
{
"lessThan": "7bff0156d13f0ad9436e5178b979b063d59f572a",
"status": "affected",
"version": "6639b6c2367f884ca172b78d69f7da17bfab2e5e",
"versionType": "git"
},
{
"lessThan": "e6f103a22b08daf5df2f4aa158081840e5910963",
"status": "affected",
"version": "6639b6c2367f884ca172b78d69f7da17bfab2e5e",
"versionType": "git"
},
{
"lessThan": "dc1a5dd80af1ee1f29d8375b12dd7625f6294dad",
"status": "affected",
"version": "6639b6c2367f884ca172b78d69f7da17bfab2e5e",
"versionType": "git"
},
{
"lessThan": "930e69757b74c3ae083b0c3c7419bfe7f0edc7b2",
"status": "affected",
"version": "6639b6c2367f884ca172b78d69f7da17bfab2e5e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/usb/mixer.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.13"
},
{
"lessThan": "2.6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "2.6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "2.6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "2.6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "2.6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "2.6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "2.6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Fix use-after-free in snd_usb_mixer_free()\n\nWhen snd_usb_create_mixer() fails, snd_usb_mixer_free() frees\nmixer-\u003eid_elems but the controls already added to the card still\nreference the freed memory. Later when snd_card_register() runs,\nthe OSS mixer layer calls their callbacks and hits a use-after-free read.\n\nCall trace:\n get_ctl_value+0x63f/0x820 sound/usb/mixer.c:411\n get_min_max_with_quirks.isra.0+0x240/0x1f40 sound/usb/mixer.c:1241\n mixer_ctl_feature_info+0x26b/0x490 sound/usb/mixer.c:1381\n snd_mixer_oss_build_test+0x174/0x3a0 sound/core/oss/mixer_oss.c:887\n ...\n snd_card_register+0x4ed/0x6d0 sound/core/init.c:923\n usb_audio_probe+0x5ef/0x2a90 sound/usb/card.c:1025\n\nFix by calling snd_ctl_remove() for all mixer controls before freeing\nid_elems. We save the next pointer first because snd_ctl_remove()\nfrees the current element."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:38:29.364Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/51b1aa6fe7dc87356ba58df06afb9677c9b841ea"
},
{
"url": "https://git.kernel.org/stable/c/56fb6efd5d04caf6f14994d51ec85393b9a896c6"
},
{
"url": "https://git.kernel.org/stable/c/7009daeefa945973a530b2f605fe445fc03747af"
},
{
"url": "https://git.kernel.org/stable/c/7bff0156d13f0ad9436e5178b979b063d59f572a"
},
{
"url": "https://git.kernel.org/stable/c/e6f103a22b08daf5df2f4aa158081840e5910963"
},
{
"url": "https://git.kernel.org/stable/c/dc1a5dd80af1ee1f29d8375b12dd7625f6294dad"
},
{
"url": "https://git.kernel.org/stable/c/930e69757b74c3ae083b0c3c7419bfe7f0edc7b2"
}
],
"title": "ALSA: usb-audio: Fix use-after-free in snd_usb_mixer_free()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23089",
"datePublished": "2026-02-04T16:08:12.575Z",
"dateReserved": "2026-01-13T15:37:45.962Z",
"dateUpdated": "2026-02-09T08:38:29.364Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68820 (GCVE-0-2025-68820)
Vulnerability from cvelistv5
Published
2026-01-13 15:29
Modified
2026-02-09 08:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: xattr: fix null pointer deref in ext4_raw_inode()
If ext4_get_inode_loc() fails (e.g. if it returns -EFSCORRUPTED),
iloc.bh will remain set to NULL. Since ext4_xattr_inode_dec_ref_all()
lacks error checking, this will lead to a null pointer dereference
in ext4_raw_inode(), called right after ext4_get_inode_loc().
Found by Linux Verification Center (linuxtesting.org) with SVACE.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 76c365fa7e2a8bb85f0190cdb4b8cdc99b2fdce3 Version: f737418b6de31c962c7192777ee4018906975383 Version: cf9291a3449b04688b81e32621e88de8f4314b54 Version: 362a90cecd36e8a5c415966d0b75b04a0270e4dd Version: eb59cc31b6ea076021d14b04e7faab1636b87d0e Version: c8e008b60492cf6fd31ef127aea6d02fd3d314cd Version: c8e008b60492cf6fd31ef127aea6d02fd3d314cd Version: 6aff941cb0f7d0c897c3698ad2e30672709135e3 Version: 3bc6317033f365ce578eb6039445fb66162722fd Version: 836e625b03a666cf93ff5be328c8cb30336db872 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/xattr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b72a3476f0c97d02f63a6e9fff127348d55436f6",
"status": "affected",
"version": "76c365fa7e2a8bb85f0190cdb4b8cdc99b2fdce3",
"versionType": "git"
},
{
"lessThan": "3d8d22e75f7edfa0b30ff27330fd6a1285d594c3",
"status": "affected",
"version": "f737418b6de31c962c7192777ee4018906975383",
"versionType": "git"
},
{
"lessThan": "190ad0f22ba49f1101182b80e3af50ca2ddfe72f",
"status": "affected",
"version": "cf9291a3449b04688b81e32621e88de8f4314b54",
"versionType": "git"
},
{
"lessThan": "b5d942922182e82724b7152cb998f540132885ec",
"status": "affected",
"version": "362a90cecd36e8a5c415966d0b75b04a0270e4dd",
"versionType": "git"
},
{
"lessThan": "5b154e901fda2e98570b8f426a481f5740097dc2",
"status": "affected",
"version": "eb59cc31b6ea076021d14b04e7faab1636b87d0e",
"versionType": "git"
},
{
"lessThan": "ce5f54c065a4a7cbb92787f4f140917112350142",
"status": "affected",
"version": "c8e008b60492cf6fd31ef127aea6d02fd3d314cd",
"versionType": "git"
},
{
"lessThan": "b97cb7d6a051aa6ebd57906df0e26e9e36c26d14",
"status": "affected",
"version": "c8e008b60492cf6fd31ef127aea6d02fd3d314cd",
"versionType": "git"
},
{
"status": "affected",
"version": "6aff941cb0f7d0c897c3698ad2e30672709135e3",
"versionType": "git"
},
{
"status": "affected",
"version": "3bc6317033f365ce578eb6039445fb66162722fd",
"versionType": "git"
},
{
"status": "affected",
"version": "836e625b03a666cf93ff5be328c8cb30336db872",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/xattr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.15"
},
{
"lessThan": "6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.10.237",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.15.181",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "6.1.135",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.6.88",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.12.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.293",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.13.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.14.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: xattr: fix null pointer deref in ext4_raw_inode()\n\nIf ext4_get_inode_loc() fails (e.g. if it returns -EFSCORRUPTED),\niloc.bh will remain set to NULL. Since ext4_xattr_inode_dec_ref_all()\nlacks error checking, this will lead to a null pointer dereference\nin ext4_raw_inode(), called right after ext4_get_inode_loc().\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:10.331Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b72a3476f0c97d02f63a6e9fff127348d55436f6"
},
{
"url": "https://git.kernel.org/stable/c/3d8d22e75f7edfa0b30ff27330fd6a1285d594c3"
},
{
"url": "https://git.kernel.org/stable/c/190ad0f22ba49f1101182b80e3af50ca2ddfe72f"
},
{
"url": "https://git.kernel.org/stable/c/b5d942922182e82724b7152cb998f540132885ec"
},
{
"url": "https://git.kernel.org/stable/c/5b154e901fda2e98570b8f426a481f5740097dc2"
},
{
"url": "https://git.kernel.org/stable/c/ce5f54c065a4a7cbb92787f4f140917112350142"
},
{
"url": "https://git.kernel.org/stable/c/b97cb7d6a051aa6ebd57906df0e26e9e36c26d14"
}
],
"title": "ext4: xattr: fix null pointer deref in ext4_raw_inode()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68820",
"datePublished": "2026-01-13T15:29:23.351Z",
"dateReserved": "2025-12-24T10:30:51.048Z",
"dateUpdated": "2026-02-09T08:34:10.331Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71079 (GCVE-0-2025-71079)
Vulnerability from cvelistv5
Published
2026-01-13 15:34
Modified
2026-02-09 08:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write
A deadlock can occur between nfc_unregister_device() and rfkill_fop_write()
due to lock ordering inversion between device_lock and rfkill_global_mutex.
The problematic lock order is:
Thread A (rfkill_fop_write):
rfkill_fop_write()
mutex_lock(&rfkill_global_mutex)
rfkill_set_block()
nfc_rfkill_set_block()
nfc_dev_down()
device_lock(&dev->dev) <- waits for device_lock
Thread B (nfc_unregister_device):
nfc_unregister_device()
device_lock(&dev->dev)
rfkill_unregister()
mutex_lock(&rfkill_global_mutex) <- waits for rfkill_global_mutex
This creates a classic ABBA deadlock scenario.
Fix this by moving rfkill_unregister() and rfkill_destroy() outside the
device_lock critical section. Store the rfkill pointer in a local variable
before releasing the lock, then call rfkill_unregister() after releasing
device_lock.
This change is safe because rfkill_fop_write() holds rfkill_global_mutex
while calling the rfkill callbacks, and rfkill_unregister() also acquires
rfkill_global_mutex before cleanup. Therefore, rfkill_unregister() will
wait for any ongoing callback to complete before proceeding, and
device_del() is only called after rfkill_unregister() returns, preventing
any use-after-free.
The similar lock ordering in nfc_register_device() (device_lock ->
rfkill_global_mutex via rfkill_register) is safe because during
registration the device is not yet in rfkill_list, so no concurrent
rfkill operations can occur on this device.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 73a0d12114b4bc1a9def79a623264754b9df698e Version: 8a9c61c3ef187d8891225f9b932390670a43a0d3 Version: 3e3b5dfcd16a3e254aab61bd1e8c417dd4503102 Version: 3e3b5dfcd16a3e254aab61bd1e8c417dd4503102 Version: 3e3b5dfcd16a3e254aab61bd1e8c417dd4503102 Version: 3e3b5dfcd16a3e254aab61bd1e8c417dd4503102 Version: 3e3b5dfcd16a3e254aab61bd1e8c417dd4503102 Version: 5ef16d2d172ee56714cff37cd005b98aba08ef5a Version: ff169909eac9e00bf1aa0af739ba6ddfb1b1d135 Version: 47244ac0b65bd74cc70007d8e1bac68bd2baad19 Version: c45cea83e13699bdfd47842e04d09dd43af4c371 Version: 307d2e6cebfca9d92f86c8e2c8e3dd4a8be46ba6 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/nfc/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2e0831e9fc46a06daa6d4d8d57a2738e343130c3",
"status": "affected",
"version": "73a0d12114b4bc1a9def79a623264754b9df698e",
"versionType": "git"
},
{
"lessThan": "e02a1c33f10a0ed3aba855ab8ae2b6c4c5be8012",
"status": "affected",
"version": "8a9c61c3ef187d8891225f9b932390670a43a0d3",
"versionType": "git"
},
{
"lessThan": "ee41f4f3ccf8cd6ba3732e867abbec7e6d8d12e5",
"status": "affected",
"version": "3e3b5dfcd16a3e254aab61bd1e8c417dd4503102",
"versionType": "git"
},
{
"lessThan": "6b93c8ab6f6cda8818983a4ae3fcf84b023037b4",
"status": "affected",
"version": "3e3b5dfcd16a3e254aab61bd1e8c417dd4503102",
"versionType": "git"
},
{
"lessThan": "8fc4632fb508432895430cd02b38086bdd649083",
"status": "affected",
"version": "3e3b5dfcd16a3e254aab61bd1e8c417dd4503102",
"versionType": "git"
},
{
"lessThan": "f3a8a7c1aa278f2378b2f3a10500c6674dffdfda",
"status": "affected",
"version": "3e3b5dfcd16a3e254aab61bd1e8c417dd4503102",
"versionType": "git"
},
{
"lessThan": "1ab526d97a57e44d26fadcc0e9adeb9c0c0182f5",
"status": "affected",
"version": "3e3b5dfcd16a3e254aab61bd1e8c417dd4503102",
"versionType": "git"
},
{
"status": "affected",
"version": "5ef16d2d172ee56714cff37cd005b98aba08ef5a",
"versionType": "git"
},
{
"status": "affected",
"version": "ff169909eac9e00bf1aa0af739ba6ddfb1b1d135",
"versionType": "git"
},
{
"status": "affected",
"version": "47244ac0b65bd74cc70007d8e1bac68bd2baad19",
"versionType": "git"
},
{
"status": "affected",
"version": "c45cea83e13699bdfd47842e04d09dd43af4c371",
"versionType": "git"
},
{
"status": "affected",
"version": "307d2e6cebfca9d92f86c8e2c8e3dd4a8be46ba6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/nfc/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.10.82",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.15.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.293",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.291",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.256",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.218",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.162",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write\n\nA deadlock can occur between nfc_unregister_device() and rfkill_fop_write()\ndue to lock ordering inversion between device_lock and rfkill_global_mutex.\n\nThe problematic lock order is:\n\nThread A (rfkill_fop_write):\n rfkill_fop_write()\n mutex_lock(\u0026rfkill_global_mutex)\n rfkill_set_block()\n nfc_rfkill_set_block()\n nfc_dev_down()\n device_lock(\u0026dev-\u003edev) \u003c- waits for device_lock\n\nThread B (nfc_unregister_device):\n nfc_unregister_device()\n device_lock(\u0026dev-\u003edev)\n rfkill_unregister()\n mutex_lock(\u0026rfkill_global_mutex) \u003c- waits for rfkill_global_mutex\n\nThis creates a classic ABBA deadlock scenario.\n\nFix this by moving rfkill_unregister() and rfkill_destroy() outside the\ndevice_lock critical section. Store the rfkill pointer in a local variable\nbefore releasing the lock, then call rfkill_unregister() after releasing\ndevice_lock.\n\nThis change is safe because rfkill_fop_write() holds rfkill_global_mutex\nwhile calling the rfkill callbacks, and rfkill_unregister() also acquires\nrfkill_global_mutex before cleanup. Therefore, rfkill_unregister() will\nwait for any ongoing callback to complete before proceeding, and\ndevice_del() is only called after rfkill_unregister() returns, preventing\nany use-after-free.\n\nThe similar lock ordering in nfc_register_device() (device_lock -\u003e\nrfkill_global_mutex via rfkill_register) is safe because during\nregistration the device is not yet in rfkill_list, so no concurrent\nrfkill operations can occur on this device."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:30.426Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2e0831e9fc46a06daa6d4d8d57a2738e343130c3"
},
{
"url": "https://git.kernel.org/stable/c/e02a1c33f10a0ed3aba855ab8ae2b6c4c5be8012"
},
{
"url": "https://git.kernel.org/stable/c/ee41f4f3ccf8cd6ba3732e867abbec7e6d8d12e5"
},
{
"url": "https://git.kernel.org/stable/c/6b93c8ab6f6cda8818983a4ae3fcf84b023037b4"
},
{
"url": "https://git.kernel.org/stable/c/8fc4632fb508432895430cd02b38086bdd649083"
},
{
"url": "https://git.kernel.org/stable/c/f3a8a7c1aa278f2378b2f3a10500c6674dffdfda"
},
{
"url": "https://git.kernel.org/stable/c/1ab526d97a57e44d26fadcc0e9adeb9c0c0182f5"
}
],
"title": "net: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71079",
"datePublished": "2026-01-13T15:34:44.136Z",
"dateReserved": "2026-01-13T15:30:19.648Z",
"dateUpdated": "2026-02-09T08:34:30.426Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40035 (GCVE-0-2025-40035)
Vulnerability from cvelistv5
Published
2025-10-28 11:48
Modified
2025-12-01 06:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak
Struct ff_effect_compat is embedded twice inside
uinput_ff_upload_compat, contains internal padding. In particular, there
is a hole after struct ff_replay to satisfy alignment requirements for
the following union member. Without clearing the structure,
copy_to_user() may leak stack data to userspace.
Initialize ff_up_compat to zero before filling valid fields.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 2d56f3a32c0e62f99c043d2579840f9731fe5855 Version: 2d56f3a32c0e62f99c043d2579840f9731fe5855 Version: 2d56f3a32c0e62f99c043d2579840f9731fe5855 Version: 2d56f3a32c0e62f99c043d2579840f9731fe5855 Version: 2d56f3a32c0e62f99c043d2579840f9731fe5855 Version: 2d56f3a32c0e62f99c043d2579840f9731fe5855 Version: 2d56f3a32c0e62f99c043d2579840f9731fe5855 Version: 2d56f3a32c0e62f99c043d2579840f9731fe5855 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/input/misc/uinput.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1b317796013f666ae5040edbf0f230ec61496d42",
"status": "affected",
"version": "2d56f3a32c0e62f99c043d2579840f9731fe5855",
"versionType": "git"
},
{
"lessThan": "877172b97786ed1678640dff0b2d35abb328844c",
"status": "affected",
"version": "2d56f3a32c0e62f99c043d2579840f9731fe5855",
"versionType": "git"
},
{
"lessThan": "e63aade22a33e77b93c98c9f02db504d897a76b4",
"status": "affected",
"version": "2d56f3a32c0e62f99c043d2579840f9731fe5855",
"versionType": "git"
},
{
"lessThan": "933b87c4590b42500299f00ff55f555903056803",
"status": "affected",
"version": "2d56f3a32c0e62f99c043d2579840f9731fe5855",
"versionType": "git"
},
{
"lessThan": "fd8a23ecbc602d00e47b27f20b07350867d0ebe5",
"status": "affected",
"version": "2d56f3a32c0e62f99c043d2579840f9731fe5855",
"versionType": "git"
},
{
"lessThan": "48c96b7e9e03516936d6deba54b5553097eae817",
"status": "affected",
"version": "2d56f3a32c0e62f99c043d2579840f9731fe5855",
"versionType": "git"
},
{
"lessThan": "f5e1f3b85aadce74268c46676772c3e9fa79897e",
"status": "affected",
"version": "2d56f3a32c0e62f99c043d2579840f9731fe5855",
"versionType": "git"
},
{
"lessThan": "d3366a04770eea807f2826cbdb96934dd8c9bf79",
"status": "affected",
"version": "2d56f3a32c0e62f99c043d2579840f9731fe5855",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/input/misc/uinput.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.29"
},
{
"lessThan": "2.6.29",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.29",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak\n\nStruct ff_effect_compat is embedded twice inside\nuinput_ff_upload_compat, contains internal padding. In particular, there\nis a hole after struct ff_replay to satisfy alignment requirements for\nthe following union member. Without clearing the structure,\ncopy_to_user() may leak stack data to userspace.\n\nInitialize ff_up_compat to zero before filling valid fields."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:16:38.831Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1b317796013f666ae5040edbf0f230ec61496d42"
},
{
"url": "https://git.kernel.org/stable/c/877172b97786ed1678640dff0b2d35abb328844c"
},
{
"url": "https://git.kernel.org/stable/c/e63aade22a33e77b93c98c9f02db504d897a76b4"
},
{
"url": "https://git.kernel.org/stable/c/933b87c4590b42500299f00ff55f555903056803"
},
{
"url": "https://git.kernel.org/stable/c/fd8a23ecbc602d00e47b27f20b07350867d0ebe5"
},
{
"url": "https://git.kernel.org/stable/c/48c96b7e9e03516936d6deba54b5553097eae817"
},
{
"url": "https://git.kernel.org/stable/c/f5e1f3b85aadce74268c46676772c3e9fa79897e"
},
{
"url": "https://git.kernel.org/stable/c/d3366a04770eea807f2826cbdb96934dd8c9bf79"
}
],
"title": "Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40035",
"datePublished": "2025-10-28T11:48:17.030Z",
"dateReserved": "2025-04-16T07:20:57.153Z",
"dateUpdated": "2025-12-01T06:16:38.831Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40120 (GCVE-0-2025-40120)
Vulnerability from cvelistv5
Published
2025-11-12 10:23
Modified
2025-12-01 06:18
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: usb: asix: hold PM usage ref to avoid PM/MDIO + RTNL deadlock
Prevent USB runtime PM (autosuspend) for AX88772* in bind.
usbnet enables runtime PM (autosuspend) by default, so disabling it via
the usb_driver flag is ineffective. On AX88772B, autosuspend shows no
measurable power saving with current driver (no link partner, admin
up/down). The ~0.453 W -> ~0.248 W drop on v6.1 comes from phylib powering
the PHY off on admin-down, not from USB autosuspend.
The real hazard is that with runtime PM enabled, ndo_open() (under RTNL)
may synchronously trigger autoresume (usb_autopm_get_interface()) into
asix_resume() while the USB PM lock is held. Resume paths then invoke
phylink/phylib and MDIO, which also expect RTNL, leading to possible
deadlocks or PM lock vs MDIO wake issues.
To avoid this, keep the device runtime-PM active by taking a usage
reference in ax88772_bind() and dropping it in unbind(). A non-zero PM
usage count blocks runtime suspend regardless of userspace policy
(.../power/control - pm_runtime_allow/forbid), making this approach
robust against sysfs overrides.
Holding a runtime-PM usage ref does not affect system-wide suspend;
system sleep/resume callbacks continue to run as before.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 4a2c7217cd5a87e85ceb761e307b030fe6db4805 Version: 4a2c7217cd5a87e85ceb761e307b030fe6db4805 Version: 4a2c7217cd5a87e85ceb761e307b030fe6db4805 Version: 4a2c7217cd5a87e85ceb761e307b030fe6db4805 Version: 4a2c7217cd5a87e85ceb761e307b030fe6db4805 Version: 4a2c7217cd5a87e85ceb761e307b030fe6db4805 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/asix_devices.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "71a0ba7fdaf8d035426912a4ed7bf1738a81010c",
"status": "affected",
"version": "4a2c7217cd5a87e85ceb761e307b030fe6db4805",
"versionType": "git"
},
{
"lessThan": "3e96cd27ff1a004d84908c1b6cc68ac60913874e",
"status": "affected",
"version": "4a2c7217cd5a87e85ceb761e307b030fe6db4805",
"versionType": "git"
},
{
"lessThan": "724a9db84188f80ef60b1f21cc7b4e9c84e0cb64",
"status": "affected",
"version": "4a2c7217cd5a87e85ceb761e307b030fe6db4805",
"versionType": "git"
},
{
"lessThan": "1534517300e12f2930b6ff477b8820ff658afd11",
"status": "affected",
"version": "4a2c7217cd5a87e85ceb761e307b030fe6db4805",
"versionType": "git"
},
{
"lessThan": "9d8bcaf6fae1bd82bc27ec09a2694497e6f6c4b4",
"status": "affected",
"version": "4a2c7217cd5a87e85ceb761e307b030fe6db4805",
"versionType": "git"
},
{
"lessThan": "3d3c4cd5c62f24bb3cb4511b7a95df707635e00a",
"status": "affected",
"version": "4a2c7217cd5a87e85ceb761e307b030fe6db4805",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/asix_devices.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: asix: hold PM usage ref to avoid PM/MDIO + RTNL deadlock\n\nPrevent USB runtime PM (autosuspend) for AX88772* in bind.\n\nusbnet enables runtime PM (autosuspend) by default, so disabling it via\nthe usb_driver flag is ineffective. On AX88772B, autosuspend shows no\nmeasurable power saving with current driver (no link partner, admin\nup/down). The ~0.453 W -\u003e ~0.248 W drop on v6.1 comes from phylib powering\nthe PHY off on admin-down, not from USB autosuspend.\n\nThe real hazard is that with runtime PM enabled, ndo_open() (under RTNL)\nmay synchronously trigger autoresume (usb_autopm_get_interface()) into\nasix_resume() while the USB PM lock is held. Resume paths then invoke\nphylink/phylib and MDIO, which also expect RTNL, leading to possible\ndeadlocks or PM lock vs MDIO wake issues.\n\nTo avoid this, keep the device runtime-PM active by taking a usage\nreference in ax88772_bind() and dropping it in unbind(). A non-zero PM\nusage count blocks runtime suspend regardless of userspace policy\n(.../power/control - pm_runtime_allow/forbid), making this approach\nrobust against sysfs overrides.\n\nHolding a runtime-PM usage ref does not affect system-wide suspend;\nsystem sleep/resume callbacks continue to run as before."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:18:24.689Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/71a0ba7fdaf8d035426912a4ed7bf1738a81010c"
},
{
"url": "https://git.kernel.org/stable/c/3e96cd27ff1a004d84908c1b6cc68ac60913874e"
},
{
"url": "https://git.kernel.org/stable/c/724a9db84188f80ef60b1f21cc7b4e9c84e0cb64"
},
{
"url": "https://git.kernel.org/stable/c/1534517300e12f2930b6ff477b8820ff658afd11"
},
{
"url": "https://git.kernel.org/stable/c/9d8bcaf6fae1bd82bc27ec09a2694497e6f6c4b4"
},
{
"url": "https://git.kernel.org/stable/c/3d3c4cd5c62f24bb3cb4511b7a95df707635e00a"
}
],
"title": "net: usb: asix: hold PM usage ref to avoid PM/MDIO + RTNL deadlock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40120",
"datePublished": "2025-11-12T10:23:18.726Z",
"dateReserved": "2025-04-16T07:20:57.169Z",
"dateUpdated": "2025-12-01T06:18:24.689Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-23143 (GCVE-0-2025-23143)
Vulnerability from cvelistv5
Published
2025-05-01 12:55
Modified
2025-11-03 17:32
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod.
When I ran the repro [0] and waited a few seconds, I observed two
LOCKDEP splats: a warning immediately followed by a null-ptr-deref. [1]
Reproduction Steps:
1) Mount CIFS
2) Add an iptables rule to drop incoming FIN packets for CIFS
3) Unmount CIFS
4) Unload the CIFS module
5) Remove the iptables rule
At step 3), the CIFS module calls sock_release() for the underlying
TCP socket, and it returns quickly. However, the socket remains in
FIN_WAIT_1 because incoming FIN packets are dropped.
At this point, the module's refcnt is 0 while the socket is still
alive, so the following rmmod command succeeds.
# ss -tan
State Recv-Q Send-Q Local Address:Port Peer Address:Port
FIN-WAIT-1 0 477 10.0.2.15:51062 10.0.0.137:445
# lsmod | grep cifs
cifs 1159168 0
This highlights a discrepancy between the lifetime of the CIFS module
and the underlying TCP socket. Even after CIFS calls sock_release()
and it returns, the TCP socket does not die immediately in order to
close the connection gracefully.
While this is generally fine, it causes an issue with LOCKDEP because
CIFS assigns a different lock class to the TCP socket's sk->sk_lock
using sock_lock_init_class_and_name().
Once an incoming packet is processed for the socket or a timer fires,
sk->sk_lock is acquired.
Then, LOCKDEP checks the lock context in check_wait_context(), where
hlock_class() is called to retrieve the lock class. However, since
the module has already been unloaded, hlock_class() logs a warning
and returns NULL, triggering the null-ptr-deref.
If LOCKDEP is enabled, we must ensure that a module calling
sock_lock_init_class_and_name() (CIFS, NFS, etc) cannot be unloaded
while such a socket is still alive to prevent this issue.
Let's hold the module reference in sock_lock_init_class_and_name()
and release it when the socket is freed in sk_prot_free().
Note that sock_lock_init() clears sk->sk_owner for svc_create_socket()
that calls sock_lock_init_class_and_name() for a listening socket,
which clones a socket by sk_clone_lock() without GFP_ZERO.
[0]:
CIFS_SERVER="10.0.0.137"
CIFS_PATH="//${CIFS_SERVER}/Users/Administrator/Desktop/CIFS_TEST"
DEV="enp0s3"
CRED="/root/WindowsCredential.txt"
MNT=$(mktemp -d /tmp/XXXXXX)
mount -t cifs ${CIFS_PATH} ${MNT} -o vers=3.0,credentials=${CRED},cache=none,echo_interval=1
iptables -A INPUT -s ${CIFS_SERVER} -j DROP
for i in $(seq 10);
do
umount ${MNT}
rmmod cifs
sleep 1
done
rm -r ${MNT}
iptables -D INPUT -s ${CIFS_SERVER} -j DROP
[1]:
DEBUG_LOCKS_WARN_ON(1)
WARNING: CPU: 10 PID: 0 at kernel/locking/lockdep.c:234 hlock_class (kernel/locking/lockdep.c:234 kernel/locking/lockdep.c:223)
Modules linked in: cifs_arc4 nls_ucs2_utils cifs_md4 [last unloaded: cifs]
CPU: 10 UID: 0 PID: 0 Comm: swapper/10 Not tainted 6.14.0 #36
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
RIP: 0010:hlock_class (kernel/locking/lockdep.c:234 kernel/locking/lockdep.c:223)
...
Call Trace:
<IRQ>
__lock_acquire (kernel/locking/lockdep.c:4853 kernel/locking/lockdep.c:5178)
lock_acquire (kernel/locking/lockdep.c:469 kernel/locking/lockdep.c:5853 kernel/locking/lockdep.c:5816)
_raw_spin_lock_nested (kernel/locking/spinlock.c:379)
tcp_v4_rcv (./include/linux/skbuff.h:1678 ./include/net/tcp.h:2547 net/ipv4/tcp_ipv4.c:2350)
...
BUG: kernel NULL pointer dereference, address: 00000000000000c4
PF: supervisor read access in kernel mode
PF: error_code(0x0000) - not-present page
PGD 0
Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI
CPU: 10 UID: 0 PID: 0 Comm: swapper/10 Tainted: G W 6.14.0 #36
Tainted: [W]=WARN
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
RIP: 0010:__lock_acquire (kernel/
---truncated---
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: ed07536ed6731775219c1df7fa26a7588753e693 Version: ed07536ed6731775219c1df7fa26a7588753e693 Version: ed07536ed6731775219c1df7fa26a7588753e693 Version: ed07536ed6731775219c1df7fa26a7588753e693 Version: ed07536ed6731775219c1df7fa26a7588753e693 Version: ed07536ed6731775219c1df7fa26a7588753e693 Version: ed07536ed6731775219c1df7fa26a7588753e693 Version: ed07536ed6731775219c1df7fa26a7588753e693 Version: ed07536ed6731775219c1df7fa26a7588753e693 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:32:14.894Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/sock.h",
"net/core/sock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "83083c5fc7cf9b0f136a42f26aba60da380f3601",
"status": "affected",
"version": "ed07536ed6731775219c1df7fa26a7588753e693",
"versionType": "git"
},
{
"lessThan": "b7489b753667bc9245958a4896c9419743083c27",
"status": "affected",
"version": "ed07536ed6731775219c1df7fa26a7588753e693",
"versionType": "git"
},
{
"lessThan": "d51e47e2ab6ef10a317d576075cf625cdbf96426",
"status": "affected",
"version": "ed07536ed6731775219c1df7fa26a7588753e693",
"versionType": "git"
},
{
"lessThan": "feda73ad44a5cc80f6bf796bb1099a3fe71576d4",
"status": "affected",
"version": "ed07536ed6731775219c1df7fa26a7588753e693",
"versionType": "git"
},
{
"lessThan": "905d43b8ad2436c240f844acb3ebcc7a99b8ebf1",
"status": "affected",
"version": "ed07536ed6731775219c1df7fa26a7588753e693",
"versionType": "git"
},
{
"lessThan": "5f7f6abd92b6c8dc8f19625ef93c3a18549ede04",
"status": "affected",
"version": "ed07536ed6731775219c1df7fa26a7588753e693",
"versionType": "git"
},
{
"lessThan": "c11247a21aab4b50a23c8b696727d7483de2f1e1",
"status": "affected",
"version": "ed07536ed6731775219c1df7fa26a7588753e693",
"versionType": "git"
},
{
"lessThan": "2155802d3313d7b8365935c6b8d6edc0ddd7eb94",
"status": "affected",
"version": "ed07536ed6731775219c1df7fa26a7588753e693",
"versionType": "git"
},
{
"lessThan": "0bb2f7a1ad1f11d861f58e5ee5051c8974ff9569",
"status": "affected",
"version": "ed07536ed6731775219c1df7fa26a7588753e693",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/sock.h",
"net/core/sock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.20"
},
{
"lessThan": "2.6.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.153",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.107",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.24",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.12",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.3",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "2.6.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod.\n\nWhen I ran the repro [0] and waited a few seconds, I observed two\nLOCKDEP splats: a warning immediately followed by a null-ptr-deref. [1]\n\nReproduction Steps:\n\n 1) Mount CIFS\n 2) Add an iptables rule to drop incoming FIN packets for CIFS\n 3) Unmount CIFS\n 4) Unload the CIFS module\n 5) Remove the iptables rule\n\nAt step 3), the CIFS module calls sock_release() for the underlying\nTCP socket, and it returns quickly. However, the socket remains in\nFIN_WAIT_1 because incoming FIN packets are dropped.\n\nAt this point, the module\u0027s refcnt is 0 while the socket is still\nalive, so the following rmmod command succeeds.\n\n # ss -tan\n State Recv-Q Send-Q Local Address:Port Peer Address:Port\n FIN-WAIT-1 0 477 10.0.2.15:51062 10.0.0.137:445\n\n # lsmod | grep cifs\n cifs 1159168 0\n\nThis highlights a discrepancy between the lifetime of the CIFS module\nand the underlying TCP socket. Even after CIFS calls sock_release()\nand it returns, the TCP socket does not die immediately in order to\nclose the connection gracefully.\n\nWhile this is generally fine, it causes an issue with LOCKDEP because\nCIFS assigns a different lock class to the TCP socket\u0027s sk-\u003esk_lock\nusing sock_lock_init_class_and_name().\n\nOnce an incoming packet is processed for the socket or a timer fires,\nsk-\u003esk_lock is acquired.\n\nThen, LOCKDEP checks the lock context in check_wait_context(), where\nhlock_class() is called to retrieve the lock class. However, since\nthe module has already been unloaded, hlock_class() logs a warning\nand returns NULL, triggering the null-ptr-deref.\n\nIf LOCKDEP is enabled, we must ensure that a module calling\nsock_lock_init_class_and_name() (CIFS, NFS, etc) cannot be unloaded\nwhile such a socket is still alive to prevent this issue.\n\nLet\u0027s hold the module reference in sock_lock_init_class_and_name()\nand release it when the socket is freed in sk_prot_free().\n\nNote that sock_lock_init() clears sk-\u003esk_owner for svc_create_socket()\nthat calls sock_lock_init_class_and_name() for a listening socket,\nwhich clones a socket by sk_clone_lock() without GFP_ZERO.\n\n[0]:\nCIFS_SERVER=\"10.0.0.137\"\nCIFS_PATH=\"//${CIFS_SERVER}/Users/Administrator/Desktop/CIFS_TEST\"\nDEV=\"enp0s3\"\nCRED=\"/root/WindowsCredential.txt\"\n\nMNT=$(mktemp -d /tmp/XXXXXX)\nmount -t cifs ${CIFS_PATH} ${MNT} -o vers=3.0,credentials=${CRED},cache=none,echo_interval=1\n\niptables -A INPUT -s ${CIFS_SERVER} -j DROP\n\nfor i in $(seq 10);\ndo\n umount ${MNT}\n rmmod cifs\n sleep 1\ndone\n\nrm -r ${MNT}\n\niptables -D INPUT -s ${CIFS_SERVER} -j DROP\n\n[1]:\nDEBUG_LOCKS_WARN_ON(1)\nWARNING: CPU: 10 PID: 0 at kernel/locking/lockdep.c:234 hlock_class (kernel/locking/lockdep.c:234 kernel/locking/lockdep.c:223)\nModules linked in: cifs_arc4 nls_ucs2_utils cifs_md4 [last unloaded: cifs]\nCPU: 10 UID: 0 PID: 0 Comm: swapper/10 Not tainted 6.14.0 #36\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nRIP: 0010:hlock_class (kernel/locking/lockdep.c:234 kernel/locking/lockdep.c:223)\n...\nCall Trace:\n \u003cIRQ\u003e\n __lock_acquire (kernel/locking/lockdep.c:4853 kernel/locking/lockdep.c:5178)\n lock_acquire (kernel/locking/lockdep.c:469 kernel/locking/lockdep.c:5853 kernel/locking/lockdep.c:5816)\n _raw_spin_lock_nested (kernel/locking/spinlock.c:379)\n tcp_v4_rcv (./include/linux/skbuff.h:1678 ./include/net/tcp.h:2547 net/ipv4/tcp_ipv4.c:2350)\n...\n\nBUG: kernel NULL pointer dereference, address: 00000000000000c4\n PF: supervisor read access in kernel mode\n PF: error_code(0x0000) - not-present page\nPGD 0\nOops: Oops: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 10 UID: 0 PID: 0 Comm: swapper/10 Tainted: G W 6.14.0 #36\nTainted: [W]=WARN\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nRIP: 0010:__lock_acquire (kernel/\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T13:25:47.262Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/83083c5fc7cf9b0f136a42f26aba60da380f3601"
},
{
"url": "https://git.kernel.org/stable/c/b7489b753667bc9245958a4896c9419743083c27"
},
{
"url": "https://git.kernel.org/stable/c/d51e47e2ab6ef10a317d576075cf625cdbf96426"
},
{
"url": "https://git.kernel.org/stable/c/feda73ad44a5cc80f6bf796bb1099a3fe71576d4"
},
{
"url": "https://git.kernel.org/stable/c/905d43b8ad2436c240f844acb3ebcc7a99b8ebf1"
},
{
"url": "https://git.kernel.org/stable/c/5f7f6abd92b6c8dc8f19625ef93c3a18549ede04"
},
{
"url": "https://git.kernel.org/stable/c/c11247a21aab4b50a23c8b696727d7483de2f1e1"
},
{
"url": "https://git.kernel.org/stable/c/2155802d3313d7b8365935c6b8d6edc0ddd7eb94"
},
{
"url": "https://git.kernel.org/stable/c/0bb2f7a1ad1f11d861f58e5ee5051c8974ff9569"
}
],
"title": "net: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-23143",
"datePublished": "2025-05-01T12:55:33.348Z",
"dateReserved": "2025-01-11T14:28:41.512Z",
"dateUpdated": "2025-11-03T17:32:14.894Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40240 (GCVE-0-2025-40240)
Vulnerability from cvelistv5
Published
2025-12-04 15:31
Modified
2025-12-04 15:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
sctp: avoid NULL dereference when chunk data buffer is missing
chunk->skb pointer is dereferenced in the if-block where it's supposed
to be NULL only.
chunk->skb can only be NULL if chunk->head_skb is not. Check for frag_list
instead and do it just before replacing chunk->skb. We're sure that
otherwise chunk->skb is non-NULL because of outer if() condition.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 90017accff61ae89283ad9a51f9ac46ca01633fb Version: 90017accff61ae89283ad9a51f9ac46ca01633fb Version: 90017accff61ae89283ad9a51f9ac46ca01633fb Version: 90017accff61ae89283ad9a51f9ac46ca01633fb Version: 90017accff61ae89283ad9a51f9ac46ca01633fb Version: 90017accff61ae89283ad9a51f9ac46ca01633fb Version: 90017accff61ae89283ad9a51f9ac46ca01633fb Version: 90017accff61ae89283ad9a51f9ac46ca01633fb |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sctp/inqueue.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "61cda2777b07d27459f5cac5a047c3edf9c8a1a9",
"status": "affected",
"version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
"versionType": "git"
},
{
"lessThan": "08165c296597075763130919f2aae59b5822f016",
"status": "affected",
"version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
"versionType": "git"
},
{
"lessThan": "03e80a4b04ef1fb2c61dd63216ab8d3a5dcb196f",
"status": "affected",
"version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
"versionType": "git"
},
{
"lessThan": "4f6da435fb5d8a21cbf8cae5ca5a2ba0e1012b71",
"status": "affected",
"version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
"versionType": "git"
},
{
"lessThan": "cb9055ba30306ede4ad920002233d0659982f1cb",
"status": "affected",
"version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
"versionType": "git"
},
{
"lessThan": "7a832b0f99be19df608cb75c023f8027b1789bd1",
"status": "affected",
"version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
"versionType": "git"
},
{
"lessThan": "89b465b54227c245ddc7cc9ed822231af21123ef",
"status": "affected",
"version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
"versionType": "git"
},
{
"lessThan": "441f0647f7673e0e64d4910ef61a5fb8f16bfb82",
"status": "affected",
"version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sctp/inqueue.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.196",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.115",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.196",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.115",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.56",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.6",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: avoid NULL dereference when chunk data buffer is missing\n\nchunk-\u003eskb pointer is dereferenced in the if-block where it\u0027s supposed\nto be NULL only.\n\nchunk-\u003eskb can only be NULL if chunk-\u003ehead_skb is not. Check for frag_list\ninstead and do it just before replacing chunk-\u003eskb. We\u0027re sure that\notherwise chunk-\u003eskb is non-NULL because of outer if() condition."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-04T15:31:29.715Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/61cda2777b07d27459f5cac5a047c3edf9c8a1a9"
},
{
"url": "https://git.kernel.org/stable/c/08165c296597075763130919f2aae59b5822f016"
},
{
"url": "https://git.kernel.org/stable/c/03e80a4b04ef1fb2c61dd63216ab8d3a5dcb196f"
},
{
"url": "https://git.kernel.org/stable/c/4f6da435fb5d8a21cbf8cae5ca5a2ba0e1012b71"
},
{
"url": "https://git.kernel.org/stable/c/cb9055ba30306ede4ad920002233d0659982f1cb"
},
{
"url": "https://git.kernel.org/stable/c/7a832b0f99be19df608cb75c023f8027b1789bd1"
},
{
"url": "https://git.kernel.org/stable/c/89b465b54227c245ddc7cc9ed822231af21123ef"
},
{
"url": "https://git.kernel.org/stable/c/441f0647f7673e0e64d4910ef61a5fb8f16bfb82"
}
],
"title": "sctp: avoid NULL dereference when chunk data buffer is missing",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40240",
"datePublished": "2025-12-04T15:31:29.715Z",
"dateReserved": "2025-04-16T07:20:57.181Z",
"dateUpdated": "2025-12-04T15:31:29.715Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71072 (GCVE-0-2025-71072)
Vulnerability from cvelistv5
Published
2026-01-13 15:31
Modified
2026-02-09 08:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
shmem: fix recovery on rename failures
maple_tree insertions can fail if we are seriously short on memory;
simple_offset_rename() does not recover well if it runs into that.
The same goes for simple_offset_rename_exchange().
Moreover, shmem_whiteout() expects that if it succeeds, the caller will
progress to d_move(), i.e. that shmem_rename2() won't fail past the
successful call of shmem_whiteout().
Not hard to fix, fortunately - mtree_store() can't fail if the index we
are trying to store into is already present in the tree as a singleton.
For simple_offset_rename_exchange() that's enough - we just need to be
careful about the order of operations.
For simple_offset_rename() solution is to preinsert the target into the
tree for new_dir; the rest can be done without any potentially failing
operations.
That preinsertion has to be done in shmem_rename2() rather than in
simple_offset_rename() itself - otherwise we'd need to deal with the
possibility of failure after successful shmem_whiteout().
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/libfs.c",
"include/linux/fs.h",
"mm/shmem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4b0fe71fb3965d0db83cdfc2f4fe0b3227d70113",
"status": "affected",
"version": "a2e459555c5f9da3e619b7e47a63f98574dc75f1",
"versionType": "git"
},
{
"lessThan": "4642686699a46718d7f2fb5acd1e9d866a9d9cca",
"status": "affected",
"version": "a2e459555c5f9da3e619b7e47a63f98574dc75f1",
"versionType": "git"
},
{
"lessThan": "e1b4c6a58304fd490124cc2b454d80edc786665c",
"status": "affected",
"version": "a2e459555c5f9da3e619b7e47a63f98574dc75f1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/libfs.c",
"include/linux/fs.h",
"mm/shmem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.6"
},
{
"lessThan": "6.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nshmem: fix recovery on rename failures\n\nmaple_tree insertions can fail if we are seriously short on memory;\nsimple_offset_rename() does not recover well if it runs into that.\nThe same goes for simple_offset_rename_exchange().\n\nMoreover, shmem_whiteout() expects that if it succeeds, the caller will\nprogress to d_move(), i.e. that shmem_rename2() won\u0027t fail past the\nsuccessful call of shmem_whiteout().\n\nNot hard to fix, fortunately - mtree_store() can\u0027t fail if the index we\nare trying to store into is already present in the tree as a singleton.\n\nFor simple_offset_rename_exchange() that\u0027s enough - we just need to be\ncareful about the order of operations.\n\nFor simple_offset_rename() solution is to preinsert the target into the\ntree for new_dir; the rest can be done without any potentially failing\noperations.\n\nThat preinsertion has to be done in shmem_rename2() rather than in\nsimple_offset_rename() itself - otherwise we\u0027d need to deal with the\npossibility of failure after successful shmem_whiteout()."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:22.909Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4b0fe71fb3965d0db83cdfc2f4fe0b3227d70113"
},
{
"url": "https://git.kernel.org/stable/c/4642686699a46718d7f2fb5acd1e9d866a9d9cca"
},
{
"url": "https://git.kernel.org/stable/c/e1b4c6a58304fd490124cc2b454d80edc786665c"
}
],
"title": "shmem: fix recovery on rename failures",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71072",
"datePublished": "2026-01-13T15:31:26.089Z",
"dateReserved": "2026-01-13T15:30:19.647Z",
"dateUpdated": "2026-02-09T08:34:22.909Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40319 (GCVE-0-2025-40319)
Vulnerability from cvelistv5
Published
2025-12-08 00:46
Modified
2025-12-08 00:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Sync pending IRQ work before freeing ring buffer
Fix a race where irq_work can be queued in bpf_ringbuf_commit()
but the ring buffer is freed before the work executes.
In the syzbot reproducer, a BPF program attached to sched_switch
triggers bpf_ringbuf_commit(), queuing an irq_work. If the ring buffer
is freed before this work executes, the irq_work thread may accesses
freed memory.
Calling `irq_work_sync(&rb->work)` ensures that all pending irq_work
complete before freeing the buffer.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 457f44363a8894135c85b7a9afd2bd8196db24ab Version: 457f44363a8894135c85b7a9afd2bd8196db24ab Version: 457f44363a8894135c85b7a9afd2bd8196db24ab Version: 457f44363a8894135c85b7a9afd2bd8196db24ab Version: 457f44363a8894135c85b7a9afd2bd8196db24ab Version: 457f44363a8894135c85b7a9afd2bd8196db24ab Version: 457f44363a8894135c85b7a9afd2bd8196db24ab |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/ringbuf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "47626748a2a00068dbbd5836d19076637b4e235b",
"status": "affected",
"version": "457f44363a8894135c85b7a9afd2bd8196db24ab",
"versionType": "git"
},
{
"lessThan": "de2ce6b14bc3e565708a39bdba3ef9162aeffc72",
"status": "affected",
"version": "457f44363a8894135c85b7a9afd2bd8196db24ab",
"versionType": "git"
},
{
"lessThan": "e1828c7a8d8135e21ff6adaaa9458c32aae13b11",
"status": "affected",
"version": "457f44363a8894135c85b7a9afd2bd8196db24ab",
"versionType": "git"
},
{
"lessThan": "6451141103547f4efd774e912418a3b4318046c6",
"status": "affected",
"version": "457f44363a8894135c85b7a9afd2bd8196db24ab",
"versionType": "git"
},
{
"lessThan": "10ca3b2eec384628bc9f5d8190aed9427ad2dde6",
"status": "affected",
"version": "457f44363a8894135c85b7a9afd2bd8196db24ab",
"versionType": "git"
},
{
"lessThan": "430e15544f11f8de26b2b5109c7152f71b78295e",
"status": "affected",
"version": "457f44363a8894135c85b7a9afd2bd8196db24ab",
"versionType": "git"
},
{
"lessThan": "4e9077638301816a7d73fa1e1b4c1db4a7e3b59c",
"status": "affected",
"version": "457f44363a8894135c85b7a9afd2bd8196db24ab",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/ringbuf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Sync pending IRQ work before freeing ring buffer\n\nFix a race where irq_work can be queued in bpf_ringbuf_commit()\nbut the ring buffer is freed before the work executes.\nIn the syzbot reproducer, a BPF program attached to sched_switch\ntriggers bpf_ringbuf_commit(), queuing an irq_work. If the ring buffer\nis freed before this work executes, the irq_work thread may accesses\nfreed memory.\nCalling `irq_work_sync(\u0026rb-\u003ework)` ensures that all pending irq_work\ncomplete before freeing the buffer."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T00:46:46.448Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/47626748a2a00068dbbd5836d19076637b4e235b"
},
{
"url": "https://git.kernel.org/stable/c/de2ce6b14bc3e565708a39bdba3ef9162aeffc72"
},
{
"url": "https://git.kernel.org/stable/c/e1828c7a8d8135e21ff6adaaa9458c32aae13b11"
},
{
"url": "https://git.kernel.org/stable/c/6451141103547f4efd774e912418a3b4318046c6"
},
{
"url": "https://git.kernel.org/stable/c/10ca3b2eec384628bc9f5d8190aed9427ad2dde6"
},
{
"url": "https://git.kernel.org/stable/c/430e15544f11f8de26b2b5109c7152f71b78295e"
},
{
"url": "https://git.kernel.org/stable/c/4e9077638301816a7d73fa1e1b4c1db4a7e3b59c"
}
],
"title": "bpf: Sync pending IRQ work before freeing ring buffer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40319",
"datePublished": "2025-12-08T00:46:46.448Z",
"dateReserved": "2025-04-16T07:20:57.186Z",
"dateUpdated": "2025-12-08T00:46:46.448Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40259 (GCVE-0-2025-40259)
Vulnerability from cvelistv5
Published
2025-12-04 16:08
Modified
2025-12-06 21:38
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: sg: Do not sleep in atomic context
sg_finish_rem_req() calls blk_rq_unmap_user(). The latter function may
sleep. Hence, call sg_finish_rem_req() with interrupts enabled instead
of disabled.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 97d27b0dd015e980ade63fda111fd1353276e28b Version: 97d27b0dd015e980ade63fda111fd1353276e28b Version: 97d27b0dd015e980ade63fda111fd1353276e28b Version: 97d27b0dd015e980ade63fda111fd1353276e28b Version: 97d27b0dd015e980ade63fda111fd1353276e28b Version: 97d27b0dd015e980ade63fda111fd1353276e28b Version: 97d27b0dd015e980ade63fda111fd1353276e28b Version: 97d27b0dd015e980ade63fda111fd1353276e28b Version: 8d1f3b474a89b42f957ba3bae959dd3cd16531ca Version: fa55ef3f803fc7c20be0ab809e6278c31febd875 Version: 6af37613289cfd32516ada47e444b48a638829c8 Version: 4a8e8e0af9a520a685e0ab2d489327d5220d7ce2 Version: ae9b6ae2e77947534e255903627cc62746ea77e2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/sg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "11eeee00c94d770d4e45364060b5f1526dfe567b",
"status": "affected",
"version": "97d27b0dd015e980ade63fda111fd1353276e28b",
"versionType": "git"
},
{
"lessThan": "db6ac8703ab2b473e1ec845f57f6dd961a388d9f",
"status": "affected",
"version": "97d27b0dd015e980ade63fda111fd1353276e28b",
"versionType": "git"
},
{
"lessThan": "109afbd88ecc46b6cc7551367222387e97999765",
"status": "affected",
"version": "97d27b0dd015e980ade63fda111fd1353276e28b",
"versionType": "git"
},
{
"lessThan": "3dfd520c3b4ffe69e0630c580717d40447ab842f",
"status": "affected",
"version": "97d27b0dd015e980ade63fda111fd1353276e28b",
"versionType": "git"
},
{
"lessThan": "b343cee5df7e750d9033fba33e96fc4399fa88a5",
"status": "affected",
"version": "97d27b0dd015e980ade63fda111fd1353276e28b",
"versionType": "git"
},
{
"lessThan": "b2c0340cfa25c5c1f65e8590cc1a2dc97d14ef0f",
"status": "affected",
"version": "97d27b0dd015e980ade63fda111fd1353276e28b",
"versionType": "git"
},
{
"lessThan": "6983d8375c040bb449d2187f4a57a20de01244fe",
"status": "affected",
"version": "97d27b0dd015e980ade63fda111fd1353276e28b",
"versionType": "git"
},
{
"lessThan": "90449f2d1e1f020835cba5417234636937dd657e",
"status": "affected",
"version": "97d27b0dd015e980ade63fda111fd1353276e28b",
"versionType": "git"
},
{
"status": "affected",
"version": "8d1f3b474a89b42f957ba3bae959dd3cd16531ca",
"versionType": "git"
},
{
"status": "affected",
"version": "fa55ef3f803fc7c20be0ab809e6278c31febd875",
"versionType": "git"
},
{
"status": "affected",
"version": "6af37613289cfd32516ada47e444b48a638829c8",
"versionType": "git"
},
{
"status": "affected",
"version": "4a8e8e0af9a520a685e0ab2d489327d5220d7ce2",
"versionType": "git"
},
{
"status": "affected",
"version": "ae9b6ae2e77947534e255903627cc62746ea77e2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/sg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.16.85",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.18.101",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.1.52",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.123",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.89",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: sg: Do not sleep in atomic context\n\nsg_finish_rem_req() calls blk_rq_unmap_user(). The latter function may\nsleep. Hence, call sg_finish_rem_req() with interrupts enabled instead\nof disabled."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T21:38:58.302Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/11eeee00c94d770d4e45364060b5f1526dfe567b"
},
{
"url": "https://git.kernel.org/stable/c/db6ac8703ab2b473e1ec845f57f6dd961a388d9f"
},
{
"url": "https://git.kernel.org/stable/c/109afbd88ecc46b6cc7551367222387e97999765"
},
{
"url": "https://git.kernel.org/stable/c/3dfd520c3b4ffe69e0630c580717d40447ab842f"
},
{
"url": "https://git.kernel.org/stable/c/b343cee5df7e750d9033fba33e96fc4399fa88a5"
},
{
"url": "https://git.kernel.org/stable/c/b2c0340cfa25c5c1f65e8590cc1a2dc97d14ef0f"
},
{
"url": "https://git.kernel.org/stable/c/6983d8375c040bb449d2187f4a57a20de01244fe"
},
{
"url": "https://git.kernel.org/stable/c/90449f2d1e1f020835cba5417234636937dd657e"
}
],
"title": "scsi: sg: Do not sleep in atomic context",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40259",
"datePublished": "2025-12-04T16:08:19.904Z",
"dateReserved": "2025-04-16T07:20:57.182Z",
"dateUpdated": "2025-12-06T21:38:58.302Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40171 (GCVE-0-2025-40171)
Vulnerability from cvelistv5
Published
2025-11-12 10:46
Modified
2025-12-01 06:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvmet-fc: move lsop put work to nvmet_fc_ls_req_op
It’s possible for more than one async command to be in flight from
__nvmet_fc_send_ls_req. For each command, a tgtport reference is taken.
In the current code, only one put work item is queued at a time, which
results in a leaked reference.
To fix this, move the work item to the nvmet_fc_ls_req_op struct, which
already tracks all resources related to the command.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 5e0bc09a52b6169ce90f7ac6e195791adb16cec4 Version: 9e6987f8937a7bd7516aa52f25cb7e12c0c92ee8 Version: eaf0971fdabf2a93c1429dc6bedf3bbe85dffa30 Version: 710c69dbaccdac312e32931abcb8499c1525d397 Version: 710c69dbaccdac312e32931abcb8499c1525d397 Version: 710c69dbaccdac312e32931abcb8499c1525d397 Version: 1d86f79287206deec36d63b89c741cf542b6cadd |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nvme/target/fc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "11269c08013f4ee8b8f5edc6c56700acb34092d0",
"status": "affected",
"version": "5e0bc09a52b6169ce90f7ac6e195791adb16cec4",
"versionType": "git"
},
{
"lessThan": "a28112cc55013cd8cbd5d36b5115a5b851151bd9",
"status": "affected",
"version": "9e6987f8937a7bd7516aa52f25cb7e12c0c92ee8",
"versionType": "git"
},
{
"lessThan": "060ecc81240ef9d60d9485a3a5eb55a0d6e7a25c",
"status": "affected",
"version": "eaf0971fdabf2a93c1429dc6bedf3bbe85dffa30",
"versionType": "git"
},
{
"lessThan": "7331925c247b03b7767b8cd93cfe1b7aa2377850",
"status": "affected",
"version": "710c69dbaccdac312e32931abcb8499c1525d397",
"versionType": "git"
},
{
"lessThan": "7a619f8c869117ffed08365b377f66b7e1d941b4",
"status": "affected",
"version": "710c69dbaccdac312e32931abcb8499c1525d397",
"versionType": "git"
},
{
"lessThan": "db5a5406fb7e5337a074385c7a3e53c77f2c1bd3",
"status": "affected",
"version": "710c69dbaccdac312e32931abcb8499c1525d397",
"versionType": "git"
},
{
"status": "affected",
"version": "1d86f79287206deec36d63b89c741cf542b6cadd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nvme/target/fc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "5.15.150",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "6.1.80",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "6.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.7.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet-fc: move lsop put work to nvmet_fc_ls_req_op\n\nIt\u2019s possible for more than one async command to be in flight from\n__nvmet_fc_send_ls_req. For each command, a tgtport reference is taken.\n\nIn the current code, only one put work item is queued at a time, which\nresults in a leaked reference.\n\nTo fix this, move the work item to the nvmet_fc_ls_req_op struct, which\nalready tracks all resources related to the command."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:19:25.891Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/11269c08013f4ee8b8f5edc6c56700acb34092d0"
},
{
"url": "https://git.kernel.org/stable/c/a28112cc55013cd8cbd5d36b5115a5b851151bd9"
},
{
"url": "https://git.kernel.org/stable/c/060ecc81240ef9d60d9485a3a5eb55a0d6e7a25c"
},
{
"url": "https://git.kernel.org/stable/c/7331925c247b03b7767b8cd93cfe1b7aa2377850"
},
{
"url": "https://git.kernel.org/stable/c/7a619f8c869117ffed08365b377f66b7e1d941b4"
},
{
"url": "https://git.kernel.org/stable/c/db5a5406fb7e5337a074385c7a3e53c77f2c1bd3"
}
],
"title": "nvmet-fc: move lsop put work to nvmet_fc_ls_req_op",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40171",
"datePublished": "2025-11-12T10:46:52.289Z",
"dateReserved": "2025-04-16T07:20:57.176Z",
"dateUpdated": "2025-12-01T06:19:25.891Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71151 (GCVE-0-2025-71151)
Vulnerability from cvelistv5
Published
2026-01-23 14:15
Modified
2026-02-09 08:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
cifs: Fix memory and information leak in smb3_reconfigure()
In smb3_reconfigure(), if smb3_sync_session_ctx_passwords() fails, the
function returns immediately without freeing and erasing the newly
allocated new_password and new_password2. This causes both a memory leak
and a potential information leak.
Fix this by calling kfree_sensitive() on both password buffers before
returning in this error case.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/client/fs_context.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bc390b2737205163e48cc1655f6a0c8cd55b02fc",
"status": "affected",
"version": "880a661e67648a3ffe85405e8de5f50650a3c0b2",
"versionType": "git"
},
{
"lessThan": "5679cc90bb5415801fa29041da0319d9e15d295d",
"status": "affected",
"version": "0e4145774c016530bf99afb3675a1a0593c35642",
"versionType": "git"
},
{
"lessThan": "bb82aaee16907dc4d0b9b0ca7953ceb3edc328c6",
"status": "affected",
"version": "0f0e357902957fba28ed31bde0d6921c6bd1485d",
"versionType": "git"
},
{
"lessThan": "cb6d5aa9c0f10074f1ad056c3e2278ad2cc7ec8d",
"status": "affected",
"version": "0f0e357902957fba28ed31bde0d6921c6bd1485d",
"versionType": "git"
},
{
"status": "affected",
"version": "674ba43944dab8e8f87434e25d9d10c5152584bc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/client/fs_context.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.13"
},
{
"lessThan": "6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.6.64",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.12.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.11.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix memory and information leak in smb3_reconfigure()\n\nIn smb3_reconfigure(), if smb3_sync_session_ctx_passwords() fails, the\nfunction returns immediately without freeing and erasing the newly\nallocated new_password and new_password2. This causes both a memory leak\nand a potential information leak.\n\nFix this by calling kfree_sensitive() on both password buffers before\nreturning in this error case."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:48.376Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bc390b2737205163e48cc1655f6a0c8cd55b02fc"
},
{
"url": "https://git.kernel.org/stable/c/5679cc90bb5415801fa29041da0319d9e15d295d"
},
{
"url": "https://git.kernel.org/stable/c/bb82aaee16907dc4d0b9b0ca7953ceb3edc328c6"
},
{
"url": "https://git.kernel.org/stable/c/cb6d5aa9c0f10074f1ad056c3e2278ad2cc7ec8d"
}
],
"title": "cifs: Fix memory and information leak in smb3_reconfigure()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71151",
"datePublished": "2026-01-23T14:15:17.916Z",
"dateReserved": "2026-01-13T15:30:19.662Z",
"dateUpdated": "2026-02-09T08:35:48.376Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38022 (GCVE-0-2025-38022)
Vulnerability from cvelistv5
Published
2025-06-18 09:28
Modified
2026-01-19 12:17
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/core: Fix "KASAN: slab-use-after-free Read in ib_register_device" problem
Call Trace:
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:408 [inline]
print_report+0xc3/0x670 mm/kasan/report.c:521
kasan_report+0xe0/0x110 mm/kasan/report.c:634
strlen+0x93/0xa0 lib/string.c:420
__fortify_strlen include/linux/fortify-string.h:268 [inline]
get_kobj_path_length lib/kobject.c:118 [inline]
kobject_get_path+0x3f/0x2a0 lib/kobject.c:158
kobject_uevent_env+0x289/0x1870 lib/kobject_uevent.c:545
ib_register_device drivers/infiniband/core/device.c:1472 [inline]
ib_register_device+0x8cf/0xe00 drivers/infiniband/core/device.c:1393
rxe_register_device+0x275/0x320 drivers/infiniband/sw/rxe/rxe_verbs.c:1552
rxe_net_add+0x8e/0xe0 drivers/infiniband/sw/rxe/rxe_net.c:550
rxe_newlink+0x70/0x190 drivers/infiniband/sw/rxe/rxe.c:225
nldev_newlink+0x3a3/0x680 drivers/infiniband/core/nldev.c:1796
rdma_nl_rcv_msg+0x387/0x6e0 drivers/infiniband/core/netlink.c:195
rdma_nl_rcv_skb.constprop.0.isra.0+0x2e5/0x450
netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]
netlink_unicast+0x53a/0x7f0 net/netlink/af_netlink.c:1339
netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1883
sock_sendmsg_nosec net/socket.c:712 [inline]
__sock_sendmsg net/socket.c:727 [inline]
____sys_sendmsg+0xa95/0xc70 net/socket.c:2566
___sys_sendmsg+0x134/0x1d0 net/socket.c:2620
__sys_sendmsg+0x16d/0x220 net/socket.c:2652
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
This problem is similar to the problem that the
commit 1d6a9e7449e2 ("RDMA/core: Fix use-after-free when rename device name")
fixes.
The root cause is: the function ib_device_rename() renames the name with
lock. But in the function kobject_uevent(), this name is accessed without
lock protection at the same time.
The solution is to add the lock protection when this name is accessed in
the function kobject_uevent().
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 53e9a5a692f839780084ad81dbd461ec917f74f7 Version: 779e0bf47632c609c59f527f9711ecd3214dccb0 Version: 779e0bf47632c609c59f527f9711ecd3214dccb0 Version: 779e0bf47632c609c59f527f9711ecd3214dccb0 Version: 779e0bf47632c609c59f527f9711ecd3214dccb0 Version: 779e0bf47632c609c59f527f9711ecd3214dccb0 Version: 779e0bf47632c609c59f527f9711ecd3214dccb0 Version: 9b54e31fd08f8d8db507d021c88e760d5f8e4640 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ba467b6870ea2a73590478d9612d6ea1dcdd68b7",
"status": "affected",
"version": "53e9a5a692f839780084ad81dbd461ec917f74f7",
"versionType": "git"
},
{
"lessThan": "5629064f92f0de6d6b3572055cd35361c3ad953c",
"status": "affected",
"version": "779e0bf47632c609c59f527f9711ecd3214dccb0",
"versionType": "git"
},
{
"lessThan": "312dae3499106ec8cb7442ada12be080aa9fbc3b",
"status": "affected",
"version": "779e0bf47632c609c59f527f9711ecd3214dccb0",
"versionType": "git"
},
{
"lessThan": "17d3103325e891e10994e7aa28d12bea04dc2c60",
"status": "affected",
"version": "779e0bf47632c609c59f527f9711ecd3214dccb0",
"versionType": "git"
},
{
"lessThan": "10c7f1c647da3b77ef8827d974a97b6530b64df0",
"status": "affected",
"version": "779e0bf47632c609c59f527f9711ecd3214dccb0",
"versionType": "git"
},
{
"lessThan": "03df57ad4b0ff9c5a93ff981aba0b42578ad1571",
"status": "affected",
"version": "779e0bf47632c609c59f527f9711ecd3214dccb0",
"versionType": "git"
},
{
"lessThan": "d0706bfd3ee40923c001c6827b786a309e2a8713",
"status": "affected",
"version": "779e0bf47632c609c59f527f9711ecd3214dccb0",
"versionType": "git"
},
{
"status": "affected",
"version": "9b54e31fd08f8d8db507d021c88e760d5f8e4640",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.10.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.30",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.8",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.86",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/core: Fix \"KASAN: slab-use-after-free Read in ib_register_device\" problem\n\nCall Trace:\n\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:408 [inline]\n print_report+0xc3/0x670 mm/kasan/report.c:521\n kasan_report+0xe0/0x110 mm/kasan/report.c:634\n strlen+0x93/0xa0 lib/string.c:420\n __fortify_strlen include/linux/fortify-string.h:268 [inline]\n get_kobj_path_length lib/kobject.c:118 [inline]\n kobject_get_path+0x3f/0x2a0 lib/kobject.c:158\n kobject_uevent_env+0x289/0x1870 lib/kobject_uevent.c:545\n ib_register_device drivers/infiniband/core/device.c:1472 [inline]\n ib_register_device+0x8cf/0xe00 drivers/infiniband/core/device.c:1393\n rxe_register_device+0x275/0x320 drivers/infiniband/sw/rxe/rxe_verbs.c:1552\n rxe_net_add+0x8e/0xe0 drivers/infiniband/sw/rxe/rxe_net.c:550\n rxe_newlink+0x70/0x190 drivers/infiniband/sw/rxe/rxe.c:225\n nldev_newlink+0x3a3/0x680 drivers/infiniband/core/nldev.c:1796\n rdma_nl_rcv_msg+0x387/0x6e0 drivers/infiniband/core/netlink.c:195\n rdma_nl_rcv_skb.constprop.0.isra.0+0x2e5/0x450\n netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]\n netlink_unicast+0x53a/0x7f0 net/netlink/af_netlink.c:1339\n netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1883\n sock_sendmsg_nosec net/socket.c:712 [inline]\n __sock_sendmsg net/socket.c:727 [inline]\n ____sys_sendmsg+0xa95/0xc70 net/socket.c:2566\n ___sys_sendmsg+0x134/0x1d0 net/socket.c:2620\n __sys_sendmsg+0x16d/0x220 net/socket.c:2652\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nThis problem is similar to the problem that the\ncommit 1d6a9e7449e2 (\"RDMA/core: Fix use-after-free when rename device name\")\nfixes.\n\nThe root cause is: the function ib_device_rename() renames the name with\nlock. But in the function kobject_uevent(), this name is accessed without\nlock protection at the same time.\n\nThe solution is to add the lock protection when this name is accessed in\nthe function kobject_uevent()."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:17:58.186Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ba467b6870ea2a73590478d9612d6ea1dcdd68b7"
},
{
"url": "https://git.kernel.org/stable/c/5629064f92f0de6d6b3572055cd35361c3ad953c"
},
{
"url": "https://git.kernel.org/stable/c/312dae3499106ec8cb7442ada12be080aa9fbc3b"
},
{
"url": "https://git.kernel.org/stable/c/17d3103325e891e10994e7aa28d12bea04dc2c60"
},
{
"url": "https://git.kernel.org/stable/c/10c7f1c647da3b77ef8827d974a97b6530b64df0"
},
{
"url": "https://git.kernel.org/stable/c/03df57ad4b0ff9c5a93ff981aba0b42578ad1571"
},
{
"url": "https://git.kernel.org/stable/c/d0706bfd3ee40923c001c6827b786a309e2a8713"
}
],
"title": "RDMA/core: Fix \"KASAN: slab-use-after-free Read in ib_register_device\" problem",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38022",
"datePublished": "2025-06-18T09:28:29.218Z",
"dateReserved": "2025-04-16T04:51:23.977Z",
"dateUpdated": "2026-01-19T12:17:58.186Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39873 (GCVE-0-2025-39873)
Vulnerability from cvelistv5
Published
2025-09-23 06:00
Modified
2025-11-03 17:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: xilinx_can: xcan_write_frame(): fix use-after-free of transmitted SKB
can_put_echo_skb() takes ownership of the SKB and it may be freed
during or after the call.
However, xilinx_can xcan_write_frame() keeps using SKB after the call.
Fix that by only calling can_put_echo_skb() after the code is done
touching the SKB.
The tx_lock is held for the entire xcan_write_frame() execution and
also on the can_get_echo_skb() side so the order of operations does not
matter.
An earlier fix commit 3d3c817c3a40 ("can: xilinx_can: Fix usage of skb
memory") did not move the can_put_echo_skb() call far enough.
[mkl: add "commit" in front of sha1 in patch description]
[mkl: fix indention]
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1598efe57b3e768056e4ca56cb9cf33111e68d1c Version: 1598efe57b3e768056e4ca56cb9cf33111e68d1c Version: 1598efe57b3e768056e4ca56cb9cf33111e68d1c Version: 1598efe57b3e768056e4ca56cb9cf33111e68d1c Version: 1598efe57b3e768056e4ca56cb9cf33111e68d1c Version: 1598efe57b3e768056e4ca56cb9cf33111e68d1c |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:20.103Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/can/xilinx_can.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e202ffd9e54538ef67ec301ebd6d9da4823466c9",
"status": "affected",
"version": "1598efe57b3e768056e4ca56cb9cf33111e68d1c",
"versionType": "git"
},
{
"lessThan": "1139321161a3ba5e45e61e0738b37f42f20bc57a",
"status": "affected",
"version": "1598efe57b3e768056e4ca56cb9cf33111e68d1c",
"versionType": "git"
},
{
"lessThan": "94b050726288a56a6b8ff55aa641f2fedbd3b44c",
"status": "affected",
"version": "1598efe57b3e768056e4ca56cb9cf33111e68d1c",
"versionType": "git"
},
{
"lessThan": "725b33deebd6e4c96fe7893f384510a54258f28f",
"status": "affected",
"version": "1598efe57b3e768056e4ca56cb9cf33111e68d1c",
"versionType": "git"
},
{
"lessThan": "668cc1e3bb21101d074e430de1b7ba8fd10189e7",
"status": "affected",
"version": "1598efe57b3e768056e4ca56cb9cf33111e68d1c",
"versionType": "git"
},
{
"lessThan": "ef79f00be72bd81d2e1e6f060d83cf7e425deee4",
"status": "affected",
"version": "1598efe57b3e768056e4ca56cb9cf33111e68d1c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/can/xilinx_can.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.153",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.107",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.48",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: xilinx_can: xcan_write_frame(): fix use-after-free of transmitted SKB\n\ncan_put_echo_skb() takes ownership of the SKB and it may be freed\nduring or after the call.\n\nHowever, xilinx_can xcan_write_frame() keeps using SKB after the call.\n\nFix that by only calling can_put_echo_skb() after the code is done\ntouching the SKB.\n\nThe tx_lock is held for the entire xcan_write_frame() execution and\nalso on the can_get_echo_skb() side so the order of operations does not\nmatter.\n\nAn earlier fix commit 3d3c817c3a40 (\"can: xilinx_can: Fix usage of skb\nmemory\") did not move the can_put_echo_skb() call far enough.\n\n[mkl: add \"commit\" in front of sha1 in patch description]\n[mkl: fix indention]"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T13:26:10.369Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e202ffd9e54538ef67ec301ebd6d9da4823466c9"
},
{
"url": "https://git.kernel.org/stable/c/1139321161a3ba5e45e61e0738b37f42f20bc57a"
},
{
"url": "https://git.kernel.org/stable/c/94b050726288a56a6b8ff55aa641f2fedbd3b44c"
},
{
"url": "https://git.kernel.org/stable/c/725b33deebd6e4c96fe7893f384510a54258f28f"
},
{
"url": "https://git.kernel.org/stable/c/668cc1e3bb21101d074e430de1b7ba8fd10189e7"
},
{
"url": "https://git.kernel.org/stable/c/ef79f00be72bd81d2e1e6f060d83cf7e425deee4"
}
],
"title": "can: xilinx_can: xcan_write_frame(): fix use-after-free of transmitted SKB",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39873",
"datePublished": "2025-09-23T06:00:46.157Z",
"dateReserved": "2025-04-16T07:20:57.144Z",
"dateUpdated": "2025-11-03T17:44:20.103Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-56581 (GCVE-0-2024-56581)
Vulnerability from cvelistv5
Published
2024-12-27 14:23
Modified
2025-11-03 20:49
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: ref-verify: fix use-after-free after invalid ref action
At btrfs_ref_tree_mod() after we successfully inserted the new ref entry
(local variable 'ref') into the respective block entry's rbtree (local
variable 'be'), if we find an unexpected action of BTRFS_DROP_DELAYED_REF,
we error out and free the ref entry without removing it from the block
entry's rbtree. Then in the error path of btrfs_ref_tree_mod() we call
btrfs_free_ref_cache(), which iterates over all block entries and then
calls free_block_entry() for each one, and there we will trigger a
use-after-free when we are called against the block entry to which we
added the freed ref entry to its rbtree, since the rbtree still points
to the block entry, as we didn't remove it from the rbtree before freeing
it in the error path at btrfs_ref_tree_mod(). Fix this by removing the
new ref entry from the rbtree before freeing it.
Syzbot report this with the following stack traces:
BTRFS error (device loop0 state EA): Ref action 2, root 5, ref_root 0, parent 8564736, owner 0, offset 0, num_refs 18446744073709551615
__btrfs_mod_ref+0x7dd/0xac0 fs/btrfs/extent-tree.c:2523
update_ref_for_cow+0x9cd/0x11f0 fs/btrfs/ctree.c:512
btrfs_force_cow_block+0x9f6/0x1da0 fs/btrfs/ctree.c:594
btrfs_cow_block+0x35e/0xa40 fs/btrfs/ctree.c:754
btrfs_search_slot+0xbdd/0x30d0 fs/btrfs/ctree.c:2116
btrfs_insert_empty_items+0x9c/0x1a0 fs/btrfs/ctree.c:4314
btrfs_insert_empty_item fs/btrfs/ctree.h:669 [inline]
btrfs_insert_orphan_item+0x1f1/0x320 fs/btrfs/orphan.c:23
btrfs_orphan_add+0x6d/0x1a0 fs/btrfs/inode.c:3482
btrfs_unlink+0x267/0x350 fs/btrfs/inode.c:4293
vfs_unlink+0x365/0x650 fs/namei.c:4469
do_unlinkat+0x4ae/0x830 fs/namei.c:4533
__do_sys_unlinkat fs/namei.c:4576 [inline]
__se_sys_unlinkat fs/namei.c:4569 [inline]
__x64_sys_unlinkat+0xcc/0xf0 fs/namei.c:4569
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
BTRFS error (device loop0 state EA): Ref action 1, root 5, ref_root 5, parent 0, owner 260, offset 0, num_refs 1
__btrfs_mod_ref+0x76b/0xac0 fs/btrfs/extent-tree.c:2521
update_ref_for_cow+0x96a/0x11f0
btrfs_force_cow_block+0x9f6/0x1da0 fs/btrfs/ctree.c:594
btrfs_cow_block+0x35e/0xa40 fs/btrfs/ctree.c:754
btrfs_search_slot+0xbdd/0x30d0 fs/btrfs/ctree.c:2116
btrfs_lookup_inode+0xdc/0x480 fs/btrfs/inode-item.c:411
__btrfs_update_delayed_inode+0x1e7/0xb90 fs/btrfs/delayed-inode.c:1030
btrfs_update_delayed_inode fs/btrfs/delayed-inode.c:1114 [inline]
__btrfs_commit_inode_delayed_items+0x2318/0x24a0 fs/btrfs/delayed-inode.c:1137
__btrfs_run_delayed_items+0x213/0x490 fs/btrfs/delayed-inode.c:1171
btrfs_commit_transaction+0x8a8/0x3740 fs/btrfs/transaction.c:2313
prepare_to_relocate+0x3c4/0x4c0 fs/btrfs/relocation.c:3586
relocate_block_group+0x16c/0xd40 fs/btrfs/relocation.c:3611
btrfs_relocate_block_group+0x77d/0xd90 fs/btrfs/relocation.c:4081
btrfs_relocate_chunk+0x12c/0x3b0 fs/btrfs/volumes.c:3377
__btrfs_balance+0x1b0f/0x26b0 fs/btrfs/volumes.c:4161
btrfs_balance+0xbdc/0x10c0 fs/btrfs/volumes.c:4538
BTRFS error (device loop0 state EA): Ref action 2, root 5, ref_root 0, parent 8564736, owner 0, offset 0, num_refs 18446744073709551615
__btrfs_mod_ref+0x7dd/0xac0 fs/btrfs/extent-tree.c:2523
update_ref_for_cow+0x9cd/0x11f0 fs/btrfs/ctree.c:512
btrfs_force_cow_block+0x9f6/0x1da0 fs/btrfs/ctree.c:594
btrfs_cow_block+0x35e/0xa40 fs/btrfs/ctree.c:754
btrfs_search_slot+0xbdd/0x30d0 fs/btrfs/ctree.c:2116
btrfs_lookup_inode+0xdc/0x480 fs/btrfs/inode-item.c:411
__btrfs_update_delayed_inode+0x1e7/0xb90 fs/btrfs/delayed-inode.c:1030
btrfs_update_delayed_i
---truncated---
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: fd708b81d972a0714b02a60eb4792fdbf15868c4 Version: fd708b81d972a0714b02a60eb4792fdbf15868c4 Version: fd708b81d972a0714b02a60eb4792fdbf15868c4 Version: fd708b81d972a0714b02a60eb4792fdbf15868c4 Version: fd708b81d972a0714b02a60eb4792fdbf15868c4 Version: fd708b81d972a0714b02a60eb4792fdbf15868c4 Version: fd708b81d972a0714b02a60eb4792fdbf15868c4 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-56581",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-11T15:42:39.280771Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-11T15:45:24.590Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:49:58.257Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/ref-verify.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dfb9fe7de61f34cc241ab3900bdde93341096e0e",
"status": "affected",
"version": "fd708b81d972a0714b02a60eb4792fdbf15868c4",
"versionType": "git"
},
{
"lessThan": "6fd018aa168e472ce35be32296d109db6adb87ea",
"status": "affected",
"version": "fd708b81d972a0714b02a60eb4792fdbf15868c4",
"versionType": "git"
},
{
"lessThan": "d2b85ce0561fde894e28fa01bd5d32820d585006",
"status": "affected",
"version": "fd708b81d972a0714b02a60eb4792fdbf15868c4",
"versionType": "git"
},
{
"lessThan": "6370db28af9a8ae3bbdfe97f8a48f8f995e144cf",
"status": "affected",
"version": "fd708b81d972a0714b02a60eb4792fdbf15868c4",
"versionType": "git"
},
{
"lessThan": "4275ac2741941c9c7c2293619fdbacb9f70ba85b",
"status": "affected",
"version": "fd708b81d972a0714b02a60eb4792fdbf15868c4",
"versionType": "git"
},
{
"lessThan": "a6f9e7a0bf1185c9070c0de03bb85eafb9abd650",
"status": "affected",
"version": "fd708b81d972a0714b02a60eb4792fdbf15868c4",
"versionType": "git"
},
{
"lessThan": "7c4e39f9d2af4abaf82ca0e315d1fd340456620f",
"status": "affected",
"version": "fd708b81d972a0714b02a60eb4792fdbf15868c4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/ref-verify.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.287",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.231",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.174",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.287",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.231",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.174",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.120",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.64",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.4",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: ref-verify: fix use-after-free after invalid ref action\n\nAt btrfs_ref_tree_mod() after we successfully inserted the new ref entry\n(local variable \u0027ref\u0027) into the respective block entry\u0027s rbtree (local\nvariable \u0027be\u0027), if we find an unexpected action of BTRFS_DROP_DELAYED_REF,\nwe error out and free the ref entry without removing it from the block\nentry\u0027s rbtree. Then in the error path of btrfs_ref_tree_mod() we call\nbtrfs_free_ref_cache(), which iterates over all block entries and then\ncalls free_block_entry() for each one, and there we will trigger a\nuse-after-free when we are called against the block entry to which we\nadded the freed ref entry to its rbtree, since the rbtree still points\nto the block entry, as we didn\u0027t remove it from the rbtree before freeing\nit in the error path at btrfs_ref_tree_mod(). Fix this by removing the\nnew ref entry from the rbtree before freeing it.\n\nSyzbot report this with the following stack traces:\n\n BTRFS error (device loop0 state EA): Ref action 2, root 5, ref_root 0, parent 8564736, owner 0, offset 0, num_refs 18446744073709551615\n __btrfs_mod_ref+0x7dd/0xac0 fs/btrfs/extent-tree.c:2523\n update_ref_for_cow+0x9cd/0x11f0 fs/btrfs/ctree.c:512\n btrfs_force_cow_block+0x9f6/0x1da0 fs/btrfs/ctree.c:594\n btrfs_cow_block+0x35e/0xa40 fs/btrfs/ctree.c:754\n btrfs_search_slot+0xbdd/0x30d0 fs/btrfs/ctree.c:2116\n btrfs_insert_empty_items+0x9c/0x1a0 fs/btrfs/ctree.c:4314\n btrfs_insert_empty_item fs/btrfs/ctree.h:669 [inline]\n btrfs_insert_orphan_item+0x1f1/0x320 fs/btrfs/orphan.c:23\n btrfs_orphan_add+0x6d/0x1a0 fs/btrfs/inode.c:3482\n btrfs_unlink+0x267/0x350 fs/btrfs/inode.c:4293\n vfs_unlink+0x365/0x650 fs/namei.c:4469\n do_unlinkat+0x4ae/0x830 fs/namei.c:4533\n __do_sys_unlinkat fs/namei.c:4576 [inline]\n __se_sys_unlinkat fs/namei.c:4569 [inline]\n __x64_sys_unlinkat+0xcc/0xf0 fs/namei.c:4569\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n BTRFS error (device loop0 state EA): Ref action 1, root 5, ref_root 5, parent 0, owner 260, offset 0, num_refs 1\n __btrfs_mod_ref+0x76b/0xac0 fs/btrfs/extent-tree.c:2521\n update_ref_for_cow+0x96a/0x11f0\n btrfs_force_cow_block+0x9f6/0x1da0 fs/btrfs/ctree.c:594\n btrfs_cow_block+0x35e/0xa40 fs/btrfs/ctree.c:754\n btrfs_search_slot+0xbdd/0x30d0 fs/btrfs/ctree.c:2116\n btrfs_lookup_inode+0xdc/0x480 fs/btrfs/inode-item.c:411\n __btrfs_update_delayed_inode+0x1e7/0xb90 fs/btrfs/delayed-inode.c:1030\n btrfs_update_delayed_inode fs/btrfs/delayed-inode.c:1114 [inline]\n __btrfs_commit_inode_delayed_items+0x2318/0x24a0 fs/btrfs/delayed-inode.c:1137\n __btrfs_run_delayed_items+0x213/0x490 fs/btrfs/delayed-inode.c:1171\n btrfs_commit_transaction+0x8a8/0x3740 fs/btrfs/transaction.c:2313\n prepare_to_relocate+0x3c4/0x4c0 fs/btrfs/relocation.c:3586\n relocate_block_group+0x16c/0xd40 fs/btrfs/relocation.c:3611\n btrfs_relocate_block_group+0x77d/0xd90 fs/btrfs/relocation.c:4081\n btrfs_relocate_chunk+0x12c/0x3b0 fs/btrfs/volumes.c:3377\n __btrfs_balance+0x1b0f/0x26b0 fs/btrfs/volumes.c:4161\n btrfs_balance+0xbdc/0x10c0 fs/btrfs/volumes.c:4538\n BTRFS error (device loop0 state EA): Ref action 2, root 5, ref_root 0, parent 8564736, owner 0, offset 0, num_refs 18446744073709551615\n __btrfs_mod_ref+0x7dd/0xac0 fs/btrfs/extent-tree.c:2523\n update_ref_for_cow+0x9cd/0x11f0 fs/btrfs/ctree.c:512\n btrfs_force_cow_block+0x9f6/0x1da0 fs/btrfs/ctree.c:594\n btrfs_cow_block+0x35e/0xa40 fs/btrfs/ctree.c:754\n btrfs_search_slot+0xbdd/0x30d0 fs/btrfs/ctree.c:2116\n btrfs_lookup_inode+0xdc/0x480 fs/btrfs/inode-item.c:411\n __btrfs_update_delayed_inode+0x1e7/0xb90 fs/btrfs/delayed-inode.c:1030\n btrfs_update_delayed_i\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:58:58.116Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dfb9fe7de61f34cc241ab3900bdde93341096e0e"
},
{
"url": "https://git.kernel.org/stable/c/6fd018aa168e472ce35be32296d109db6adb87ea"
},
{
"url": "https://git.kernel.org/stable/c/d2b85ce0561fde894e28fa01bd5d32820d585006"
},
{
"url": "https://git.kernel.org/stable/c/6370db28af9a8ae3bbdfe97f8a48f8f995e144cf"
},
{
"url": "https://git.kernel.org/stable/c/4275ac2741941c9c7c2293619fdbacb9f70ba85b"
},
{
"url": "https://git.kernel.org/stable/c/a6f9e7a0bf1185c9070c0de03bb85eafb9abd650"
},
{
"url": "https://git.kernel.org/stable/c/7c4e39f9d2af4abaf82ca0e315d1fd340456620f"
}
],
"title": "btrfs: ref-verify: fix use-after-free after invalid ref action",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-56581",
"datePublished": "2024-12-27T14:23:23.193Z",
"dateReserved": "2024-12-27T14:03:06.000Z",
"dateUpdated": "2025-11-03T20:49:58.257Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68783 (GCVE-0-2025-68783)
Vulnerability from cvelistv5
Published
2026-01-13 15:28
Modified
2026-02-09 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: usb-mixer: us16x08: validate meter packet indices
get_meter_levels_from_urb() parses the 64-byte meter packets sent by
the device and fills the per-channel arrays meter_level[],
comp_level[] and master_level[] in struct snd_us16x08_meter_store.
Currently the function derives the channel index directly from the
meter packet (MUB2(meter_urb, s) - 1) and uses it to index those
arrays without validating the range. If the packet contains a
negative or out-of-range channel number, the driver may write past
the end of these arrays.
Introduce a local channel variable and validate it before updating the
arrays. We reject negative indices, limit meter_level[] and
comp_level[] to SND_US16X08_MAX_CHANNELS, and guard master_level[]
updates with ARRAY_SIZE(master_level).
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: d2bb390a2081a36ffe906724d2848d846f2aeb29 Version: d2bb390a2081a36ffe906724d2848d846f2aeb29 Version: d2bb390a2081a36ffe906724d2848d846f2aeb29 Version: d2bb390a2081a36ffe906724d2848d846f2aeb29 Version: d2bb390a2081a36ffe906724d2848d846f2aeb29 Version: d2bb390a2081a36ffe906724d2848d846f2aeb29 Version: d2bb390a2081a36ffe906724d2848d846f2aeb29 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/usb/mixer_us16x08.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "53461710a95e15ac1f6542450943a492ecf8e550",
"status": "affected",
"version": "d2bb390a2081a36ffe906724d2848d846f2aeb29",
"versionType": "git"
},
{
"lessThan": "2168866396bd28ec4f3c8da0fbc7d08b5bd4f053",
"status": "affected",
"version": "d2bb390a2081a36ffe906724d2848d846f2aeb29",
"versionType": "git"
},
{
"lessThan": "cde47f4ccad6751ac36b7471572ddf38ee91870c",
"status": "affected",
"version": "d2bb390a2081a36ffe906724d2848d846f2aeb29",
"versionType": "git"
},
{
"lessThan": "2f21a7cbaaa93926f5be15bc095b9c57c35748d9",
"status": "affected",
"version": "d2bb390a2081a36ffe906724d2848d846f2aeb29",
"versionType": "git"
},
{
"lessThan": "a8ad320efb663be30b794e3dd3e829301c0d0ed3",
"status": "affected",
"version": "d2bb390a2081a36ffe906724d2848d846f2aeb29",
"versionType": "git"
},
{
"lessThan": "eaa95228b8a56c4880a182c0350d67922b22408f",
"status": "affected",
"version": "d2bb390a2081a36ffe906724d2848d846f2aeb29",
"versionType": "git"
},
{
"lessThan": "5526c1c6ba1d0913c7dfcbbd6fe1744ea7c55f1e",
"status": "affected",
"version": "d2bb390a2081a36ffe906724d2848d846f2aeb29",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/usb/mixer_us16x08.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.11"
},
{
"lessThan": "4.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-mixer: us16x08: validate meter packet indices\n\nget_meter_levels_from_urb() parses the 64-byte meter packets sent by\nthe device and fills the per-channel arrays meter_level[],\ncomp_level[] and master_level[] in struct snd_us16x08_meter_store.\n\nCurrently the function derives the channel index directly from the\nmeter packet (MUB2(meter_urb, s) - 1) and uses it to index those\narrays without validating the range. If the packet contains a\nnegative or out-of-range channel number, the driver may write past\nthe end of these arrays.\n\nIntroduce a local channel variable and validate it before updating the\narrays. We reject negative indices, limit meter_level[] and\ncomp_level[] to SND_US16X08_MAX_CHANNELS, and guard master_level[]\nupdates with ARRAY_SIZE(master_level)."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:29.694Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/53461710a95e15ac1f6542450943a492ecf8e550"
},
{
"url": "https://git.kernel.org/stable/c/2168866396bd28ec4f3c8da0fbc7d08b5bd4f053"
},
{
"url": "https://git.kernel.org/stable/c/cde47f4ccad6751ac36b7471572ddf38ee91870c"
},
{
"url": "https://git.kernel.org/stable/c/2f21a7cbaaa93926f5be15bc095b9c57c35748d9"
},
{
"url": "https://git.kernel.org/stable/c/a8ad320efb663be30b794e3dd3e829301c0d0ed3"
},
{
"url": "https://git.kernel.org/stable/c/eaa95228b8a56c4880a182c0350d67922b22408f"
},
{
"url": "https://git.kernel.org/stable/c/5526c1c6ba1d0913c7dfcbbd6fe1744ea7c55f1e"
}
],
"title": "ALSA: usb-mixer: us16x08: validate meter packet indices",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68783",
"datePublished": "2026-01-13T15:28:57.609Z",
"dateReserved": "2025-12-24T10:30:51.036Z",
"dateUpdated": "2026-02-09T08:33:29.694Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40269 (GCVE-0-2025-40269)
Vulnerability from cvelistv5
Published
2025-12-06 21:50
Modified
2026-01-02 15:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: usb-audio: Fix potential overflow of PCM transfer buffer
The PCM stream data in USB-audio driver is transferred over USB URB
packet buffers, and each packet size is determined dynamically. The
packet sizes are limited by some factors such as wMaxPacketSize USB
descriptor. OTOH, in the current code, the actually used packet sizes
are determined only by the rate and the PPS, which may be bigger than
the size limit above. This results in a buffer overflow, as reported
by syzbot.
Basically when the limit is smaller than the calculated packet size,
it implies that something is wrong, most likely a weird USB
descriptor. So the best option would be just to return an error at
the parameter setup time before doing any further operations.
This patch introduces such a sanity check, and returns -EINVAL when
the packet size is greater than maxpacksize. The comparison with
ep->packsize[1] alone should suffice since it's always equal or
greater than ep->packsize[0].
References
| URL | Tags | ||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 02c56650f3c118d3752122996d96173d26bb13aa Version: 5ef30e443e6d3654cccecec99cf481a69a0a6d3b Version: 99703c921864a318e3e8aae74fde071b1ff35bea Version: 2d50acd7dbd0682a56968ad9551341d7fc5b6eaf Version: aba41867dd66939d336fdf604e4d73b805d8039f Version: d288dc74f8cf95cb7ae0aaf245b7128627a49bf3 Version: f0bd62b64016508938df9babe47f65c2c727d25c Version: f0bd62b64016508938df9babe47f65c2c727d25c Version: f0bd62b64016508938df9babe47f65c2c727d25c Version: f0bd62b64016508938df9babe47f65c2c727d25c Version: f0bd62b64016508938df9babe47f65c2c727d25c Version: f0bd62b64016508938df9babe47f65c2c727d25c Version: f0bd62b64016508938df9babe47f65c2c727d25c |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/usb/endpoint.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "480a1490c595a242f27493a4544b3efb21b29f6a",
"status": "affected",
"version": "02c56650f3c118d3752122996d96173d26bb13aa",
"versionType": "git"
},
{
"lessThan": "ab0b5e92fc36ee82c1bd01fe896d0f775ed5de41",
"status": "affected",
"version": "5ef30e443e6d3654cccecec99cf481a69a0a6d3b",
"versionType": "git"
},
{
"lessThan": "282aba56713bbc58155716b55ca7222b2d9cf3c8",
"status": "affected",
"version": "99703c921864a318e3e8aae74fde071b1ff35bea",
"versionType": "git"
},
{
"lessThan": "c4dc012b027c9eb101583011089dea14d744e314",
"status": "affected",
"version": "2d50acd7dbd0682a56968ad9551341d7fc5b6eaf",
"versionType": "git"
},
{
"lessThan": "e0ed5a36fb3ab9e7b9ee45cd17f09f6d5f594360",
"status": "affected",
"version": "aba41867dd66939d336fdf604e4d73b805d8039f",
"versionType": "git"
},
{
"lessThan": "d67dde02049e632ba58d3c44a164a74b6a737154",
"status": "affected",
"version": "d288dc74f8cf95cb7ae0aaf245b7128627a49bf3",
"versionType": "git"
},
{
"lessThan": "6a5da3fa80affc948923f20a4e086177f505e86e",
"status": "affected",
"version": "f0bd62b64016508938df9babe47f65c2c727d25c",
"versionType": "git"
},
{
"lessThan": "217d47255a2ec8b246f2725f5db9ac3f1d4109d7",
"status": "affected",
"version": "f0bd62b64016508938df9babe47f65c2c727d25c",
"versionType": "git"
},
{
"lessThan": "ef592bf2232a2daa9fffa8881881fc9957ea56e9",
"status": "affected",
"version": "f0bd62b64016508938df9babe47f65c2c727d25c",
"versionType": "git"
},
{
"lessThan": "ece3b981bb6620e47fac826a2156c090b1a936a0",
"status": "affected",
"version": "f0bd62b64016508938df9babe47f65c2c727d25c",
"versionType": "git"
},
{
"lessThan": "98e9d5e33bda8db875cc1a4fe99c192658e45ab6",
"status": "affected",
"version": "f0bd62b64016508938df9babe47f65c2c727d25c",
"versionType": "git"
},
{
"lessThan": "d2c04f20ccc6c0d219e6d3038bab45bc66a178ad",
"status": "affected",
"version": "f0bd62b64016508938df9babe47f65c2c727d25c",
"versionType": "git"
},
{
"lessThan": "05a1fc5efdd8560f34a3af39c9cf1e1526cc3ddf",
"status": "affected",
"version": "f0bd62b64016508938df9babe47f65c2c727d25c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/usb/endpoint.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.4.*",
"status": "unaffected",
"version": "4.4.230",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.230",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.51",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.7.*",
"status": "unaffected",
"version": "5.7.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.4.230",
"versionStartIncluding": "4.4.229",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.230",
"versionStartIncluding": "4.9.229",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.188",
"versionStartIncluding": "4.14.186",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.132",
"versionStartIncluding": "4.19.130",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.51",
"versionStartIncluding": "5.4.49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.7.8",
"versionStartIncluding": "5.7.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Fix potential overflow of PCM transfer buffer\n\nThe PCM stream data in USB-audio driver is transferred over USB URB\npacket buffers, and each packet size is determined dynamically. The\npacket sizes are limited by some factors such as wMaxPacketSize USB\ndescriptor. OTOH, in the current code, the actually used packet sizes\nare determined only by the rate and the PPS, which may be bigger than\nthe size limit above. This results in a buffer overflow, as reported\nby syzbot.\n\nBasically when the limit is smaller than the calculated packet size,\nit implies that something is wrong, most likely a weird USB\ndescriptor. So the best option would be just to return an error at\nthe parameter setup time before doing any further operations.\n\nThis patch introduces such a sanity check, and returns -EINVAL when\nthe packet size is greater than maxpacksize. The comparison with\nep-\u003epacksize[1] alone should suffice since it\u0027s always equal or\ngreater than ep-\u003epacksize[0]."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:20.414Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/480a1490c595a242f27493a4544b3efb21b29f6a"
},
{
"url": "https://git.kernel.org/stable/c/ab0b5e92fc36ee82c1bd01fe896d0f775ed5de41"
},
{
"url": "https://git.kernel.org/stable/c/282aba56713bbc58155716b55ca7222b2d9cf3c8"
},
{
"url": "https://git.kernel.org/stable/c/c4dc012b027c9eb101583011089dea14d744e314"
},
{
"url": "https://git.kernel.org/stable/c/e0ed5a36fb3ab9e7b9ee45cd17f09f6d5f594360"
},
{
"url": "https://git.kernel.org/stable/c/d67dde02049e632ba58d3c44a164a74b6a737154"
},
{
"url": "https://git.kernel.org/stable/c/6a5da3fa80affc948923f20a4e086177f505e86e"
},
{
"url": "https://git.kernel.org/stable/c/217d47255a2ec8b246f2725f5db9ac3f1d4109d7"
},
{
"url": "https://git.kernel.org/stable/c/ef592bf2232a2daa9fffa8881881fc9957ea56e9"
},
{
"url": "https://git.kernel.org/stable/c/ece3b981bb6620e47fac826a2156c090b1a936a0"
},
{
"url": "https://git.kernel.org/stable/c/98e9d5e33bda8db875cc1a4fe99c192658e45ab6"
},
{
"url": "https://git.kernel.org/stable/c/d2c04f20ccc6c0d219e6d3038bab45bc66a178ad"
},
{
"url": "https://git.kernel.org/stable/c/05a1fc5efdd8560f34a3af39c9cf1e1526cc3ddf"
}
],
"title": "ALSA: usb-audio: Fix potential overflow of PCM transfer buffer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40269",
"datePublished": "2025-12-06T21:50:50.229Z",
"dateReserved": "2025-04-16T07:20:57.183Z",
"dateUpdated": "2026-01-02T15:33:20.414Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40220 (GCVE-0-2025-40220)
Vulnerability from cvelistv5
Published
2025-12-04 14:50
Modified
2025-12-04 14:50
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
fuse: fix livelock in synchronous file put from fuseblk workers
I observed a hang when running generic/323 against a fuseblk server.
This test opens a file, initiates a lot of AIO writes to that file
descriptor, and closes the file descriptor before the writes complete.
Unsurprisingly, the AIO exerciser threads are mostly stuck waiting for
responses from the fuseblk server:
# cat /proc/372265/task/372313/stack
[<0>] request_wait_answer+0x1fe/0x2a0 [fuse]
[<0>] __fuse_simple_request+0xd3/0x2b0 [fuse]
[<0>] fuse_do_getattr+0xfc/0x1f0 [fuse]
[<0>] fuse_file_read_iter+0xbe/0x1c0 [fuse]
[<0>] aio_read+0x130/0x1e0
[<0>] io_submit_one+0x542/0x860
[<0>] __x64_sys_io_submit+0x98/0x1a0
[<0>] do_syscall_64+0x37/0xf0
[<0>] entry_SYSCALL_64_after_hwframe+0x4b/0x53
But the /weird/ part is that the fuseblk server threads are waiting for
responses from itself:
# cat /proc/372210/task/372232/stack
[<0>] request_wait_answer+0x1fe/0x2a0 [fuse]
[<0>] __fuse_simple_request+0xd3/0x2b0 [fuse]
[<0>] fuse_file_put+0x9a/0xd0 [fuse]
[<0>] fuse_release+0x36/0x50 [fuse]
[<0>] __fput+0xec/0x2b0
[<0>] task_work_run+0x55/0x90
[<0>] syscall_exit_to_user_mode+0xe9/0x100
[<0>] do_syscall_64+0x43/0xf0
[<0>] entry_SYSCALL_64_after_hwframe+0x4b/0x53
The fuseblk server is fuse2fs so there's nothing all that exciting in
the server itself. So why is the fuse server calling fuse_file_put?
The commit message for the fstest sheds some light on that:
"By closing the file descriptor before calling io_destroy, you pretty
much guarantee that the last put on the ioctx will be done in interrupt
context (during I/O completion).
Aha. AIO fgets a new struct file from the fd when it queues the ioctx.
The completion of the FUSE_WRITE command from userspace causes the fuse
server to call the AIO completion function. The completion puts the
struct file, queuing a delayed fput to the fuse server task. When the
fuse server task returns to userspace, it has to run the delayed fput,
which in the case of a fuseblk server, it does synchronously.
Sending the FUSE_RELEASE command sychronously from fuse server threads
is a bad idea because a client program can initiate enough simultaneous
AIOs such that all the fuse server threads end up in delayed_fput, and
now there aren't any threads left to handle the queued fuse commands.
Fix this by only using asynchronous fputs when closing files, and leave
a comment explaining why.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 5a18ec176c934ca1bc9dc61580a5e0e90a9b5733 Version: 5a18ec176c934ca1bc9dc61580a5e0e90a9b5733 Version: 5a18ec176c934ca1bc9dc61580a5e0e90a9b5733 Version: 5a18ec176c934ca1bc9dc61580a5e0e90a9b5733 Version: 5a18ec176c934ca1bc9dc61580a5e0e90a9b5733 Version: 5a18ec176c934ca1bc9dc61580a5e0e90a9b5733 Version: 5a18ec176c934ca1bc9dc61580a5e0e90a9b5733 Version: 9efe56738fecd591b5bf366a325440f9b457ebd6 Version: 5c46eb076e0a1b2c1769287cd6942e4594ade1b1 Version: 83e6726210d6c815ce044437106c738eda5ff6f6 Version: 23d154c71721fd0fa6199851078f32e6bd765664 Version: ca3edc920f5fd7d8ac040caaf109f925c24620a0 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/fuse/file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "548e1f2bac1d4df91a6138f26bb4ab00323fd948",
"status": "affected",
"version": "5a18ec176c934ca1bc9dc61580a5e0e90a9b5733",
"versionType": "git"
},
{
"lessThan": "cfd1aa3e2b71f3327cb373c45a897c9028c62b35",
"status": "affected",
"version": "5a18ec176c934ca1bc9dc61580a5e0e90a9b5733",
"versionType": "git"
},
{
"lessThan": "83b375c6efef69b1066ad2d79601221e7892745a",
"status": "affected",
"version": "5a18ec176c934ca1bc9dc61580a5e0e90a9b5733",
"versionType": "git"
},
{
"lessThan": "bfd17b6138df0122a95989457d8e18ce0b86165e",
"status": "affected",
"version": "5a18ec176c934ca1bc9dc61580a5e0e90a9b5733",
"versionType": "git"
},
{
"lessThan": "b26923512dbe57ae4917bafd31396d22a9d1691a",
"status": "affected",
"version": "5a18ec176c934ca1bc9dc61580a5e0e90a9b5733",
"versionType": "git"
},
{
"lessThan": "f19a1390af448d9e193c08e28ea5f727bf3c3049",
"status": "affected",
"version": "5a18ec176c934ca1bc9dc61580a5e0e90a9b5733",
"versionType": "git"
},
{
"lessThan": "26e5c67deb2e1f42a951f022fdf5b9f7eb747b01",
"status": "affected",
"version": "5a18ec176c934ca1bc9dc61580a5e0e90a9b5733",
"versionType": "git"
},
{
"status": "affected",
"version": "9efe56738fecd591b5bf366a325440f9b457ebd6",
"versionType": "git"
},
{
"status": "affected",
"version": "5c46eb076e0a1b2c1769287cd6942e4594ade1b1",
"versionType": "git"
},
{
"status": "affected",
"version": "83e6726210d6c815ce044437106c738eda5ff6f6",
"versionType": "git"
},
{
"status": "affected",
"version": "23d154c71721fd0fa6199851078f32e6bd765664",
"versionType": "git"
},
{
"status": "affected",
"version": "ca3edc920f5fd7d8ac040caaf109f925c24620a0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/fuse/file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.38"
},
{
"lessThan": "2.6.38",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.196",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.115",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.196",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.115",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "2.6.32.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "2.6.33.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "2.6.34.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "2.6.35.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "2.6.37.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfuse: fix livelock in synchronous file put from fuseblk workers\n\nI observed a hang when running generic/323 against a fuseblk server.\nThis test opens a file, initiates a lot of AIO writes to that file\ndescriptor, and closes the file descriptor before the writes complete.\nUnsurprisingly, the AIO exerciser threads are mostly stuck waiting for\nresponses from the fuseblk server:\n\n# cat /proc/372265/task/372313/stack\n[\u003c0\u003e] request_wait_answer+0x1fe/0x2a0 [fuse]\n[\u003c0\u003e] __fuse_simple_request+0xd3/0x2b0 [fuse]\n[\u003c0\u003e] fuse_do_getattr+0xfc/0x1f0 [fuse]\n[\u003c0\u003e] fuse_file_read_iter+0xbe/0x1c0 [fuse]\n[\u003c0\u003e] aio_read+0x130/0x1e0\n[\u003c0\u003e] io_submit_one+0x542/0x860\n[\u003c0\u003e] __x64_sys_io_submit+0x98/0x1a0\n[\u003c0\u003e] do_syscall_64+0x37/0xf0\n[\u003c0\u003e] entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\nBut the /weird/ part is that the fuseblk server threads are waiting for\nresponses from itself:\n\n# cat /proc/372210/task/372232/stack\n[\u003c0\u003e] request_wait_answer+0x1fe/0x2a0 [fuse]\n[\u003c0\u003e] __fuse_simple_request+0xd3/0x2b0 [fuse]\n[\u003c0\u003e] fuse_file_put+0x9a/0xd0 [fuse]\n[\u003c0\u003e] fuse_release+0x36/0x50 [fuse]\n[\u003c0\u003e] __fput+0xec/0x2b0\n[\u003c0\u003e] task_work_run+0x55/0x90\n[\u003c0\u003e] syscall_exit_to_user_mode+0xe9/0x100\n[\u003c0\u003e] do_syscall_64+0x43/0xf0\n[\u003c0\u003e] entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\nThe fuseblk server is fuse2fs so there\u0027s nothing all that exciting in\nthe server itself. So why is the fuse server calling fuse_file_put?\nThe commit message for the fstest sheds some light on that:\n\n\"By closing the file descriptor before calling io_destroy, you pretty\nmuch guarantee that the last put on the ioctx will be done in interrupt\ncontext (during I/O completion).\n\nAha. AIO fgets a new struct file from the fd when it queues the ioctx.\nThe completion of the FUSE_WRITE command from userspace causes the fuse\nserver to call the AIO completion function. The completion puts the\nstruct file, queuing a delayed fput to the fuse server task. When the\nfuse server task returns to userspace, it has to run the delayed fput,\nwhich in the case of a fuseblk server, it does synchronously.\n\nSending the FUSE_RELEASE command sychronously from fuse server threads\nis a bad idea because a client program can initiate enough simultaneous\nAIOs such that all the fuse server threads end up in delayed_fput, and\nnow there aren\u0027t any threads left to handle the queued fuse commands.\n\nFix this by only using asynchronous fputs when closing files, and leave\na comment explaining why."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-04T14:50:44.108Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/548e1f2bac1d4df91a6138f26bb4ab00323fd948"
},
{
"url": "https://git.kernel.org/stable/c/cfd1aa3e2b71f3327cb373c45a897c9028c62b35"
},
{
"url": "https://git.kernel.org/stable/c/83b375c6efef69b1066ad2d79601221e7892745a"
},
{
"url": "https://git.kernel.org/stable/c/bfd17b6138df0122a95989457d8e18ce0b86165e"
},
{
"url": "https://git.kernel.org/stable/c/b26923512dbe57ae4917bafd31396d22a9d1691a"
},
{
"url": "https://git.kernel.org/stable/c/f19a1390af448d9e193c08e28ea5f727bf3c3049"
},
{
"url": "https://git.kernel.org/stable/c/26e5c67deb2e1f42a951f022fdf5b9f7eb747b01"
}
],
"title": "fuse: fix livelock in synchronous file put from fuseblk workers",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40220",
"datePublished": "2025-12-04T14:50:44.108Z",
"dateReserved": "2025-04-16T07:20:57.180Z",
"dateUpdated": "2025-12-04T14:50:44.108Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71087 (GCVE-0-2025-71087)
Vulnerability from cvelistv5
Published
2026-01-13 15:34
Modified
2026-02-09 08:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
iavf: fix off-by-one issues in iavf_config_rss_reg()
There are off-by-one bugs when configuring RSS hash key and lookup
table, causing out-of-bounds reads to memory [1] and out-of-bounds
writes to device registers.
Before commit 43a3d9ba34c9 ("i40evf: Allow PF driver to configure RSS"),
the loop upper bounds were:
i <= I40E_VFQF_{HKEY,HLUT}_MAX_INDEX
which is safe since the value is the last valid index.
That commit changed the bounds to:
i <= adapter->rss_{key,lut}_size / 4
where `rss_{key,lut}_size / 4` is the number of dwords, so the last
valid index is `(rss_{key,lut}_size / 4) - 1`. Therefore, using `<=`
accesses one element past the end.
Fix the issues by using `<` instead of `<=`, ensuring we do not exceed
the bounds.
[1] KASAN splat about rss_key_size off-by-one
BUG: KASAN: slab-out-of-bounds in iavf_config_rss+0x619/0x800
Read of size 4 at addr ffff888102c50134 by task kworker/u8:6/63
CPU: 0 UID: 0 PID: 63 Comm: kworker/u8:6 Not tainted 6.18.0-rc2-enjuk-tnguy-00378-g3005f5b77652-dirty #156 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Workqueue: iavf iavf_watchdog_task
Call Trace:
<TASK>
dump_stack_lvl+0x6f/0xb0
print_report+0x170/0x4f3
kasan_report+0xe1/0x1a0
iavf_config_rss+0x619/0x800
iavf_watchdog_task+0x2be7/0x3230
process_one_work+0x7fd/0x1420
worker_thread+0x4d1/0xd40
kthread+0x344/0x660
ret_from_fork+0x249/0x320
ret_from_fork_asm+0x1a/0x30
</TASK>
Allocated by task 63:
kasan_save_stack+0x30/0x50
kasan_save_track+0x14/0x30
__kasan_kmalloc+0x7f/0x90
__kmalloc_noprof+0x246/0x6f0
iavf_watchdog_task+0x28fc/0x3230
process_one_work+0x7fd/0x1420
worker_thread+0x4d1/0xd40
kthread+0x344/0x660
ret_from_fork+0x249/0x320
ret_from_fork_asm+0x1a/0x30
The buggy address belongs to the object at ffff888102c50100
which belongs to the cache kmalloc-64 of size 64
The buggy address is located 0 bytes to the right of
allocated 52-byte region [ffff888102c50100, ffff888102c50134)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102c50
flags: 0x200000000000000(node=0|zone=2)
page_type: f5(slab)
raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888102c50000: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
ffff888102c50080: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
>ffff888102c50100: 00 00 00 00 00 00 04 fc fc fc fc fc fc fc fc fc
^
ffff888102c50180: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
ffff888102c50200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 43a3d9ba34c9ca313573201d3f45de5ab3494cec Version: 43a3d9ba34c9ca313573201d3f45de5ab3494cec Version: 43a3d9ba34c9ca313573201d3f45de5ab3494cec Version: 43a3d9ba34c9ca313573201d3f45de5ab3494cec Version: 43a3d9ba34c9ca313573201d3f45de5ab3494cec Version: 43a3d9ba34c9ca313573201d3f45de5ab3494cec Version: 43a3d9ba34c9ca313573201d3f45de5ab3494cec |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/iavf/iavf_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ceb8459df28d22c225a82d74c0f725f2a935d194",
"status": "affected",
"version": "43a3d9ba34c9ca313573201d3f45de5ab3494cec",
"versionType": "git"
},
{
"lessThan": "5bb18bfd505ca1affbca921462c350095a6c798c",
"status": "affected",
"version": "43a3d9ba34c9ca313573201d3f45de5ab3494cec",
"versionType": "git"
},
{
"lessThan": "d7369dc8dd7cbf5cee3a22610028d847b6f02982",
"status": "affected",
"version": "43a3d9ba34c9ca313573201d3f45de5ab3494cec",
"versionType": "git"
},
{
"lessThan": "18de0e41d69d97fab10b91fecf10ae78a5e43232",
"status": "affected",
"version": "43a3d9ba34c9ca313573201d3f45de5ab3494cec",
"versionType": "git"
},
{
"lessThan": "f36de3045d006e6d9be1be495f2ed88d1721e752",
"status": "affected",
"version": "43a3d9ba34c9ca313573201d3f45de5ab3494cec",
"versionType": "git"
},
{
"lessThan": "3095228e1320371e143835d0cebeef1a8a754c66",
"status": "affected",
"version": "43a3d9ba34c9ca313573201d3f45de5ab3494cec",
"versionType": "git"
},
{
"lessThan": "6daa2893f323981c7894c68440823326e93a7d61",
"status": "affected",
"version": "43a3d9ba34c9ca313573201d3f45de5ab3494cec",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/iavf/iavf_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.7"
},
{
"lessThan": "4.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niavf: fix off-by-one issues in iavf_config_rss_reg()\n\nThere are off-by-one bugs when configuring RSS hash key and lookup\ntable, causing out-of-bounds reads to memory [1] and out-of-bounds\nwrites to device registers.\n\nBefore commit 43a3d9ba34c9 (\"i40evf: Allow PF driver to configure RSS\"),\nthe loop upper bounds were:\n i \u003c= I40E_VFQF_{HKEY,HLUT}_MAX_INDEX\nwhich is safe since the value is the last valid index.\n\nThat commit changed the bounds to:\n i \u003c= adapter-\u003erss_{key,lut}_size / 4\nwhere `rss_{key,lut}_size / 4` is the number of dwords, so the last\nvalid index is `(rss_{key,lut}_size / 4) - 1`. Therefore, using `\u003c=`\naccesses one element past the end.\n\nFix the issues by using `\u003c` instead of `\u003c=`, ensuring we do not exceed\nthe bounds.\n\n[1] KASAN splat about rss_key_size off-by-one\n BUG: KASAN: slab-out-of-bounds in iavf_config_rss+0x619/0x800\n Read of size 4 at addr ffff888102c50134 by task kworker/u8:6/63\n\n CPU: 0 UID: 0 PID: 63 Comm: kworker/u8:6 Not tainted 6.18.0-rc2-enjuk-tnguy-00378-g3005f5b77652-dirty #156 PREEMPT(voluntary)\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n Workqueue: iavf iavf_watchdog_task\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x6f/0xb0\n print_report+0x170/0x4f3\n kasan_report+0xe1/0x1a0\n iavf_config_rss+0x619/0x800\n iavf_watchdog_task+0x2be7/0x3230\n process_one_work+0x7fd/0x1420\n worker_thread+0x4d1/0xd40\n kthread+0x344/0x660\n ret_from_fork+0x249/0x320\n ret_from_fork_asm+0x1a/0x30\n \u003c/TASK\u003e\n\n Allocated by task 63:\n kasan_save_stack+0x30/0x50\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0x7f/0x90\n __kmalloc_noprof+0x246/0x6f0\n iavf_watchdog_task+0x28fc/0x3230\n process_one_work+0x7fd/0x1420\n worker_thread+0x4d1/0xd40\n kthread+0x344/0x660\n ret_from_fork+0x249/0x320\n ret_from_fork_asm+0x1a/0x30\n\n The buggy address belongs to the object at ffff888102c50100\n which belongs to the cache kmalloc-64 of size 64\n The buggy address is located 0 bytes to the right of\n allocated 52-byte region [ffff888102c50100, ffff888102c50134)\n\n The buggy address belongs to the physical page:\n page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102c50\n flags: 0x200000000000000(node=0|zone=2)\n page_type: f5(slab)\n raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000\n raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000\n page dumped because: kasan: bad access detected\n\n Memory state around the buggy address:\n ffff888102c50000: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc\n ffff888102c50080: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc\n \u003effff888102c50100: 00 00 00 00 00 00 04 fc fc fc fc fc fc fc fc fc\n ^\n ffff888102c50180: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc\n ffff888102c50200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:38.872Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ceb8459df28d22c225a82d74c0f725f2a935d194"
},
{
"url": "https://git.kernel.org/stable/c/5bb18bfd505ca1affbca921462c350095a6c798c"
},
{
"url": "https://git.kernel.org/stable/c/d7369dc8dd7cbf5cee3a22610028d847b6f02982"
},
{
"url": "https://git.kernel.org/stable/c/18de0e41d69d97fab10b91fecf10ae78a5e43232"
},
{
"url": "https://git.kernel.org/stable/c/f36de3045d006e6d9be1be495f2ed88d1721e752"
},
{
"url": "https://git.kernel.org/stable/c/3095228e1320371e143835d0cebeef1a8a754c66"
},
{
"url": "https://git.kernel.org/stable/c/6daa2893f323981c7894c68440823326e93a7d61"
}
],
"title": "iavf: fix off-by-one issues in iavf_config_rss_reg()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71087",
"datePublished": "2026-01-13T15:34:49.691Z",
"dateReserved": "2026-01-13T15:30:19.649Z",
"dateUpdated": "2026-02-09T08:34:38.872Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71084 (GCVE-0-2025-71084)
Vulnerability from cvelistv5
Published
2026-01-13 15:34
Modified
2026-02-09 08:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/cm: Fix leaking the multicast GID table reference
If the CM ID is destroyed while the CM event for multicast creating is
still queued the cancel_work_sync() will prevent the work from running
which also prevents destroying the ah_attr. This leaks a refcount and
triggers a WARN:
GID entry ref leak for dev syz1 index 2 ref=573
WARNING: CPU: 1 PID: 655 at drivers/infiniband/core/cache.c:809 release_gid_table drivers/infiniband/core/cache.c:806 [inline]
WARNING: CPU: 1 PID: 655 at drivers/infiniband/core/cache.c:809 gid_table_release_one+0x284/0x3cc drivers/infiniband/core/cache.c:886
Destroy the ah_attr after canceling the work, it is safe to call this
twice.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 60d613b39e8d0c9f3b526e9c96445422b4562d76 Version: fe454dc31e84f8c14cb8942fcb61666c9f40745b Version: fe454dc31e84f8c14cb8942fcb61666c9f40745b Version: fe454dc31e84f8c14cb8942fcb61666c9f40745b Version: fe454dc31e84f8c14cb8942fcb61666c9f40745b Version: fe454dc31e84f8c14cb8942fcb61666c9f40745b Version: fe454dc31e84f8c14cb8942fcb61666c9f40745b Version: a3262b3884dd67b4c5632ce7cdf9cff9d1a575d4 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/cma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d5ce588a9552878859a4d44b70b724216c188a5f",
"status": "affected",
"version": "60d613b39e8d0c9f3b526e9c96445422b4562d76",
"versionType": "git"
},
{
"lessThan": "abf38398724ecc888f62c678d288da40d11878af",
"status": "affected",
"version": "fe454dc31e84f8c14cb8942fcb61666c9f40745b",
"versionType": "git"
},
{
"lessThan": "ab668a58c4a2ccb6d54add7a76f2f955d15d0196",
"status": "affected",
"version": "fe454dc31e84f8c14cb8942fcb61666c9f40745b",
"versionType": "git"
},
{
"lessThan": "c0acdee513239e1d6e1b490f56be0e6837dfd162",
"status": "affected",
"version": "fe454dc31e84f8c14cb8942fcb61666c9f40745b",
"versionType": "git"
},
{
"lessThan": "5cb34bb5fd726491b809efbeb5cfd63ae5bf9cf3",
"status": "affected",
"version": "fe454dc31e84f8c14cb8942fcb61666c9f40745b",
"versionType": "git"
},
{
"lessThan": "3ba6d01c4b3c584264dc733c6a2ecc5bbc8e0bb5",
"status": "affected",
"version": "fe454dc31e84f8c14cb8942fcb61666c9f40745b",
"versionType": "git"
},
{
"lessThan": "57f3cb6c84159d12ba343574df2115fb18dd83ca",
"status": "affected",
"version": "fe454dc31e84f8c14cb8942fcb61666c9f40745b",
"versionType": "git"
},
{
"status": "affected",
"version": "a3262b3884dd67b4c5632ce7cdf9cff9d1a575d4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/cma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.10.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.11.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/cm: Fix leaking the multicast GID table reference\n\nIf the CM ID is destroyed while the CM event for multicast creating is\nstill queued the cancel_work_sync() will prevent the work from running\nwhich also prevents destroying the ah_attr. This leaks a refcount and\ntriggers a WARN:\n\n GID entry ref leak for dev syz1 index 2 ref=573\n WARNING: CPU: 1 PID: 655 at drivers/infiniband/core/cache.c:809 release_gid_table drivers/infiniband/core/cache.c:806 [inline]\n WARNING: CPU: 1 PID: 655 at drivers/infiniband/core/cache.c:809 gid_table_release_one+0x284/0x3cc drivers/infiniband/core/cache.c:886\n\nDestroy the ah_attr after canceling the work, it is safe to call this\ntwice."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:35.725Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d5ce588a9552878859a4d44b70b724216c188a5f"
},
{
"url": "https://git.kernel.org/stable/c/abf38398724ecc888f62c678d288da40d11878af"
},
{
"url": "https://git.kernel.org/stable/c/ab668a58c4a2ccb6d54add7a76f2f955d15d0196"
},
{
"url": "https://git.kernel.org/stable/c/c0acdee513239e1d6e1b490f56be0e6837dfd162"
},
{
"url": "https://git.kernel.org/stable/c/5cb34bb5fd726491b809efbeb5cfd63ae5bf9cf3"
},
{
"url": "https://git.kernel.org/stable/c/3ba6d01c4b3c584264dc733c6a2ecc5bbc8e0bb5"
},
{
"url": "https://git.kernel.org/stable/c/57f3cb6c84159d12ba343574df2115fb18dd83ca"
}
],
"title": "RDMA/cm: Fix leaking the multicast GID table reference",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71084",
"datePublished": "2026-01-13T15:34:47.665Z",
"dateReserved": "2026-01-13T15:30:19.649Z",
"dateUpdated": "2026-02-09T08:34:35.725Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39876 (GCVE-0-2025-39876)
Vulnerability from cvelistv5
Published
2025-09-23 06:00
Modified
2025-11-03 17:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable()
The function of_phy_find_device may return NULL, so we need to take
care before dereferencing phy_dev.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 9e70485b40c8306298adea8bdc867ca27f88955a Version: 64a632da538a6827fad0ea461925cedb9899ebe2 Version: 64a632da538a6827fad0ea461925cedb9899ebe2 Version: 64a632da538a6827fad0ea461925cedb9899ebe2 Version: 64a632da538a6827fad0ea461925cedb9899ebe2 Version: 64a632da538a6827fad0ea461925cedb9899ebe2 Version: 64a632da538a6827fad0ea461925cedb9899ebe2 Version: 64a632da538a6827fad0ea461925cedb9899ebe2 Version: c068e505f229ca5f778f825f1401817ce818e917 Version: 8a6ab151443cd71e2aa5e8b7014e3453dbd51935 Version: ce88b5f42868ef4964c497d4dfcd25e88fd60c5b |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:21.070Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/freescale/fec_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8c60d12bba14dc655d2d948b1dbf390b3ae39cb8",
"status": "affected",
"version": "9e70485b40c8306298adea8bdc867ca27f88955a",
"versionType": "git"
},
{
"lessThan": "20a3433d31c2d2bf70ab0abec75f3136b42ae66c",
"status": "affected",
"version": "64a632da538a6827fad0ea461925cedb9899ebe2",
"versionType": "git"
},
{
"lessThan": "93a699d6e92cfdfa9eb9dbb8c653b5322542ca4f",
"status": "affected",
"version": "64a632da538a6827fad0ea461925cedb9899ebe2",
"versionType": "git"
},
{
"lessThan": "5f1bb554a131e59b28482abad21f691390651752",
"status": "affected",
"version": "64a632da538a6827fad0ea461925cedb9899ebe2",
"versionType": "git"
},
{
"lessThan": "fe78891f296ac05bf4e5295c9829ef822f3c32e7",
"status": "affected",
"version": "64a632da538a6827fad0ea461925cedb9899ebe2",
"versionType": "git"
},
{
"lessThan": "4fe53aaa4271a72fe5fe3e88a45ce01646b68dc5",
"status": "affected",
"version": "64a632da538a6827fad0ea461925cedb9899ebe2",
"versionType": "git"
},
{
"lessThan": "eb148d85e126c47d65be34f2a465d69432ca5541",
"status": "affected",
"version": "64a632da538a6827fad0ea461925cedb9899ebe2",
"versionType": "git"
},
{
"lessThan": "03e79de4608bdd48ad6eec272e196124cefaf798",
"status": "affected",
"version": "64a632da538a6827fad0ea461925cedb9899ebe2",
"versionType": "git"
},
{
"status": "affected",
"version": "c068e505f229ca5f778f825f1401817ce818e917",
"versionType": "git"
},
{
"status": "affected",
"version": "8a6ab151443cd71e2aa5e8b7014e3453dbd51935",
"versionType": "git"
},
{
"status": "affected",
"version": "ce88b5f42868ef4964c497d4dfcd25e88fd60c5b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/freescale/fec_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "5.4.73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.153",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.107",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.48",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.153",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.8.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.9.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable()\n\nThe function of_phy_find_device may return NULL, so we need to take\ncare before dereferencing phy_dev."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T13:26:16.729Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8c60d12bba14dc655d2d948b1dbf390b3ae39cb8"
},
{
"url": "https://git.kernel.org/stable/c/20a3433d31c2d2bf70ab0abec75f3136b42ae66c"
},
{
"url": "https://git.kernel.org/stable/c/93a699d6e92cfdfa9eb9dbb8c653b5322542ca4f"
},
{
"url": "https://git.kernel.org/stable/c/5f1bb554a131e59b28482abad21f691390651752"
},
{
"url": "https://git.kernel.org/stable/c/fe78891f296ac05bf4e5295c9829ef822f3c32e7"
},
{
"url": "https://git.kernel.org/stable/c/4fe53aaa4271a72fe5fe3e88a45ce01646b68dc5"
},
{
"url": "https://git.kernel.org/stable/c/eb148d85e126c47d65be34f2a465d69432ca5541"
},
{
"url": "https://git.kernel.org/stable/c/03e79de4608bdd48ad6eec272e196124cefaf798"
}
],
"title": "net: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39876",
"datePublished": "2025-09-23T06:00:47.731Z",
"dateReserved": "2025-04-16T07:20:57.144Z",
"dateUpdated": "2025-11-03T17:44:21.070Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71069 (GCVE-0-2025-71069)
Vulnerability from cvelistv5
Published
2026-01-13 15:31
Modified
2026-02-09 08:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
f2fs: invalidate dentry cache on failed whiteout creation
F2FS can mount filesystems with corrupted directory depth values that
get runtime-clamped to MAX_DIR_HASH_DEPTH. When RENAME_WHITEOUT
operations are performed on such directories, f2fs_rename performs
directory modifications (updating target entry and deleting source
entry) before attempting to add the whiteout entry via f2fs_add_link.
If f2fs_add_link fails due to the corrupted directory structure, the
function returns an error to VFS, but the partial directory
modifications have already been committed to disk. VFS assumes the
entire rename operation failed and does not update the dentry cache,
leaving stale mappings.
In the error path, VFS does not call d_move() to update the dentry
cache. This results in new_dentry still pointing to the old inode
(new_inode) which has already had its i_nlink decremented to zero.
The stale cache causes subsequent operations to incorrectly reference
the freed inode.
This causes subsequent operations to use cached dentry information that
no longer matches the on-disk state. When a second rename targets the
same entry, VFS attempts to decrement i_nlink on the stale inode, which
may already have i_nlink=0, triggering a WARNING in drop_nlink().
Example sequence:
1. First rename (RENAME_WHITEOUT): file2 → file1
- f2fs updates file1 entry on disk (points to inode 8)
- f2fs deletes file2 entry on disk
- f2fs_add_link(whiteout) fails (corrupted directory)
- Returns error to VFS
- VFS does not call d_move() due to error
- VFS cache still has: file1 → inode 7 (stale!)
- inode 7 has i_nlink=0 (already decremented)
2. Second rename: file3 → file1
- VFS uses stale cache: file1 → inode 7
- Tries to drop_nlink on inode 7 (i_nlink already 0)
- WARNING in drop_nlink()
Fix this by explicitly invalidating old_dentry and new_dentry when
f2fs_add_link fails during whiteout creation. This forces VFS to
refresh from disk on subsequent operations, ensuring cache consistency
even when the rename partially succeeds.
Reproducer:
1. Mount F2FS image with corrupted i_current_depth
2. renameat2(file2, file1, RENAME_WHITEOUT)
3. renameat2(file3, file1, 0)
4. System triggers WARNING in drop_nlink()
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 7e01e7ad746bc8198a8b46163ddc73a1c7d22339 Version: 7e01e7ad746bc8198a8b46163ddc73a1c7d22339 Version: 7e01e7ad746bc8198a8b46163ddc73a1c7d22339 Version: 7e01e7ad746bc8198a8b46163ddc73a1c7d22339 Version: 7e01e7ad746bc8198a8b46163ddc73a1c7d22339 Version: 7e01e7ad746bc8198a8b46163ddc73a1c7d22339 Version: 7e01e7ad746bc8198a8b46163ddc73a1c7d22339 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/f2fs/namei.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7f2bae0c881aa1e0a6318756df692cc13df2cc83",
"status": "affected",
"version": "7e01e7ad746bc8198a8b46163ddc73a1c7d22339",
"versionType": "git"
},
{
"lessThan": "3d95ed8cf980fdfa67a3ab9491357521ae576168",
"status": "affected",
"version": "7e01e7ad746bc8198a8b46163ddc73a1c7d22339",
"versionType": "git"
},
{
"lessThan": "64587ab4d1f16fc94f70e04fa87b2e3f69f8a7bb",
"status": "affected",
"version": "7e01e7ad746bc8198a8b46163ddc73a1c7d22339",
"versionType": "git"
},
{
"lessThan": "3d65e27e57aaa9d66709fda4cbfb62a87c04a3f5",
"status": "affected",
"version": "7e01e7ad746bc8198a8b46163ddc73a1c7d22339",
"versionType": "git"
},
{
"lessThan": "c89845fae250efdd59c1d4ec60e9e1c652cee4b6",
"status": "affected",
"version": "7e01e7ad746bc8198a8b46163ddc73a1c7d22339",
"versionType": "git"
},
{
"lessThan": "0dde30753c1e8648665dbe069d814e540ce2fd37",
"status": "affected",
"version": "7e01e7ad746bc8198a8b46163ddc73a1c7d22339",
"versionType": "git"
},
{
"lessThan": "d33f89b34aa313f50f9a512d58dd288999f246b0",
"status": "affected",
"version": "7e01e7ad746bc8198a8b46163ddc73a1c7d22339",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/f2fs/namei.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: invalidate dentry cache on failed whiteout creation\n\nF2FS can mount filesystems with corrupted directory depth values that\nget runtime-clamped to MAX_DIR_HASH_DEPTH. When RENAME_WHITEOUT\noperations are performed on such directories, f2fs_rename performs\ndirectory modifications (updating target entry and deleting source\nentry) before attempting to add the whiteout entry via f2fs_add_link.\n\nIf f2fs_add_link fails due to the corrupted directory structure, the\nfunction returns an error to VFS, but the partial directory\nmodifications have already been committed to disk. VFS assumes the\nentire rename operation failed and does not update the dentry cache,\nleaving stale mappings.\n\nIn the error path, VFS does not call d_move() to update the dentry\ncache. This results in new_dentry still pointing to the old inode\n(new_inode) which has already had its i_nlink decremented to zero.\nThe stale cache causes subsequent operations to incorrectly reference\nthe freed inode.\n\nThis causes subsequent operations to use cached dentry information that\nno longer matches the on-disk state. When a second rename targets the\nsame entry, VFS attempts to decrement i_nlink on the stale inode, which\nmay already have i_nlink=0, triggering a WARNING in drop_nlink().\n\nExample sequence:\n1. First rename (RENAME_WHITEOUT): file2 \u2192 file1\n - f2fs updates file1 entry on disk (points to inode 8)\n - f2fs deletes file2 entry on disk\n - f2fs_add_link(whiteout) fails (corrupted directory)\n - Returns error to VFS\n - VFS does not call d_move() due to error\n - VFS cache still has: file1 \u2192 inode 7 (stale!)\n - inode 7 has i_nlink=0 (already decremented)\n\n2. Second rename: file3 \u2192 file1\n - VFS uses stale cache: file1 \u2192 inode 7\n - Tries to drop_nlink on inode 7 (i_nlink already 0)\n - WARNING in drop_nlink()\n\nFix this by explicitly invalidating old_dentry and new_dentry when\nf2fs_add_link fails during whiteout creation. This forces VFS to\nrefresh from disk on subsequent operations, ensuring cache consistency\neven when the rename partially succeeds.\n\nReproducer:\n1. Mount F2FS image with corrupted i_current_depth\n2. renameat2(file2, file1, RENAME_WHITEOUT)\n3. renameat2(file3, file1, 0)\n4. System triggers WARNING in drop_nlink()"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:19.788Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7f2bae0c881aa1e0a6318756df692cc13df2cc83"
},
{
"url": "https://git.kernel.org/stable/c/3d95ed8cf980fdfa67a3ab9491357521ae576168"
},
{
"url": "https://git.kernel.org/stable/c/64587ab4d1f16fc94f70e04fa87b2e3f69f8a7bb"
},
{
"url": "https://git.kernel.org/stable/c/3d65e27e57aaa9d66709fda4cbfb62a87c04a3f5"
},
{
"url": "https://git.kernel.org/stable/c/c89845fae250efdd59c1d4ec60e9e1c652cee4b6"
},
{
"url": "https://git.kernel.org/stable/c/0dde30753c1e8648665dbe069d814e540ce2fd37"
},
{
"url": "https://git.kernel.org/stable/c/d33f89b34aa313f50f9a512d58dd288999f246b0"
}
],
"title": "f2fs: invalidate dentry cache on failed whiteout creation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71069",
"datePublished": "2026-01-13T15:31:23.948Z",
"dateReserved": "2026-01-13T15:30:19.647Z",
"dateUpdated": "2026-02-09T08:34:19.788Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23099 (GCVE-0-2026-23099)
Vulnerability from cvelistv5
Published
2026-02-04 16:08
Modified
2026-02-09 08:38
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bonding: limit BOND_MODE_8023AD to Ethernet devices
BOND_MODE_8023AD makes sense for ARPHRD_ETHER only.
syzbot reported:
BUG: KASAN: global-out-of-bounds in __hw_addr_create net/core/dev_addr_lists.c:63 [inline]
BUG: KASAN: global-out-of-bounds in __hw_addr_add_ex+0x25d/0x760 net/core/dev_addr_lists.c:118
Read of size 16 at addr ffffffff8bf94040 by task syz.1.3580/19497
CPU: 1 UID: 0 PID: 19497 Comm: syz.1.3580 Tainted: G L syzkaller #0 PREEMPT(full)
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595
check_region_inline mm/kasan/generic.c:-1 [inline]
kasan_check_range+0x2b0/0x2c0 mm/kasan/generic.c:200
__asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105
__hw_addr_create net/core/dev_addr_lists.c:63 [inline]
__hw_addr_add_ex+0x25d/0x760 net/core/dev_addr_lists.c:118
__dev_mc_add net/core/dev_addr_lists.c:868 [inline]
dev_mc_add+0xa1/0x120 net/core/dev_addr_lists.c:886
bond_enslave+0x2b8b/0x3ac0 drivers/net/bonding/bond_main.c:2180
do_set_master+0x533/0x6d0 net/core/rtnetlink.c:2963
do_setlink+0xcf0/0x41c0 net/core/rtnetlink.c:3165
rtnl_changelink net/core/rtnetlink.c:3776 [inline]
__rtnl_newlink net/core/rtnetlink.c:3935 [inline]
rtnl_newlink+0x161c/0x1c90 net/core/rtnetlink.c:4072
rtnetlink_rcv_msg+0x7cf/0xb70 net/core/rtnetlink.c:6958
netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2550
netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
netlink_unicast+0x82f/0x9e0 net/netlink/af_netlink.c:1344
netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1894
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg+0x21c/0x270 net/socket.c:742
____sys_sendmsg+0x505/0x820 net/socket.c:2592
___sys_sendmsg+0x21f/0x2a0 net/socket.c:2646
__sys_sendmsg+0x164/0x220 net/socket.c:2678
do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
__do_fast_syscall_32+0x1dc/0x560 arch/x86/entry/syscall_32.c:307
do_fast_syscall_32+0x34/0x80 arch/x86/entry/syscall_32.c:332
entry_SYSENTER_compat_after_hwframe+0x84/0x8e
</TASK>
The buggy address belongs to the variable:
lacpdu_mcast_addr+0x0/0x40
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 872254dd6b1f80cb95ee9e2e22980888533fc293 Version: 872254dd6b1f80cb95ee9e2e22980888533fc293 Version: 872254dd6b1f80cb95ee9e2e22980888533fc293 Version: 872254dd6b1f80cb95ee9e2e22980888533fc293 Version: 872254dd6b1f80cb95ee9e2e22980888533fc293 Version: 872254dd6b1f80cb95ee9e2e22980888533fc293 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/bonding/bond_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "72925dbb0c8c7b16bf922e93c6cc03cbd8c955c4",
"status": "affected",
"version": "872254dd6b1f80cb95ee9e2e22980888533fc293",
"versionType": "git"
},
{
"lessThan": "5063b2cd9b27d35ab788d707d7858ded0acc8f1d",
"status": "affected",
"version": "872254dd6b1f80cb95ee9e2e22980888533fc293",
"versionType": "git"
},
{
"lessThan": "80c881e53a4fa0a80fa4bef7bc0ead0e8e88940d",
"status": "affected",
"version": "872254dd6b1f80cb95ee9e2e22980888533fc293",
"versionType": "git"
},
{
"lessThan": "ef68afb1bee8d35a18896c27d7358079353d8d8a",
"status": "affected",
"version": "872254dd6b1f80cb95ee9e2e22980888533fc293",
"versionType": "git"
},
{
"lessThan": "43dee6f7ef1d228821de1b61c292af3744c8d7da",
"status": "affected",
"version": "872254dd6b1f80cb95ee9e2e22980888533fc293",
"versionType": "git"
},
{
"lessThan": "c84fcb79e5dbde0b8d5aeeaf04282d2149aebcf6",
"status": "affected",
"version": "872254dd6b1f80cb95ee9e2e22980888533fc293",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/bonding/bond_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.24"
},
{
"lessThan": "2.6.24",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.24",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbonding: limit BOND_MODE_8023AD to Ethernet devices\n\nBOND_MODE_8023AD makes sense for ARPHRD_ETHER only.\n\nsyzbot reported:\n\n BUG: KASAN: global-out-of-bounds in __hw_addr_create net/core/dev_addr_lists.c:63 [inline]\n BUG: KASAN: global-out-of-bounds in __hw_addr_add_ex+0x25d/0x760 net/core/dev_addr_lists.c:118\nRead of size 16 at addr ffffffff8bf94040 by task syz.1.3580/19497\n\nCPU: 1 UID: 0 PID: 19497 Comm: syz.1.3580 Tainted: G L syzkaller #0 PREEMPT(full)\nTainted: [L]=SOFTLOCKUP\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xca/0x240 mm/kasan/report.c:482\n kasan_report+0x118/0x150 mm/kasan/report.c:595\n check_region_inline mm/kasan/generic.c:-1 [inline]\n kasan_check_range+0x2b0/0x2c0 mm/kasan/generic.c:200\n __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105\n __hw_addr_create net/core/dev_addr_lists.c:63 [inline]\n __hw_addr_add_ex+0x25d/0x760 net/core/dev_addr_lists.c:118\n __dev_mc_add net/core/dev_addr_lists.c:868 [inline]\n dev_mc_add+0xa1/0x120 net/core/dev_addr_lists.c:886\n bond_enslave+0x2b8b/0x3ac0 drivers/net/bonding/bond_main.c:2180\n do_set_master+0x533/0x6d0 net/core/rtnetlink.c:2963\n do_setlink+0xcf0/0x41c0 net/core/rtnetlink.c:3165\n rtnl_changelink net/core/rtnetlink.c:3776 [inline]\n __rtnl_newlink net/core/rtnetlink.c:3935 [inline]\n rtnl_newlink+0x161c/0x1c90 net/core/rtnetlink.c:4072\n rtnetlink_rcv_msg+0x7cf/0xb70 net/core/rtnetlink.c:6958\n netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2550\n netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]\n netlink_unicast+0x82f/0x9e0 net/netlink/af_netlink.c:1344\n netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:727 [inline]\n __sock_sendmsg+0x21c/0x270 net/socket.c:742\n ____sys_sendmsg+0x505/0x820 net/socket.c:2592\n ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2646\n __sys_sendmsg+0x164/0x220 net/socket.c:2678\n do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]\n __do_fast_syscall_32+0x1dc/0x560 arch/x86/entry/syscall_32.c:307\n do_fast_syscall_32+0x34/0x80 arch/x86/entry/syscall_32.c:332\n entry_SYSENTER_compat_after_hwframe+0x84/0x8e\n \u003c/TASK\u003e\n\nThe buggy address belongs to the variable:\n lacpdu_mcast_addr+0x0/0x40"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:38:39.939Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/72925dbb0c8c7b16bf922e93c6cc03cbd8c955c4"
},
{
"url": "https://git.kernel.org/stable/c/5063b2cd9b27d35ab788d707d7858ded0acc8f1d"
},
{
"url": "https://git.kernel.org/stable/c/80c881e53a4fa0a80fa4bef7bc0ead0e8e88940d"
},
{
"url": "https://git.kernel.org/stable/c/ef68afb1bee8d35a18896c27d7358079353d8d8a"
},
{
"url": "https://git.kernel.org/stable/c/43dee6f7ef1d228821de1b61c292af3744c8d7da"
},
{
"url": "https://git.kernel.org/stable/c/c84fcb79e5dbde0b8d5aeeaf04282d2149aebcf6"
}
],
"title": "bonding: limit BOND_MODE_8023AD to Ethernet devices",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23099",
"datePublished": "2026-02-04T16:08:21.601Z",
"dateReserved": "2026-01-13T15:37:45.965Z",
"dateUpdated": "2026-02-09T08:38:39.939Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23409 (GCVE-0-2026-23409)
Vulnerability from cvelistv5
Published
2026-04-01 08:36
Modified
2026-04-18 08:58
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
apparmor: fix differential encoding verification
Differential encoding allows loops to be created if it is abused. To
prevent this the unpack should verify that a diff-encode chain
terminates.
Unfortunately the differential encode verification had two bugs.
1. it conflated states that had gone through check and already been
marked, with states that were currently being checked and marked.
This means that loops in the current chain being verified are treated
as a chain that has already been verified.
2. the order bailout on already checked states compared current chain
check iterators j,k instead of using the outer loop iterator i.
Meaning a step backwards in states in the current chain verification
was being mistaken for moving to an already verified state.
Move to a double mark scheme where already verified states get a
different mark, than the current chain being kept. This enables us
to also drop the backwards verification check that was the cause of
the second error as any already verified state is already marked.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3 Version: 031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3 Version: 031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3 Version: 031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3 Version: 031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3 Version: 031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3 Version: 031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3 Version: 031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"security/apparmor/include/match.h",
"security/apparmor/match.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ff7c73744fafe944ed9a7b2b7cf6c8d5557a3d84",
"status": "affected",
"version": "031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3",
"versionType": "git"
},
{
"lessThan": "1439150cd3c411228b387ab5efca92199d2a659a",
"status": "affected",
"version": "031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3",
"versionType": "git"
},
{
"lessThan": "0fab44285445e9012674396d5c1236a67da518e0",
"status": "affected",
"version": "031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3",
"versionType": "git"
},
{
"lessThan": "f90e3ecd9e1ed69f1a370f866ceed1f104f3ab4a",
"status": "affected",
"version": "031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3",
"versionType": "git"
},
{
"lessThan": "34fc60b125ed1d4eb002c76b0664bf0619492167",
"status": "affected",
"version": "031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3",
"versionType": "git"
},
{
"lessThan": "623a9d211bbbb031bb1cbdb38b23487648167f8a",
"status": "affected",
"version": "031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3",
"versionType": "git"
},
{
"lessThan": "1ff4857fac56ac5a90ee63b24db05fa5e91a45aa",
"status": "affected",
"version": "031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3",
"versionType": "git"
},
{
"lessThan": "39440b137546a3aa383cfdabc605fb73811b6093",
"status": "affected",
"version": "031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"security/apparmor/include/match.h",
"security/apparmor/match.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.18",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.8",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: fix differential encoding verification\n\nDifferential encoding allows loops to be created if it is abused. To\nprevent this the unpack should verify that a diff-encode chain\nterminates.\n\nUnfortunately the differential encode verification had two bugs.\n\n1. it conflated states that had gone through check and already been\n marked, with states that were currently being checked and marked.\n This means that loops in the current chain being verified are treated\n as a chain that has already been verified.\n\n2. the order bailout on already checked states compared current chain\n check iterators j,k instead of using the outer loop iterator i.\n Meaning a step backwards in states in the current chain verification\n was being mistaken for moving to an already verified state.\n\nMove to a double mark scheme where already verified states get a\ndifferent mark, than the current chain being kept. This enables us\nto also drop the backwards verification check that was the cause of\nthe second error as any already verified state is already marked."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:58:44.586Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ff7c73744fafe944ed9a7b2b7cf6c8d5557a3d84"
},
{
"url": "https://git.kernel.org/stable/c/1439150cd3c411228b387ab5efca92199d2a659a"
},
{
"url": "https://git.kernel.org/stable/c/0fab44285445e9012674396d5c1236a67da518e0"
},
{
"url": "https://git.kernel.org/stable/c/f90e3ecd9e1ed69f1a370f866ceed1f104f3ab4a"
},
{
"url": "https://git.kernel.org/stable/c/34fc60b125ed1d4eb002c76b0664bf0619492167"
},
{
"url": "https://git.kernel.org/stable/c/623a9d211bbbb031bb1cbdb38b23487648167f8a"
},
{
"url": "https://git.kernel.org/stable/c/1ff4857fac56ac5a90ee63b24db05fa5e91a45aa"
},
{
"url": "https://git.kernel.org/stable/c/39440b137546a3aa383cfdabc605fb73811b6093"
}
],
"title": "apparmor: fix differential encoding verification",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23409",
"datePublished": "2026-04-01T08:36:38.516Z",
"dateReserved": "2026-01-13T15:37:46.013Z",
"dateUpdated": "2026-04-18T08:58:44.586Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71073 (GCVE-0-2025-71073)
Vulnerability from cvelistv5
Published
2026-01-13 15:31
Modified
2026-02-09 08:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Input: lkkbd - disable pending work before freeing device
lkkbd_interrupt() schedules lk->tq via schedule_work(), and the work
handler lkkbd_reinit() dereferences the lkkbd structure and its
serio/input_dev fields.
lkkbd_disconnect() and error paths in lkkbd_connect() free the lkkbd
structure without preventing the reinit work from being queued again
until serio_close() returns. This can allow the work handler to run
after the structure has been freed, leading to a potential use-after-free.
Use disable_work_sync() instead of cancel_work_sync() to ensure the
reinit work cannot be re-queued, and call it both in lkkbd_disconnect()
and in lkkbd_connect() error paths after serio_open().
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/input/keyboard/lkkbd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3a7cd1397c209076c371d53bf39a55c138f62342",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "cffc4e29b1e2d44ab094cf142d7c461ff09b9104",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e58c88f0cb2d8ed89de78f6f17409d29cfab6c5c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/input/keyboard/lkkbd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: lkkbd - disable pending work before freeing device\n\nlkkbd_interrupt() schedules lk-\u003etq via schedule_work(), and the work\nhandler lkkbd_reinit() dereferences the lkkbd structure and its\nserio/input_dev fields.\n\nlkkbd_disconnect() and error paths in lkkbd_connect() free the lkkbd\nstructure without preventing the reinit work from being queued again\nuntil serio_close() returns. This can allow the work handler to run\nafter the structure has been freed, leading to a potential use-after-free.\n\nUse disable_work_sync() instead of cancel_work_sync() to ensure the\nreinit work cannot be re-queued, and call it both in lkkbd_disconnect()\nand in lkkbd_connect() error paths after serio_open()."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:23.938Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3a7cd1397c209076c371d53bf39a55c138f62342"
},
{
"url": "https://git.kernel.org/stable/c/cffc4e29b1e2d44ab094cf142d7c461ff09b9104"
},
{
"url": "https://git.kernel.org/stable/c/e58c88f0cb2d8ed89de78f6f17409d29cfab6c5c"
}
],
"title": "Input: lkkbd - disable pending work before freeing device",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71073",
"datePublished": "2026-01-13T15:31:26.771Z",
"dateReserved": "2026-01-13T15:30:19.647Z",
"dateUpdated": "2026-02-09T08:34:23.938Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38125 (GCVE-0-2025-38125)
Vulnerability from cvelistv5
Published
2025-07-03 08:35
Modified
2026-02-06 16:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: stmmac: make sure that ptp_rate is not 0 before configuring EST
If the ptp_rate recorded earlier in the driver happens to be 0, this
bogus value will propagate up to EST configuration, where it will
trigger a division by 0.
Prevent this division by 0 by adding the corresponding check and error
code.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 8572aec3d0dc43045254fd1bf581fb980bfdbc4b Version: 8572aec3d0dc43045254fd1bf581fb980bfdbc4b Version: 8572aec3d0dc43045254fd1bf581fb980bfdbc4b Version: 8572aec3d0dc43045254fd1bf581fb980bfdbc4b Version: 8572aec3d0dc43045254fd1bf581fb980bfdbc4b Version: 8572aec3d0dc43045254fd1bf581fb980bfdbc4b |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/stmicro/stmmac/stmmac_est.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b15c9a21950e1af6d440ce5a8edfa8a94b9acb9b",
"status": "affected",
"version": "8572aec3d0dc43045254fd1bf581fb980bfdbc4b",
"versionType": "git"
},
{
"lessThan": "d6b0f7ed3e9b6c5e2e3a006c8f72c95aa4ac4b74",
"status": "affected",
"version": "8572aec3d0dc43045254fd1bf581fb980bfdbc4b",
"versionType": "git"
},
{
"lessThan": "b92ec4a848728460f181def33735605f154d438f",
"status": "affected",
"version": "8572aec3d0dc43045254fd1bf581fb980bfdbc4b",
"versionType": "git"
},
{
"lessThan": "451ee661d0f6272017fa012f99617101aa8ddf2c",
"status": "affected",
"version": "8572aec3d0dc43045254fd1bf581fb980bfdbc4b",
"versionType": "git"
},
{
"lessThan": "d5e3bfdba0dc419499b801937128957f77503761",
"status": "affected",
"version": "8572aec3d0dc43045254fd1bf581fb980bfdbc4b",
"versionType": "git"
},
{
"lessThan": "cbefe2ffa7784525ec5d008ba87c7add19ec631a",
"status": "affected",
"version": "8572aec3d0dc43045254fd1bf581fb980bfdbc4b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/stmicro/stmmac/stmmac_est.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.34",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.3",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: make sure that ptp_rate is not 0 before configuring EST\n\nIf the ptp_rate recorded earlier in the driver happens to be 0, this\nbogus value will propagate up to EST configuration, where it will\ntrigger a division by 0.\n\nPrevent this division by 0 by adding the corresponding check and error\ncode."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T16:31:15.342Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b15c9a21950e1af6d440ce5a8edfa8a94b9acb9b"
},
{
"url": "https://git.kernel.org/stable/c/d6b0f7ed3e9b6c5e2e3a006c8f72c95aa4ac4b74"
},
{
"url": "https://git.kernel.org/stable/c/b92ec4a848728460f181def33735605f154d438f"
},
{
"url": "https://git.kernel.org/stable/c/451ee661d0f6272017fa012f99617101aa8ddf2c"
},
{
"url": "https://git.kernel.org/stable/c/d5e3bfdba0dc419499b801937128957f77503761"
},
{
"url": "https://git.kernel.org/stable/c/cbefe2ffa7784525ec5d008ba87c7add19ec631a"
}
],
"title": "net: stmmac: make sure that ptp_rate is not 0 before configuring EST",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38125",
"datePublished": "2025-07-03T08:35:31.176Z",
"dateReserved": "2025-04-16T04:51:23.986Z",
"dateUpdated": "2026-02-06T16:31:15.342Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68354 (GCVE-0-2025-68354)
Vulnerability from cvelistv5
Published
2025-12-24 10:32
Modified
2026-02-09 08:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
regulator: core: Protect regulator_supply_alias_list with regulator_list_mutex
regulator_supply_alias_list was accessed without any locking in
regulator_supply_alias(), regulator_register_supply_alias(), and
regulator_unregister_supply_alias(). Concurrent registration,
unregistration and lookups can race, leading to:
1 use-after-free if an alias entry is removed while being read,
2 duplicate entries when two threads register the same alias,
3 inconsistent alias mappings observed by consumers.
Protect all traversals, insertions and deletions on
regulator_supply_alias_list with the existing regulator_list_mutex.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: a06ccd9c3785fa5550917ae036944f4e080b5749 Version: a06ccd9c3785fa5550917ae036944f4e080b5749 Version: a06ccd9c3785fa5550917ae036944f4e080b5749 Version: a06ccd9c3785fa5550917ae036944f4e080b5749 Version: a06ccd9c3785fa5550917ae036944f4e080b5749 Version: a06ccd9c3785fa5550917ae036944f4e080b5749 Version: a06ccd9c3785fa5550917ae036944f4e080b5749 Version: a06ccd9c3785fa5550917ae036944f4e080b5749 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/regulator/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e1587064137028e7edcca14fb766b68d27bec94b",
"status": "affected",
"version": "a06ccd9c3785fa5550917ae036944f4e080b5749",
"versionType": "git"
},
{
"lessThan": "9d041a7ba13f21adfac052eb3fda1df62f2166c1",
"status": "affected",
"version": "a06ccd9c3785fa5550917ae036944f4e080b5749",
"versionType": "git"
},
{
"lessThan": "a63fbc07d1b34a9821ea3b31ff4e6456f9d0aa61",
"status": "affected",
"version": "a06ccd9c3785fa5550917ae036944f4e080b5749",
"versionType": "git"
},
{
"lessThan": "09811a83b214cc15521e0d818e43ae9043e9a28d",
"status": "affected",
"version": "a06ccd9c3785fa5550917ae036944f4e080b5749",
"versionType": "git"
},
{
"lessThan": "a9864d42ebcdd394ebb864643b961b36e7b515be",
"status": "affected",
"version": "a06ccd9c3785fa5550917ae036944f4e080b5749",
"versionType": "git"
},
{
"lessThan": "431a1d44ad4866362cc28fc1cc4ca93d84989239",
"status": "affected",
"version": "a06ccd9c3785fa5550917ae036944f4e080b5749",
"versionType": "git"
},
{
"lessThan": "64099b5c0aeb70bc7cd5556eb7f59c5b4a5010bf",
"status": "affected",
"version": "a06ccd9c3785fa5550917ae036944f4e080b5749",
"versionType": "git"
},
{
"lessThan": "0cc15a10c3b4ab14cd71b779fd5c9ca0cb2bc30d",
"status": "affected",
"version": "a06ccd9c3785fa5550917ae036944f4e080b5749",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/regulator/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.13"
},
{
"lessThan": "3.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nregulator: core: Protect regulator_supply_alias_list with regulator_list_mutex\n\nregulator_supply_alias_list was accessed without any locking in\nregulator_supply_alias(), regulator_register_supply_alias(), and\nregulator_unregister_supply_alias(). Concurrent registration,\nunregistration and lookups can race, leading to:\n\n1 use-after-free if an alias entry is removed while being read,\n2 duplicate entries when two threads register the same alias,\n3 inconsistent alias mappings observed by consumers.\n\nProtect all traversals, insertions and deletions on\nregulator_supply_alias_list with the existing regulator_list_mutex."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:31:49.898Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e1587064137028e7edcca14fb766b68d27bec94b"
},
{
"url": "https://git.kernel.org/stable/c/9d041a7ba13f21adfac052eb3fda1df62f2166c1"
},
{
"url": "https://git.kernel.org/stable/c/a63fbc07d1b34a9821ea3b31ff4e6456f9d0aa61"
},
{
"url": "https://git.kernel.org/stable/c/09811a83b214cc15521e0d818e43ae9043e9a28d"
},
{
"url": "https://git.kernel.org/stable/c/a9864d42ebcdd394ebb864643b961b36e7b515be"
},
{
"url": "https://git.kernel.org/stable/c/431a1d44ad4866362cc28fc1cc4ca93d84989239"
},
{
"url": "https://git.kernel.org/stable/c/64099b5c0aeb70bc7cd5556eb7f59c5b4a5010bf"
},
{
"url": "https://git.kernel.org/stable/c/0cc15a10c3b4ab14cd71b779fd5c9ca0cb2bc30d"
}
],
"title": "regulator: core: Protect regulator_supply_alias_list with regulator_list_mutex",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68354",
"datePublished": "2025-12-24T10:32:44.840Z",
"dateReserved": "2025-12-16T14:48:05.300Z",
"dateUpdated": "2026-02-09T08:31:49.898Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68795 (GCVE-0-2025-68795)
Vulnerability from cvelistv5
Published
2026-01-13 15:29
Modified
2026-02-09 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ethtool: Avoid overflowing userspace buffer on stats query
The ethtool -S command operates across three ioctl calls:
ETHTOOL_GSSET_INFO for the size, ETHTOOL_GSTRINGS for the names, and
ETHTOOL_GSTATS for the values.
If the number of stats changes between these calls (e.g., due to device
reconfiguration), userspace's buffer allocation will be incorrect,
potentially leading to buffer overflow.
Drivers are generally expected to maintain stable stat counts, but some
drivers (e.g., mlx5, bnx2x, bna, ksz884x) use dynamic counters, making
this scenario possible.
Some drivers try to handle this internally:
- bnad_get_ethtool_stats() returns early in case stats.n_stats is not
equal to the driver's stats count.
- micrel/ksz884x also makes sure not to write anything beyond
stats.n_stats and overflow the buffer.
However, both use stats.n_stats which is already assigned with the value
returned from get_sset_count(), hence won't solve the issue described
here.
Change ethtool_get_strings(), ethtool_get_stats(),
ethtool_get_phy_stats() to not return anything in case of a mismatch
between userspace's size and get_sset_size(), to prevent buffer
overflow.
The returned n_stats value will be equal to zero, to reflect that
nothing has been returned.
This could result in one of two cases when using upstream ethtool,
depending on when the size change is detected:
1. When detected in ethtool_get_strings():
# ethtool -S eth2
no stats available
2. When detected in get stats, all stats will be reported as zero.
Both cases are presumably transient, and a subsequent ethtool call
should succeed.
Other than the overflow avoidance, these two cases are very evident (no
output/cleared stats), which is arguably better than presenting
incorrect/shifted stats.
I also considered returning an error instead of a "silent" response, but
that seems more destructive towards userspace apps.
Notes:
- This patch does not claim to fix the inherent race, it only makes sure
that we do not overflow the userspace buffer, and makes for a more
predictable behavior.
- RTNL lock is held during each ioctl, the race window exists between
the separate ioctl calls when the lock is released.
- Userspace ethtool always fills stats.n_stats, but it is likely that
these stats ioctls are implemented in other userspace applications
which might not fill it. The added code checks that it's not zero,
to prevent any regressions.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ethtool/ioctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3df375a1e75483b7d973c3cc2e46aa374db8428b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f9dc0f45d2cd0189ce666288a29d2cc32c2e44d5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4afcb985355210e1688560dc47e64b94dad35d71",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ca9983bc3a1189bd72f9ae449d925a66b2616326",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7bea09f60f2ad5d232e2db8f1c14e850fd3fd416",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4066b5b546293f44cd6d0e84ece6e3ee7ff27093",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7b07be1ff1cb6c49869910518650e8d0abc7d25f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ethtool/ioctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nethtool: Avoid overflowing userspace buffer on stats query\n\nThe ethtool -S command operates across three ioctl calls:\nETHTOOL_GSSET_INFO for the size, ETHTOOL_GSTRINGS for the names, and\nETHTOOL_GSTATS for the values.\n\nIf the number of stats changes between these calls (e.g., due to device\nreconfiguration), userspace\u0027s buffer allocation will be incorrect,\npotentially leading to buffer overflow.\n\nDrivers are generally expected to maintain stable stat counts, but some\ndrivers (e.g., mlx5, bnx2x, bna, ksz884x) use dynamic counters, making\nthis scenario possible.\n\nSome drivers try to handle this internally:\n- bnad_get_ethtool_stats() returns early in case stats.n_stats is not\n equal to the driver\u0027s stats count.\n- micrel/ksz884x also makes sure not to write anything beyond\n stats.n_stats and overflow the buffer.\n\nHowever, both use stats.n_stats which is already assigned with the value\nreturned from get_sset_count(), hence won\u0027t solve the issue described\nhere.\n\nChange ethtool_get_strings(), ethtool_get_stats(),\nethtool_get_phy_stats() to not return anything in case of a mismatch\nbetween userspace\u0027s size and get_sset_size(), to prevent buffer\noverflow.\nThe returned n_stats value will be equal to zero, to reflect that\nnothing has been returned.\n\nThis could result in one of two cases when using upstream ethtool,\ndepending on when the size change is detected:\n1. When detected in ethtool_get_strings():\n # ethtool -S eth2\n no stats available\n\n2. When detected in get stats, all stats will be reported as zero.\n\nBoth cases are presumably transient, and a subsequent ethtool call\nshould succeed.\n\nOther than the overflow avoidance, these two cases are very evident (no\noutput/cleared stats), which is arguably better than presenting\nincorrect/shifted stats.\nI also considered returning an error instead of a \"silent\" response, but\nthat seems more destructive towards userspace apps.\n\nNotes:\n- This patch does not claim to fix the inherent race, it only makes sure\n that we do not overflow the userspace buffer, and makes for a more\n predictable behavior.\n\n- RTNL lock is held during each ioctl, the race window exists between\n the separate ioctl calls when the lock is released.\n\n- Userspace ethtool always fills stats.n_stats, but it is likely that\n these stats ioctls are implemented in other userspace applications\n which might not fill it. The added code checks that it\u0027s not zero,\n to prevent any regressions."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:42.945Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3df375a1e75483b7d973c3cc2e46aa374db8428b"
},
{
"url": "https://git.kernel.org/stable/c/f9dc0f45d2cd0189ce666288a29d2cc32c2e44d5"
},
{
"url": "https://git.kernel.org/stable/c/4afcb985355210e1688560dc47e64b94dad35d71"
},
{
"url": "https://git.kernel.org/stable/c/ca9983bc3a1189bd72f9ae449d925a66b2616326"
},
{
"url": "https://git.kernel.org/stable/c/7bea09f60f2ad5d232e2db8f1c14e850fd3fd416"
},
{
"url": "https://git.kernel.org/stable/c/4066b5b546293f44cd6d0e84ece6e3ee7ff27093"
},
{
"url": "https://git.kernel.org/stable/c/7b07be1ff1cb6c49869910518650e8d0abc7d25f"
}
],
"title": "ethtool: Avoid overflowing userspace buffer on stats query",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68795",
"datePublished": "2026-01-13T15:29:06.217Z",
"dateReserved": "2025-12-24T10:30:51.041Z",
"dateUpdated": "2026-02-09T08:33:42.945Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68286 (GCVE-0-2025-68286)
Vulnerability from cvelistv5
Published
2025-12-16 15:06
Modified
2025-12-20 08:52
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Check NULL before accessing
[WHAT]
IGT kms_cursor_legacy's long-nonblocking-modeset-vs-cursor-atomic
fails with NULL pointer dereference. This can be reproduced with
both an eDP panel and a DP monitors connected.
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: Oops: 0000 [#1] SMP NOPTI
CPU: 13 UID: 0 PID: 2960 Comm: kms_cursor_lega Not tainted
6.16.0-99-custom #8 PREEMPT(voluntary)
Hardware name: AMD ........
RIP: 0010:dc_stream_get_scanoutpos+0x34/0x130 [amdgpu]
Code: 57 4d 89 c7 41 56 49 89 ce 41 55 49 89 d5 41 54 49
89 fc 53 48 83 ec 18 48 8b 87 a0 64 00 00 48 89 75 d0 48 c7 c6 e0 41 30
c2 <48> 8b 38 48 8b 9f 68 06 00 00 e8 8d d7 fd ff 31 c0 48 81 c3 e0 02
RSP: 0018:ffffd0f3c2bd7608 EFLAGS: 00010292
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffd0f3c2bd7668
RDX: ffffd0f3c2bd7664 RSI: ffffffffc23041e0 RDI: ffff8b32494b8000
RBP: ffffd0f3c2bd7648 R08: ffffd0f3c2bd766c R09: ffffd0f3c2bd7760
R10: ffffd0f3c2bd7820 R11: 0000000000000000 R12: ffff8b32494b8000
R13: ffffd0f3c2bd7664 R14: ffffd0f3c2bd7668 R15: ffffd0f3c2bd766c
FS: 000071f631b68700(0000) GS:ffff8b399f114000(0000)
knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000001b8105000 CR4: 0000000000f50ef0
PKRU: 55555554
Call Trace:
<TASK>
dm_crtc_get_scanoutpos+0xd7/0x180 [amdgpu]
amdgpu_display_get_crtc_scanoutpos+0x86/0x1c0 [amdgpu]
? __pfx_amdgpu_crtc_get_scanout_position+0x10/0x10[amdgpu]
amdgpu_crtc_get_scanout_position+0x27/0x50 [amdgpu]
drm_crtc_vblank_helper_get_vblank_timestamp_internal+0xf7/0x400
drm_crtc_vblank_helper_get_vblank_timestamp+0x1c/0x30
drm_crtc_get_last_vbltimestamp+0x55/0x90
drm_crtc_next_vblank_start+0x45/0xa0
drm_atomic_helper_wait_for_fences+0x81/0x1f0
...
(cherry picked from commit 621e55f1919640acab25383362b96e65f2baea3c)
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c Version: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c Version: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c Version: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c Version: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c Version: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c Version: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/core/dc_stream.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "781f2f32e9c19eb791b52af283c96f9a9677a7f2",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
},
{
"lessThan": "09092269cb762378ca8b56024746b1a136761e0d",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
},
{
"lessThan": "109e9c92543f3105e8e1efd2c5e6b92ef55d5743",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
},
{
"lessThan": "9d1a65cbe3ec5da3003c8434ac7a38dcdc958fd9",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
},
{
"lessThan": "f7cf491cd5b54b5a093bd3fdf76fa2860a7522bf",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
},
{
"lessThan": "62150f1e7ec707da76ff353fb7db51fef9cd6557",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
},
{
"lessThan": "3ce62c189693e8ed7b3abe551802bbc67f3ace54",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/core/dc_stream.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Check NULL before accessing\n\n[WHAT]\nIGT kms_cursor_legacy\u0027s long-nonblocking-modeset-vs-cursor-atomic\nfails with NULL pointer dereference. This can be reproduced with\nboth an eDP panel and a DP monitors connected.\n\n BUG: kernel NULL pointer dereference, address: 0000000000000000\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: Oops: 0000 [#1] SMP NOPTI\n CPU: 13 UID: 0 PID: 2960 Comm: kms_cursor_lega Not tainted\n6.16.0-99-custom #8 PREEMPT(voluntary)\n Hardware name: AMD ........\n RIP: 0010:dc_stream_get_scanoutpos+0x34/0x130 [amdgpu]\n Code: 57 4d 89 c7 41 56 49 89 ce 41 55 49 89 d5 41 54 49\n 89 fc 53 48 83 ec 18 48 8b 87 a0 64 00 00 48 89 75 d0 48 c7 c6 e0 41 30\n c2 \u003c48\u003e 8b 38 48 8b 9f 68 06 00 00 e8 8d d7 fd ff 31 c0 48 81 c3 e0 02\n RSP: 0018:ffffd0f3c2bd7608 EFLAGS: 00010292\n RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffd0f3c2bd7668\n RDX: ffffd0f3c2bd7664 RSI: ffffffffc23041e0 RDI: ffff8b32494b8000\n RBP: ffffd0f3c2bd7648 R08: ffffd0f3c2bd766c R09: ffffd0f3c2bd7760\n R10: ffffd0f3c2bd7820 R11: 0000000000000000 R12: ffff8b32494b8000\n R13: ffffd0f3c2bd7664 R14: ffffd0f3c2bd7668 R15: ffffd0f3c2bd766c\n FS: 000071f631b68700(0000) GS:ffff8b399f114000(0000)\nknlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000000 CR3: 00000001b8105000 CR4: 0000000000f50ef0\n PKRU: 55555554\n Call Trace:\n \u003cTASK\u003e\n dm_crtc_get_scanoutpos+0xd7/0x180 [amdgpu]\n amdgpu_display_get_crtc_scanoutpos+0x86/0x1c0 [amdgpu]\n ? __pfx_amdgpu_crtc_get_scanout_position+0x10/0x10[amdgpu]\n amdgpu_crtc_get_scanout_position+0x27/0x50 [amdgpu]\n drm_crtc_vblank_helper_get_vblank_timestamp_internal+0xf7/0x400\n drm_crtc_vblank_helper_get_vblank_timestamp+0x1c/0x30\n drm_crtc_get_last_vbltimestamp+0x55/0x90\n drm_crtc_next_vblank_start+0x45/0xa0\n drm_atomic_helper_wait_for_fences+0x81/0x1f0\n ...\n\n(cherry picked from commit 621e55f1919640acab25383362b96e65f2baea3c)"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-20T08:52:20.161Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/781f2f32e9c19eb791b52af283c96f9a9677a7f2"
},
{
"url": "https://git.kernel.org/stable/c/09092269cb762378ca8b56024746b1a136761e0d"
},
{
"url": "https://git.kernel.org/stable/c/109e9c92543f3105e8e1efd2c5e6b92ef55d5743"
},
{
"url": "https://git.kernel.org/stable/c/9d1a65cbe3ec5da3003c8434ac7a38dcdc958fd9"
},
{
"url": "https://git.kernel.org/stable/c/f7cf491cd5b54b5a093bd3fdf76fa2860a7522bf"
},
{
"url": "https://git.kernel.org/stable/c/62150f1e7ec707da76ff353fb7db51fef9cd6557"
},
{
"url": "https://git.kernel.org/stable/c/3ce62c189693e8ed7b3abe551802bbc67f3ace54"
}
],
"title": "drm/amd/display: Check NULL before accessing",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68286",
"datePublished": "2025-12-16T15:06:07.838Z",
"dateReserved": "2025-12-16T14:48:05.292Z",
"dateUpdated": "2025-12-20T08:52:20.161Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68353 (GCVE-0-2025-68353)
Vulnerability from cvelistv5
Published
2025-12-24 10:32
Modified
2026-02-09 08:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: vxlan: prevent NULL deref in vxlan_xmit_one
Neither sock4 nor sock6 pointers are guaranteed to be non-NULL in
vxlan_xmit_one, e.g. if the iface is brought down. This can lead to the
following NULL dereference:
BUG: kernel NULL pointer dereference, address: 0000000000000010
Oops: Oops: 0000 [#1] SMP NOPTI
RIP: 0010:vxlan_xmit_one+0xbb3/0x1580
Call Trace:
vxlan_xmit+0x429/0x610
dev_hard_start_xmit+0x55/0xa0
__dev_queue_xmit+0x6d0/0x7f0
ip_finish_output2+0x24b/0x590
ip_output+0x63/0x110
Mentioned commits changed the code path in vxlan_xmit_one and as a side
effect the sock4/6 pointer validity checks in vxlan(6)_get_route were
lost. Fix this by adding back checks.
Since both commits being fixed were released in the same version (v6.7)
and are strongly related, bundle the fixes in a single commit.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/vxlan/vxlan_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4ac26aafdc8c7271414e2e7c0b2cb266a26591bc",
"status": "affected",
"version": "6f19b2c136d98a84d79030b53e23d405edfdc783",
"versionType": "git"
},
{
"lessThan": "1f73a56f986005f0bc64ed23873930e2ee4f5911",
"status": "affected",
"version": "6f19b2c136d98a84d79030b53e23d405edfdc783",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/vxlan/vxlan_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: vxlan: prevent NULL deref in vxlan_xmit_one\n\nNeither sock4 nor sock6 pointers are guaranteed to be non-NULL in\nvxlan_xmit_one, e.g. if the iface is brought down. This can lead to the\nfollowing NULL dereference:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000010\n Oops: Oops: 0000 [#1] SMP NOPTI\n RIP: 0010:vxlan_xmit_one+0xbb3/0x1580\n Call Trace:\n vxlan_xmit+0x429/0x610\n dev_hard_start_xmit+0x55/0xa0\n __dev_queue_xmit+0x6d0/0x7f0\n ip_finish_output2+0x24b/0x590\n ip_output+0x63/0x110\n\nMentioned commits changed the code path in vxlan_xmit_one and as a side\neffect the sock4/6 pointer validity checks in vxlan(6)_get_route were\nlost. Fix this by adding back checks.\n\nSince both commits being fixed were released in the same version (v6.7)\nand are strongly related, bundle the fixes in a single commit."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:31:48.688Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4ac26aafdc8c7271414e2e7c0b2cb266a26591bc"
},
{
"url": "https://git.kernel.org/stable/c/1f73a56f986005f0bc64ed23873930e2ee4f5911"
}
],
"title": "net: vxlan: prevent NULL deref in vxlan_xmit_one",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68353",
"datePublished": "2025-12-24T10:32:44.068Z",
"dateReserved": "2025-12-16T14:48:05.300Z",
"dateUpdated": "2026-02-09T08:31:48.688Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68782 (GCVE-0-2025-68782)
Vulnerability from cvelistv5
Published
2026-01-13 15:28
Modified
2026-02-09 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: target: Reset t_task_cdb pointer in error case
If allocation of cmd->t_task_cdb fails, it remains NULL but is later
dereferenced in the 'err' path.
In case of error, reset NULL t_task_cdb value to point at the default
fixed-size buffer.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 9e95fb805dc043cc8ed878a08d1583e4097a5f80 Version: 9e95fb805dc043cc8ed878a08d1583e4097a5f80 Version: 9e95fb805dc043cc8ed878a08d1583e4097a5f80 Version: 9e95fb805dc043cc8ed878a08d1583e4097a5f80 Version: 9e95fb805dc043cc8ed878a08d1583e4097a5f80 Version: 9e95fb805dc043cc8ed878a08d1583e4097a5f80 Version: 9e95fb805dc043cc8ed878a08d1583e4097a5f80 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/target/target_core_transport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6cac97b12bdab04832e0416d049efcd0d48d303b",
"status": "affected",
"version": "9e95fb805dc043cc8ed878a08d1583e4097a5f80",
"versionType": "git"
},
{
"lessThan": "45fd86b444105c8bd07a763f58635c87e5dc7aea",
"status": "affected",
"version": "9e95fb805dc043cc8ed878a08d1583e4097a5f80",
"versionType": "git"
},
{
"lessThan": "8727663ded659aad55eef21e3864ebf5a4796a96",
"status": "affected",
"version": "9e95fb805dc043cc8ed878a08d1583e4097a5f80",
"versionType": "git"
},
{
"lessThan": "0260ad551b0815eb788d47f32899fbcd65d6f128",
"status": "affected",
"version": "9e95fb805dc043cc8ed878a08d1583e4097a5f80",
"versionType": "git"
},
{
"lessThan": "0d36db68fdb8a3325386fd9523b67735f944e1f3",
"status": "affected",
"version": "9e95fb805dc043cc8ed878a08d1583e4097a5f80",
"versionType": "git"
},
{
"lessThan": "8edbb9e371af186b4cf40819dab65fafe109df4d",
"status": "affected",
"version": "9e95fb805dc043cc8ed878a08d1583e4097a5f80",
"versionType": "git"
},
{
"lessThan": "5053eab38a4c4543522d0c320c639c56a8b59908",
"status": "affected",
"version": "9e95fb805dc043cc8ed878a08d1583e4097a5f80",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/target/target_core_transport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: Reset t_task_cdb pointer in error case\n\nIf allocation of cmd-\u003et_task_cdb fails, it remains NULL but is later\ndereferenced in the \u0027err\u0027 path.\n\nIn case of error, reset NULL t_task_cdb value to point at the default\nfixed-size buffer.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:28.650Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6cac97b12bdab04832e0416d049efcd0d48d303b"
},
{
"url": "https://git.kernel.org/stable/c/45fd86b444105c8bd07a763f58635c87e5dc7aea"
},
{
"url": "https://git.kernel.org/stable/c/8727663ded659aad55eef21e3864ebf5a4796a96"
},
{
"url": "https://git.kernel.org/stable/c/0260ad551b0815eb788d47f32899fbcd65d6f128"
},
{
"url": "https://git.kernel.org/stable/c/0d36db68fdb8a3325386fd9523b67735f944e1f3"
},
{
"url": "https://git.kernel.org/stable/c/8edbb9e371af186b4cf40819dab65fafe109df4d"
},
{
"url": "https://git.kernel.org/stable/c/5053eab38a4c4543522d0c320c639c56a8b59908"
}
],
"title": "scsi: target: Reset t_task_cdb pointer in error case",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68782",
"datePublished": "2026-01-13T15:28:56.929Z",
"dateReserved": "2025-12-24T10:30:51.036Z",
"dateUpdated": "2026-02-09T08:33:28.650Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68728 (GCVE-0-2025-68728)
Vulnerability from cvelistv5
Published
2025-12-24 10:33
Modified
2026-02-09 08:32
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ntfs3: fix uninit memory after failed mi_read in mi_format_new
Fix a KMSAN un-init bug found by syzkaller.
ntfs_get_bh() expects a buffer from sb_getblk(), that buffer may not be
uptodate. We do not bring the buffer uptodate before setting it as
uptodate. If the buffer were to not be uptodate, it could mean adding a
buffer with un-init data to the mi record. Attempting to load that record
will trigger KMSAN.
Avoid this by setting the buffer as uptodate, if it’s not already, by
overwriting it.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 4342306f0f0d5ff4315a204d315c1b51b914fca5 Version: 4342306f0f0d5ff4315a204d315c1b51b914fca5 Version: 4342306f0f0d5ff4315a204d315c1b51b914fca5 Version: 4342306f0f0d5ff4315a204d315c1b51b914fca5 Version: 4342306f0f0d5ff4315a204d315c1b51b914fca5 Version: 4342306f0f0d5ff4315a204d315c1b51b914fca5 Version: 4342306f0f0d5ff4315a204d315c1b51b914fca5 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/fsntfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "afb144bc8e920db43a23e996eb0a6f9bdea84341",
"status": "affected",
"version": "4342306f0f0d5ff4315a204d315c1b51b914fca5",
"versionType": "git"
},
{
"lessThan": "c70b3abfd530c7f574bc25a5f84707e6fdf0def8",
"status": "affected",
"version": "4342306f0f0d5ff4315a204d315c1b51b914fca5",
"versionType": "git"
},
{
"lessThan": "8bf729b96303bb862d7c6dc05edcf51274ae04cf",
"status": "affected",
"version": "4342306f0f0d5ff4315a204d315c1b51b914fca5",
"versionType": "git"
},
{
"lessThan": "7ce8f2028dfccb2161b905cf8ab85cdd9e93909c",
"status": "affected",
"version": "4342306f0f0d5ff4315a204d315c1b51b914fca5",
"versionType": "git"
},
{
"lessThan": "46f2a881e5a7311d41551edb3915e4d4e8802341",
"status": "affected",
"version": "4342306f0f0d5ff4315a204d315c1b51b914fca5",
"versionType": "git"
},
{
"lessThan": "81ffe9a265df3e41534726b852ab08792e3d374d",
"status": "affected",
"version": "4342306f0f0d5ff4315a204d315c1b51b914fca5",
"versionType": "git"
},
{
"lessThan": "73e6b9dacf72a1e7a4265eacca46f8f33e0997d6",
"status": "affected",
"version": "4342306f0f0d5ff4315a204d315c1b51b914fca5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/fsntfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nntfs3: fix uninit memory after failed mi_read in mi_format_new\n\nFix a KMSAN un-init bug found by syzkaller.\n\nntfs_get_bh() expects a buffer from sb_getblk(), that buffer may not be\nuptodate. We do not bring the buffer uptodate before setting it as\nuptodate. If the buffer were to not be uptodate, it could mean adding a\nbuffer with un-init data to the mi record. Attempting to load that record\nwill trigger KMSAN.\n\nAvoid this by setting the buffer as uptodate, if it\u2019s not already, by\noverwriting it."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:32:24.461Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/afb144bc8e920db43a23e996eb0a6f9bdea84341"
},
{
"url": "https://git.kernel.org/stable/c/c70b3abfd530c7f574bc25a5f84707e6fdf0def8"
},
{
"url": "https://git.kernel.org/stable/c/8bf729b96303bb862d7c6dc05edcf51274ae04cf"
},
{
"url": "https://git.kernel.org/stable/c/7ce8f2028dfccb2161b905cf8ab85cdd9e93909c"
},
{
"url": "https://git.kernel.org/stable/c/46f2a881e5a7311d41551edb3915e4d4e8802341"
},
{
"url": "https://git.kernel.org/stable/c/81ffe9a265df3e41534726b852ab08792e3d374d"
},
{
"url": "https://git.kernel.org/stable/c/73e6b9dacf72a1e7a4265eacca46f8f33e0997d6"
}
],
"title": "ntfs3: fix uninit memory after failed mi_read in mi_format_new",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68728",
"datePublished": "2025-12-24T10:33:11.847Z",
"dateReserved": "2025-12-24T10:30:51.028Z",
"dateUpdated": "2026-02-09T08:32:24.461Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71095 (GCVE-0-2025-71095)
Vulnerability from cvelistv5
Published
2026-01-13 15:34
Modified
2026-02-09 08:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: stmmac: fix the crash issue for zero copy XDP_TX action
There is a crash issue when running zero copy XDP_TX action, the crash
log is shown below.
[ 216.122464] Unable to handle kernel paging request at virtual address fffeffff80000000
[ 216.187524] Internal error: Oops: 0000000096000144 [#1] SMP
[ 216.301694] Call trace:
[ 216.304130] dcache_clean_poc+0x20/0x38 (P)
[ 216.308308] __dma_sync_single_for_device+0x1bc/0x1e0
[ 216.313351] stmmac_xdp_xmit_xdpf+0x354/0x400
[ 216.317701] __stmmac_xdp_run_prog+0x164/0x368
[ 216.322139] stmmac_napi_poll_rxtx+0xba8/0xf00
[ 216.326576] __napi_poll+0x40/0x218
[ 216.408054] Kernel panic - not syncing: Oops: Fatal exception in interrupt
For XDP_TX action, the xdp_buff is converted to xdp_frame by
xdp_convert_buff_to_frame(). The memory type of the resulting xdp_frame
depends on the memory type of the xdp_buff. For page pool based xdp_buff
it produces xdp_frame with memory type MEM_TYPE_PAGE_POOL. For zero copy
XSK pool based xdp_buff it produces xdp_frame with memory type
MEM_TYPE_PAGE_ORDER0. However, stmmac_xdp_xmit_back() does not check the
memory type and always uses the page pool type, this leads to invalid
mappings and causes the crash. Therefore, check the xdp_buff memory type
in stmmac_xdp_xmit_back() to fix this issue.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/stmicro/stmmac/stmmac_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3f7823219407f2f18044c2b72366a48810c5c821",
"status": "affected",
"version": "bba2556efad66e7eaa56fece13f7708caa1187f8",
"versionType": "git"
},
{
"lessThan": "4d0ceb7677e1c4616afb96abb4518f70b65abb0d",
"status": "affected",
"version": "bba2556efad66e7eaa56fece13f7708caa1187f8",
"versionType": "git"
},
{
"lessThan": "45ee0462b88396a0bd1df1991f801c89994ea72b",
"status": "affected",
"version": "bba2556efad66e7eaa56fece13f7708caa1187f8",
"versionType": "git"
},
{
"lessThan": "5e5988736a95b1de7f91b10ac2575454b70e4897",
"status": "affected",
"version": "bba2556efad66e7eaa56fece13f7708caa1187f8",
"versionType": "git"
},
{
"lessThan": "a48e232210009be50591fdea8ba7c07b0f566a13",
"status": "affected",
"version": "bba2556efad66e7eaa56fece13f7708caa1187f8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/stmicro/stmmac/stmmac_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: fix the crash issue for zero copy XDP_TX action\n\nThere is a crash issue when running zero copy XDP_TX action, the crash\nlog is shown below.\n\n[ 216.122464] Unable to handle kernel paging request at virtual address fffeffff80000000\n[ 216.187524] Internal error: Oops: 0000000096000144 [#1] SMP\n[ 216.301694] Call trace:\n[ 216.304130] dcache_clean_poc+0x20/0x38 (P)\n[ 216.308308] __dma_sync_single_for_device+0x1bc/0x1e0\n[ 216.313351] stmmac_xdp_xmit_xdpf+0x354/0x400\n[ 216.317701] __stmmac_xdp_run_prog+0x164/0x368\n[ 216.322139] stmmac_napi_poll_rxtx+0xba8/0xf00\n[ 216.326576] __napi_poll+0x40/0x218\n[ 216.408054] Kernel panic - not syncing: Oops: Fatal exception in interrupt\n\nFor XDP_TX action, the xdp_buff is converted to xdp_frame by\nxdp_convert_buff_to_frame(). The memory type of the resulting xdp_frame\ndepends on the memory type of the xdp_buff. For page pool based xdp_buff\nit produces xdp_frame with memory type MEM_TYPE_PAGE_POOL. For zero copy\nXSK pool based xdp_buff it produces xdp_frame with memory type\nMEM_TYPE_PAGE_ORDER0. However, stmmac_xdp_xmit_back() does not check the\nmemory type and always uses the page pool type, this leads to invalid\nmappings and causes the crash. Therefore, check the xdp_buff memory type\nin stmmac_xdp_xmit_back() to fix this issue."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:47.782Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3f7823219407f2f18044c2b72366a48810c5c821"
},
{
"url": "https://git.kernel.org/stable/c/4d0ceb7677e1c4616afb96abb4518f70b65abb0d"
},
{
"url": "https://git.kernel.org/stable/c/45ee0462b88396a0bd1df1991f801c89994ea72b"
},
{
"url": "https://git.kernel.org/stable/c/5e5988736a95b1de7f91b10ac2575454b70e4897"
},
{
"url": "https://git.kernel.org/stable/c/a48e232210009be50591fdea8ba7c07b0f566a13"
}
],
"title": "net: stmmac: fix the crash issue for zero copy XDP_TX action",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71095",
"datePublished": "2026-01-13T15:34:55.392Z",
"dateReserved": "2026-01-13T15:30:19.650Z",
"dateUpdated": "2026-02-09T08:34:47.782Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71108 (GCVE-0-2025-71108)
Vulnerability from cvelistv5
Published
2026-01-14 15:05
Modified
2026-02-09 08:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: typec: ucsi: Handle incorrect num_connectors capability
The UCSI spec states that the num_connectors field is 7 bits, and the
8th bit is reserved and should be set to zero.
Some buggy FW has been known to set this bit, and it can lead to a
system not booting.
Flag that the FW is not behaving correctly, and auto-fix the value
so that the system boots correctly.
Found on Lenovo P1 G8 during Linux enablement program. The FW will
be fixed, but seemed worth addressing in case it hit platforms that
aren't officially Linux supported.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: c1b0bc2dabfa884dea49c02adaf3cd6b52b33d2f Version: c1b0bc2dabfa884dea49c02adaf3cd6b52b33d2f Version: c1b0bc2dabfa884dea49c02adaf3cd6b52b33d2f Version: c1b0bc2dabfa884dea49c02adaf3cd6b52b33d2f Version: c1b0bc2dabfa884dea49c02adaf3cd6b52b33d2f Version: c1b0bc2dabfa884dea49c02adaf3cd6b52b33d2f Version: c1b0bc2dabfa884dea49c02adaf3cd6b52b33d2f |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/typec/ucsi/ucsi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "07c8d2a109d847775b3b4e2c3294c8e1eea75432",
"status": "affected",
"version": "c1b0bc2dabfa884dea49c02adaf3cd6b52b33d2f",
"versionType": "git"
},
{
"lessThan": "58941bbb0050e365a98c64f1fc4a9a0ac127dba6",
"status": "affected",
"version": "c1b0bc2dabfa884dea49c02adaf3cd6b52b33d2f",
"versionType": "git"
},
{
"lessThan": "f72f97d0aee4a993a35f2496bca5efd24827235d",
"status": "affected",
"version": "c1b0bc2dabfa884dea49c02adaf3cd6b52b33d2f",
"versionType": "git"
},
{
"lessThan": "914605b0de8128434eafc9582445306830748b93",
"status": "affected",
"version": "c1b0bc2dabfa884dea49c02adaf3cd6b52b33d2f",
"versionType": "git"
},
{
"lessThan": "3042a57a8e8bce4a3100c3f6f03dc372aab24943",
"status": "affected",
"version": "c1b0bc2dabfa884dea49c02adaf3cd6b52b33d2f",
"versionType": "git"
},
{
"lessThan": "132fe187e0d940f388f839fe2cde9b84106ad20d",
"status": "affected",
"version": "c1b0bc2dabfa884dea49c02adaf3cd6b52b33d2f",
"versionType": "git"
},
{
"lessThan": "30cd2cb1abf4c4acdb1ddb468c946f68939819fb",
"status": "affected",
"version": "c1b0bc2dabfa884dea49c02adaf3cd6b52b33d2f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/typec/ucsi/ucsi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: ucsi: Handle incorrect num_connectors capability\n\nThe UCSI spec states that the num_connectors field is 7 bits, and the\n8th bit is reserved and should be set to zero.\nSome buggy FW has been known to set this bit, and it can lead to a\nsystem not booting.\nFlag that the FW is not behaving correctly, and auto-fix the value\nso that the system boots correctly.\n\nFound on Lenovo P1 G8 during Linux enablement program. The FW will\nbe fixed, but seemed worth addressing in case it hit platforms that\naren\u0027t officially Linux supported."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:02.075Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/07c8d2a109d847775b3b4e2c3294c8e1eea75432"
},
{
"url": "https://git.kernel.org/stable/c/58941bbb0050e365a98c64f1fc4a9a0ac127dba6"
},
{
"url": "https://git.kernel.org/stable/c/f72f97d0aee4a993a35f2496bca5efd24827235d"
},
{
"url": "https://git.kernel.org/stable/c/914605b0de8128434eafc9582445306830748b93"
},
{
"url": "https://git.kernel.org/stable/c/3042a57a8e8bce4a3100c3f6f03dc372aab24943"
},
{
"url": "https://git.kernel.org/stable/c/132fe187e0d940f388f839fe2cde9b84106ad20d"
},
{
"url": "https://git.kernel.org/stable/c/30cd2cb1abf4c4acdb1ddb468c946f68939819fb"
}
],
"title": "usb: typec: ucsi: Handle incorrect num_connectors capability",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71108",
"datePublished": "2026-01-14T15:05:56.553Z",
"dateReserved": "2026-01-13T15:30:19.652Z",
"dateUpdated": "2026-02-09T08:35:02.075Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71107 (GCVE-0-2025-71107)
Vulnerability from cvelistv5
Published
2026-01-14 15:05
Modified
2026-02-09 08:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
f2fs: ensure node page reads complete before f2fs_put_super() finishes
Xfstests generic/335, generic/336 sometimes crash with the following message:
F2FS-fs (dm-0): detect filesystem reference count leak during umount, type: 9, count: 1
------------[ cut here ]------------
kernel BUG at fs/f2fs/super.c:1939!
Oops: invalid opcode: 0000 [#1] SMP NOPTI
CPU: 1 UID: 0 PID: 609351 Comm: umount Tainted: G W 6.17.0-rc5-xfstests-g9dd1835ecda5 #1 PREEMPT(none)
Tainted: [W]=WARN
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:f2fs_put_super+0x3b3/0x3c0
Call Trace:
<TASK>
generic_shutdown_super+0x7e/0x190
kill_block_super+0x1a/0x40
kill_f2fs_super+0x9d/0x190
deactivate_locked_super+0x30/0xb0
cleanup_mnt+0xba/0x150
task_work_run+0x5c/0xa0
exit_to_user_mode_loop+0xb7/0xc0
do_syscall_64+0x1ae/0x1c0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
</TASK>
---[ end trace 0000000000000000 ]---
It appears that sometimes it is possible that f2fs_put_super() is called before
all node page reads are completed.
Adding a call to f2fs_wait_on_all_pages() for F2FS_RD_NODE fixes the problem.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/f2fs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c3031cf2b61f1508662fc95ef9ad505cb0882a5f",
"status": "affected",
"version": "20872584b8c0b006c007da9588a272c9e28d2e18",
"versionType": "git"
},
{
"lessThan": "3b15d5f12935e9e25f9a571e680716bc9ee61025",
"status": "affected",
"version": "20872584b8c0b006c007da9588a272c9e28d2e18",
"versionType": "git"
},
{
"lessThan": "0b36fae23621a09e772c8adf918b9011158f8511",
"status": "affected",
"version": "20872584b8c0b006c007da9588a272c9e28d2e18",
"versionType": "git"
},
{
"lessThan": "297baa4aa263ff8f5b3d246ee16a660d76aa82c4",
"status": "affected",
"version": "20872584b8c0b006c007da9588a272c9e28d2e18",
"versionType": "git"
},
{
"status": "affected",
"version": "0e2577074b459bba7f4016f4d725ede37d48bb22",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/f2fs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: ensure node page reads complete before f2fs_put_super() finishes\n\nXfstests generic/335, generic/336 sometimes crash with the following message:\n\nF2FS-fs (dm-0): detect filesystem reference count leak during umount, type: 9, count: 1\n------------[ cut here ]------------\nkernel BUG at fs/f2fs/super.c:1939!\nOops: invalid opcode: 0000 [#1] SMP NOPTI\nCPU: 1 UID: 0 PID: 609351 Comm: umount Tainted: G W 6.17.0-rc5-xfstests-g9dd1835ecda5 #1 PREEMPT(none)\nTainted: [W]=WARN\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\nRIP: 0010:f2fs_put_super+0x3b3/0x3c0\nCall Trace:\n \u003cTASK\u003e\n generic_shutdown_super+0x7e/0x190\n kill_block_super+0x1a/0x40\n kill_f2fs_super+0x9d/0x190\n deactivate_locked_super+0x30/0xb0\n cleanup_mnt+0xba/0x150\n task_work_run+0x5c/0xa0\n exit_to_user_mode_loop+0xb7/0xc0\n do_syscall_64+0x1ae/0x1c0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n \u003c/TASK\u003e\n---[ end trace 0000000000000000 ]---\n\nIt appears that sometimes it is possible that f2fs_put_super() is called before\nall node page reads are completed.\nAdding a call to f2fs_wait_on_all_pages() for F2FS_RD_NODE fixes the problem."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:00.702Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c3031cf2b61f1508662fc95ef9ad505cb0882a5f"
},
{
"url": "https://git.kernel.org/stable/c/3b15d5f12935e9e25f9a571e680716bc9ee61025"
},
{
"url": "https://git.kernel.org/stable/c/0b36fae23621a09e772c8adf918b9011158f8511"
},
{
"url": "https://git.kernel.org/stable/c/297baa4aa263ff8f5b3d246ee16a660d76aa82c4"
}
],
"title": "f2fs: ensure node page reads complete before f2fs_put_super() finishes",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71107",
"datePublished": "2026-01-14T15:05:55.878Z",
"dateReserved": "2026-01-13T15:30:19.652Z",
"dateUpdated": "2026-02-09T08:35:00.702Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-46777 (GCVE-0-2024-46777)
Vulnerability from cvelistv5
Published
2024-09-18 07:12
Modified
2026-01-05 10:53
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
udf: Avoid excessive partition lengths
Avoid mounting filesystems where the partition would overflow the
32-bits used for block number. Also refuse to mount filesystems where
the partition length is so large we cannot safely index bits in a
block bitmap.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-46777",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-29T14:39:05.257297Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-29T14:39:19.543Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T22:18:17.885Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00003.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/udf/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c0c23130d38e8bc28e9ef581443de9b1fc749966",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1497a4484cdb2cf6c37960d788fb6ba67567bdb7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "551966371e17912564bc387fbeb2ac13077c3db1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2ddf831451357c6da4b64645eb797c93c1c054d1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0173999123082280cf904bd640015951f194a294",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a56330761950cb83de1dfb348479f20c56c95f90",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "925fd8ee80d5348a5e965548e5484d164d19221d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ebbe26fd54a9621994bc16b14f2ba8f84c089693",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/udf/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.322",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.284",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.226",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.51",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.10.*",
"status": "unaffected",
"version": "6.10.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.11",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.322",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.284",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.226",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.167",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.110",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.51",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10.10",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nudf: Avoid excessive partition lengths\n\nAvoid mounting filesystems where the partition would overflow the\n32-bits used for block number. Also refuse to mount filesystems where\nthe partition length is so large we cannot safely index bits in a\nblock bitmap."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:53:18.029Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c0c23130d38e8bc28e9ef581443de9b1fc749966"
},
{
"url": "https://git.kernel.org/stable/c/1497a4484cdb2cf6c37960d788fb6ba67567bdb7"
},
{
"url": "https://git.kernel.org/stable/c/551966371e17912564bc387fbeb2ac13077c3db1"
},
{
"url": "https://git.kernel.org/stable/c/2ddf831451357c6da4b64645eb797c93c1c054d1"
},
{
"url": "https://git.kernel.org/stable/c/0173999123082280cf904bd640015951f194a294"
},
{
"url": "https://git.kernel.org/stable/c/a56330761950cb83de1dfb348479f20c56c95f90"
},
{
"url": "https://git.kernel.org/stable/c/925fd8ee80d5348a5e965548e5484d164d19221d"
},
{
"url": "https://git.kernel.org/stable/c/ebbe26fd54a9621994bc16b14f2ba8f84c089693"
}
],
"title": "udf: Avoid excessive partition lengths",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-46777",
"datePublished": "2024-09-18T07:12:34.315Z",
"dateReserved": "2024-09-11T15:12:18.275Z",
"dateUpdated": "2026-01-05T10:53:18.029Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68773 (GCVE-0-2025-68773)
Vulnerability from cvelistv5
Published
2026-01-13 15:28
Modified
2026-02-09 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
spi: fsl-cpm: Check length parity before switching to 16 bit mode
Commit fc96ec826bce ("spi: fsl-cpm: Use 16 bit mode for large transfers
with even size") failed to make sure that the size is really even
before switching to 16 bit mode. Until recently the problem went
unnoticed because kernfs uses a pre-allocated bounce buffer of size
PAGE_SIZE for reading EEPROM.
But commit 8ad6249c51d0 ("eeprom: at25: convert to spi-mem API")
introduced an additional dynamically allocated bounce buffer whose size
is exactly the size of the transfer, leading to a buffer overrun in
the fsl-cpm driver when that size is odd.
Add the missing length parity verification and remain in 8 bit mode
when the length is not even.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 60afe299bb541a928ba39bcb4ae8d3e428d1c5a5 Version: 4badd33929c05ed314794b95f1af1308f7222be8 Version: 7f6738e003b364783f3019fdf6e7645bc8dd1643 Version: fc96ec826bced75cc6b9c07a4ac44bbf651337ab Version: fc96ec826bced75cc6b9c07a4ac44bbf651337ab Version: fc96ec826bced75cc6b9c07a4ac44bbf651337ab Version: fc96ec826bced75cc6b9c07a4ac44bbf651337ab Version: 42c04316d9275ec267d36e5e9064cd56c9884148 Version: dc120f2d35b030390a2bc0f94dd5f37e900cae91 Version: b558275c1b040f0e5aa56c862241f9212b6118c3 Version: b9d9e8856f1c83e4277403f9b4c369b322ebcb12 Version: 36a6d0f66c874666caf4e8be155b1be30f6231be |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-fsl-spi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c8f1d35076b78df61ace737e41cc1f4b7b63236c",
"status": "affected",
"version": "60afe299bb541a928ba39bcb4ae8d3e428d1c5a5",
"versionType": "git"
},
{
"lessThan": "9c34a4a2ead00979d203a8c16bea87f0ef5291d8",
"status": "affected",
"version": "4badd33929c05ed314794b95f1af1308f7222be8",
"versionType": "git"
},
{
"lessThan": "837a23a11e0f734f096c7c7b0778d0e625e3dc87",
"status": "affected",
"version": "7f6738e003b364783f3019fdf6e7645bc8dd1643",
"versionType": "git"
},
{
"lessThan": "3dd6d01384823e1bd8602873153d6fc4337ac4fe",
"status": "affected",
"version": "fc96ec826bced75cc6b9c07a4ac44bbf651337ab",
"versionType": "git"
},
{
"lessThan": "743cebcbd1b2609ec5057ab474979cef73d1b681",
"status": "affected",
"version": "fc96ec826bced75cc6b9c07a4ac44bbf651337ab",
"versionType": "git"
},
{
"lessThan": "be0b613198e6bfa104ad520397cab82ad3ec1771",
"status": "affected",
"version": "fc96ec826bced75cc6b9c07a4ac44bbf651337ab",
"versionType": "git"
},
{
"lessThan": "1417927df8049a0194933861e9b098669a95c762",
"status": "affected",
"version": "fc96ec826bced75cc6b9c07a4ac44bbf651337ab",
"versionType": "git"
},
{
"status": "affected",
"version": "42c04316d9275ec267d36e5e9064cd56c9884148",
"versionType": "git"
},
{
"status": "affected",
"version": "dc120f2d35b030390a2bc0f94dd5f37e900cae91",
"versionType": "git"
},
{
"status": "affected",
"version": "b558275c1b040f0e5aa56c862241f9212b6118c3",
"versionType": "git"
},
{
"status": "affected",
"version": "b9d9e8856f1c83e4277403f9b4c369b322ebcb12",
"versionType": "git"
},
{
"status": "affected",
"version": "36a6d0f66c874666caf4e8be155b1be30f6231be",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-fsl-spi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.10.181",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.15.114",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "6.1.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.316",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.284",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.244",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.2.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.3.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: fsl-cpm: Check length parity before switching to 16 bit mode\n\nCommit fc96ec826bce (\"spi: fsl-cpm: Use 16 bit mode for large transfers\nwith even size\") failed to make sure that the size is really even\nbefore switching to 16 bit mode. Until recently the problem went\nunnoticed because kernfs uses a pre-allocated bounce buffer of size\nPAGE_SIZE for reading EEPROM.\n\nBut commit 8ad6249c51d0 (\"eeprom: at25: convert to spi-mem API\")\nintroduced an additional dynamically allocated bounce buffer whose size\nis exactly the size of the transfer, leading to a buffer overrun in\nthe fsl-cpm driver when that size is odd.\n\nAdd the missing length parity verification and remain in 8 bit mode\nwhen the length is not even."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:18.538Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c8f1d35076b78df61ace737e41cc1f4b7b63236c"
},
{
"url": "https://git.kernel.org/stable/c/9c34a4a2ead00979d203a8c16bea87f0ef5291d8"
},
{
"url": "https://git.kernel.org/stable/c/837a23a11e0f734f096c7c7b0778d0e625e3dc87"
},
{
"url": "https://git.kernel.org/stable/c/3dd6d01384823e1bd8602873153d6fc4337ac4fe"
},
{
"url": "https://git.kernel.org/stable/c/743cebcbd1b2609ec5057ab474979cef73d1b681"
},
{
"url": "https://git.kernel.org/stable/c/be0b613198e6bfa104ad520397cab82ad3ec1771"
},
{
"url": "https://git.kernel.org/stable/c/1417927df8049a0194933861e9b098669a95c762"
}
],
"title": "spi: fsl-cpm: Check length parity before switching to 16 bit mode",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68773",
"datePublished": "2026-01-13T15:28:50.686Z",
"dateReserved": "2025-12-24T10:30:51.035Z",
"dateUpdated": "2026-02-09T08:33:18.538Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23021 (GCVE-0-2026-23021)
Vulnerability from cvelistv5
Published
2026-01-31 11:39
Modified
2026-02-09 08:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: usb: pegasus: fix memory leak in update_eth_regs_async()
When asynchronously writing to the device registers and if usb_submit_urb()
fail, the code fail to release allocated to this point resources.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 323b34963d113efb566635f43858f40cce01d5f9 Version: 323b34963d113efb566635f43858f40cce01d5f9 Version: 323b34963d113efb566635f43858f40cce01d5f9 Version: 323b34963d113efb566635f43858f40cce01d5f9 Version: 323b34963d113efb566635f43858f40cce01d5f9 Version: 323b34963d113efb566635f43858f40cce01d5f9 Version: 323b34963d113efb566635f43858f40cce01d5f9 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/pegasus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5397ea6d21c35a17707e201a60761bdee00bcc4e",
"status": "affected",
"version": "323b34963d113efb566635f43858f40cce01d5f9",
"versionType": "git"
},
{
"lessThan": "a40af9a2904a1ab8ce61866ebe2a894ef30754ba",
"status": "affected",
"version": "323b34963d113efb566635f43858f40cce01d5f9",
"versionType": "git"
},
{
"lessThan": "ac5d92d2826dec51e5d4c6854865bc5817277452",
"status": "affected",
"version": "323b34963d113efb566635f43858f40cce01d5f9",
"versionType": "git"
},
{
"lessThan": "93f18eaa190374e0f2d253e3b1a65cee19a7abe6",
"status": "affected",
"version": "323b34963d113efb566635f43858f40cce01d5f9",
"versionType": "git"
},
{
"lessThan": "471dfb97599eec74e0476046b3ef8e7037f27b34",
"status": "affected",
"version": "323b34963d113efb566635f43858f40cce01d5f9",
"versionType": "git"
},
{
"lessThan": "ce6eef731aba23a988decea1df3b08cf978f7b01",
"status": "affected",
"version": "323b34963d113efb566635f43858f40cce01d5f9",
"versionType": "git"
},
{
"lessThan": "afa27621a28af317523e0836dad430bec551eb54",
"status": "affected",
"version": "323b34963d113efb566635f43858f40cce01d5f9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/pegasus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.10"
},
{
"lessThan": "3.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: pegasus: fix memory leak in update_eth_regs_async()\n\nWhen asynchronously writing to the device registers and if usb_submit_urb()\nfail, the code fail to release allocated to this point resources."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:37:14.933Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5397ea6d21c35a17707e201a60761bdee00bcc4e"
},
{
"url": "https://git.kernel.org/stable/c/a40af9a2904a1ab8ce61866ebe2a894ef30754ba"
},
{
"url": "https://git.kernel.org/stable/c/ac5d92d2826dec51e5d4c6854865bc5817277452"
},
{
"url": "https://git.kernel.org/stable/c/93f18eaa190374e0f2d253e3b1a65cee19a7abe6"
},
{
"url": "https://git.kernel.org/stable/c/471dfb97599eec74e0476046b3ef8e7037f27b34"
},
{
"url": "https://git.kernel.org/stable/c/ce6eef731aba23a988decea1df3b08cf978f7b01"
},
{
"url": "https://git.kernel.org/stable/c/afa27621a28af317523e0836dad430bec551eb54"
}
],
"title": "net: usb: pegasus: fix memory leak in update_eth_regs_async()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23021",
"datePublished": "2026-01-31T11:39:05.152Z",
"dateReserved": "2026-01-13T15:37:45.941Z",
"dateUpdated": "2026-02-09T08:37:14.933Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22980 (GCVE-0-2026-22980)
Vulnerability from cvelistv5
Published
2026-01-23 15:24
Modified
2026-02-09 08:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nfsd: provide locking for v4_end_grace
Writing to v4_end_grace can race with server shutdown and result in
memory being accessed after it was freed - reclaim_str_hashtbl in
particularly.
We cannot hold nfsd_mutex across the nfsd4_end_grace() call as that is
held while client_tracking_op->init() is called and that can wait for
an upcall to nfsdcltrack which can write to v4_end_grace, resulting in a
deadlock.
nfsd4_end_grace() is also called by the landromat work queue and this
doesn't require locking as server shutdown will stop the work and wait
for it before freeing anything that nfsd4_end_grace() might access.
However, we must be sure that writing to v4_end_grace doesn't restart
the work item after shutdown has already waited for it. For this we
add a new flag protected with nn->client_lock. It is set only while it
is safe to make client tracking calls, and v4_end_grace only schedules
work while the flag is set with the spinlock held.
So this patch adds a nfsd_net field "client_tracking_active" which is
set as described. Another field "grace_end_forced", is set when
v4_end_grace is written. After this is set, and providing
client_tracking_active is set, the laundromat is scheduled.
This "grace_end_forced" field bypasses other checks for whether the
grace period has finished.
This resolves a race which can result in use-after-free.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 7f5ef2e900d9462bf9cffaf6bb246ed87a20a6d6 Version: 7f5ef2e900d9462bf9cffaf6bb246ed87a20a6d6 Version: 7f5ef2e900d9462bf9cffaf6bb246ed87a20a6d6 Version: 7f5ef2e900d9462bf9cffaf6bb246ed87a20a6d6 Version: 7f5ef2e900d9462bf9cffaf6bb246ed87a20a6d6 Version: 7f5ef2e900d9462bf9cffaf6bb246ed87a20a6d6 Version: 7f5ef2e900d9462bf9cffaf6bb246ed87a20a6d6 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfsd/netns.h",
"fs/nfsd/nfs4state.c",
"fs/nfsd/nfsctl.c",
"fs/nfsd/state.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ca97360860eb02e3ae4ba42c19b439a0fcecbf06",
"status": "affected",
"version": "7f5ef2e900d9462bf9cffaf6bb246ed87a20a6d6",
"versionType": "git"
},
{
"lessThan": "e8bfa2401d4c51eca6e48e9b33c798828ca9df61",
"status": "affected",
"version": "7f5ef2e900d9462bf9cffaf6bb246ed87a20a6d6",
"versionType": "git"
},
{
"lessThan": "34eb22836e0cdba093baac66599d68c4cd245a9d",
"status": "affected",
"version": "7f5ef2e900d9462bf9cffaf6bb246ed87a20a6d6",
"versionType": "git"
},
{
"lessThan": "06600719d0f7a723811c45e4d51f5b742f345309",
"status": "affected",
"version": "7f5ef2e900d9462bf9cffaf6bb246ed87a20a6d6",
"versionType": "git"
},
{
"lessThan": "ba4811c8b433bfa681729ca42cc62b6034f223b0",
"status": "affected",
"version": "7f5ef2e900d9462bf9cffaf6bb246ed87a20a6d6",
"versionType": "git"
},
{
"lessThan": "53f07d095e7e680c5e4569a55a019f2c0348cdc6",
"status": "affected",
"version": "7f5ef2e900d9462bf9cffaf6bb246ed87a20a6d6",
"versionType": "git"
},
{
"lessThan": "2857bd59feb63fcf40fe4baf55401baea6b4feb4",
"status": "affected",
"version": "7f5ef2e900d9462bf9cffaf6bb246ed87a20a6d6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfsd/netns.h",
"fs/nfsd/nfs4state.c",
"fs/nfsd/nfsctl.c",
"fs/nfsd/state.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.18"
},
{
"lessThan": "3.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: provide locking for v4_end_grace\n\nWriting to v4_end_grace can race with server shutdown and result in\nmemory being accessed after it was freed - reclaim_str_hashtbl in\nparticularly.\n\nWe cannot hold nfsd_mutex across the nfsd4_end_grace() call as that is\nheld while client_tracking_op-\u003einit() is called and that can wait for\nan upcall to nfsdcltrack which can write to v4_end_grace, resulting in a\ndeadlock.\n\nnfsd4_end_grace() is also called by the landromat work queue and this\ndoesn\u0027t require locking as server shutdown will stop the work and wait\nfor it before freeing anything that nfsd4_end_grace() might access.\n\nHowever, we must be sure that writing to v4_end_grace doesn\u0027t restart\nthe work item after shutdown has already waited for it. For this we\nadd a new flag protected with nn-\u003eclient_lock. It is set only while it\nis safe to make client tracking calls, and v4_end_grace only schedules\nwork while the flag is set with the spinlock held.\n\nSo this patch adds a nfsd_net field \"client_tracking_active\" which is\nset as described. Another field \"grace_end_forced\", is set when\nv4_end_grace is written. After this is set, and providing\nclient_tracking_active is set, the laundromat is scheduled.\nThis \"grace_end_forced\" field bypasses other checks for whether the\ngrace period has finished.\n\nThis resolves a race which can result in use-after-free."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:30.307Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ca97360860eb02e3ae4ba42c19b439a0fcecbf06"
},
{
"url": "https://git.kernel.org/stable/c/e8bfa2401d4c51eca6e48e9b33c798828ca9df61"
},
{
"url": "https://git.kernel.org/stable/c/34eb22836e0cdba093baac66599d68c4cd245a9d"
},
{
"url": "https://git.kernel.org/stable/c/06600719d0f7a723811c45e4d51f5b742f345309"
},
{
"url": "https://git.kernel.org/stable/c/ba4811c8b433bfa681729ca42cc62b6034f223b0"
},
{
"url": "https://git.kernel.org/stable/c/53f07d095e7e680c5e4569a55a019f2c0348cdc6"
},
{
"url": "https://git.kernel.org/stable/c/2857bd59feb63fcf40fe4baf55401baea6b4feb4"
}
],
"title": "nfsd: provide locking for v4_end_grace",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-22980",
"datePublished": "2026-01-23T15:24:02.924Z",
"dateReserved": "2026-01-13T15:37:45.936Z",
"dateUpdated": "2026-02-09T08:36:30.307Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40109 (GCVE-0-2025-40109)
Vulnerability from cvelistv5
Published
2025-11-09 04:35
Modified
2025-12-01 06:18
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: rng - Ensure set_ent is always present
Ensure that set_ent is always set since only drbg provides it.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 77ebdabe8de7c02f43c6de3357f79ff96f9f0579 Version: 77ebdabe8de7c02f43c6de3357f79ff96f9f0579 Version: 77ebdabe8de7c02f43c6de3357f79ff96f9f0579 Version: 77ebdabe8de7c02f43c6de3357f79ff96f9f0579 Version: 77ebdabe8de7c02f43c6de3357f79ff96f9f0579 Version: 77ebdabe8de7c02f43c6de3357f79ff96f9f0579 Version: 77ebdabe8de7c02f43c6de3357f79ff96f9f0579 Version: 77ebdabe8de7c02f43c6de3357f79ff96f9f0579 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"crypto/rng.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "15d6f42da1bb527629d8e1067b1302d58dec9166",
"status": "affected",
"version": "77ebdabe8de7c02f43c6de3357f79ff96f9f0579",
"versionType": "git"
},
{
"lessThan": "bd903c25b652c331831226cdf56c8179d18e43f4",
"status": "affected",
"version": "77ebdabe8de7c02f43c6de3357f79ff96f9f0579",
"versionType": "git"
},
{
"lessThan": "17acbcd44fe8dc17dc1072375e76df2d52da6ac8",
"status": "affected",
"version": "77ebdabe8de7c02f43c6de3357f79ff96f9f0579",
"versionType": "git"
},
{
"lessThan": "ab172f4f42626549b02bada05f09e3f2b0cc26ec",
"status": "affected",
"version": "77ebdabe8de7c02f43c6de3357f79ff96f9f0579",
"versionType": "git"
},
{
"lessThan": "c5c703b50e91dd4748769f4c5ab50d9ad60be370",
"status": "affected",
"version": "77ebdabe8de7c02f43c6de3357f79ff96f9f0579",
"versionType": "git"
},
{
"lessThan": "e247a7d138e514a40edda7c4d72c8bd49bb2cad3",
"status": "affected",
"version": "77ebdabe8de7c02f43c6de3357f79ff96f9f0579",
"versionType": "git"
},
{
"lessThan": "915cb75983bc5e8b80f8a2f25a4af463f7b18c14",
"status": "affected",
"version": "77ebdabe8de7c02f43c6de3357f79ff96f9f0579",
"versionType": "git"
},
{
"lessThan": "c0d36727bf39bb16ef0a67ed608e279535ebf0da",
"status": "affected",
"version": "77ebdabe8de7c02f43c6de3357f79ff96f9f0579",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"crypto/rng.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.52",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.111",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.52",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.12",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.2",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: rng - Ensure set_ent is always present\n\nEnsure that set_ent is always set since only drbg provides it."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:18:12.220Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/15d6f42da1bb527629d8e1067b1302d58dec9166"
},
{
"url": "https://git.kernel.org/stable/c/bd903c25b652c331831226cdf56c8179d18e43f4"
},
{
"url": "https://git.kernel.org/stable/c/17acbcd44fe8dc17dc1072375e76df2d52da6ac8"
},
{
"url": "https://git.kernel.org/stable/c/ab172f4f42626549b02bada05f09e3f2b0cc26ec"
},
{
"url": "https://git.kernel.org/stable/c/c5c703b50e91dd4748769f4c5ab50d9ad60be370"
},
{
"url": "https://git.kernel.org/stable/c/e247a7d138e514a40edda7c4d72c8bd49bb2cad3"
},
{
"url": "https://git.kernel.org/stable/c/915cb75983bc5e8b80f8a2f25a4af463f7b18c14"
},
{
"url": "https://git.kernel.org/stable/c/c0d36727bf39bb16ef0a67ed608e279535ebf0da"
}
],
"title": "crypto: rng - Ensure set_ent is always present",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40109",
"datePublished": "2025-11-09T04:35:59.979Z",
"dateReserved": "2025-04-16T07:20:57.167Z",
"dateUpdated": "2025-12-01T06:18:12.220Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23080 (GCVE-0-2026-23080)
Vulnerability from cvelistv5
Published
2026-02-04 16:08
Modified
2026-02-09 08:38
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: mcba_usb: mcba_usb_read_bulk_callback(): fix URB memory leak
Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb:
gs_usb_receive_bulk_callback(): fix URB memory leak").
In mcba_usb_probe() -> mcba_usb_start(), the URBs for USB-in transfers are
allocated, added to the priv->rx_submitted anchor and submitted. In the
complete callback mcba_usb_read_bulk_callback(), the URBs are processed and
resubmitted. In mcba_usb_close() -> mcba_urb_unlink() the URBs are freed by
calling usb_kill_anchored_urbs(&priv->rx_submitted).
However, this does not take into account that the USB framework unanchors
the URB before the complete function is called. This means that once an
in-URB has been completed, it is no longer anchored and is ultimately not
released in usb_kill_anchored_urbs().
Fix the memory leak by anchoring the URB in the
mcba_usb_read_bulk_callback()to the priv->rx_submitted anchor.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 51f3baad7de943780ce0c17bd7975df567dd6e14 Version: 51f3baad7de943780ce0c17bd7975df567dd6e14 Version: 51f3baad7de943780ce0c17bd7975df567dd6e14 Version: 51f3baad7de943780ce0c17bd7975df567dd6e14 Version: 51f3baad7de943780ce0c17bd7975df567dd6e14 Version: 51f3baad7de943780ce0c17bd7975df567dd6e14 Version: 51f3baad7de943780ce0c17bd7975df567dd6e14 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/mcba_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8b34c611a4feb81921bc4728c091e4e3ba0270c0",
"status": "affected",
"version": "51f3baad7de943780ce0c17bd7975df567dd6e14",
"versionType": "git"
},
{
"lessThan": "b5a1ccdc63b71d93a69a6b72f7a3f3934293ea60",
"status": "affected",
"version": "51f3baad7de943780ce0c17bd7975df567dd6e14",
"versionType": "git"
},
{
"lessThan": "59153b6388e05609144ad56a9b354e9100a91983",
"status": "affected",
"version": "51f3baad7de943780ce0c17bd7975df567dd6e14",
"versionType": "git"
},
{
"lessThan": "179f6f0cf5ae489743273b7c1644324c0c477ea9",
"status": "affected",
"version": "51f3baad7de943780ce0c17bd7975df567dd6e14",
"versionType": "git"
},
{
"lessThan": "94c9f6f7b953f6382fef4bdc48c046b861b8868f",
"status": "affected",
"version": "51f3baad7de943780ce0c17bd7975df567dd6e14",
"versionType": "git"
},
{
"lessThan": "d374d715e338dfc3804aaa006fa6e470ffebb264",
"status": "affected",
"version": "51f3baad7de943780ce0c17bd7975df567dd6e14",
"versionType": "git"
},
{
"lessThan": "710a7529fb13c5a470258ff5508ed3c498d54729",
"status": "affected",
"version": "51f3baad7de943780ce0c17bd7975df567dd6e14",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/mcba_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: mcba_usb: mcba_usb_read_bulk_callback(): fix URB memory leak\n\nFix similar memory leak as in commit 7352e1d5932a (\"can: gs_usb:\ngs_usb_receive_bulk_callback(): fix URB memory leak\").\n\nIn mcba_usb_probe() -\u003e mcba_usb_start(), the URBs for USB-in transfers are\nallocated, added to the priv-\u003erx_submitted anchor and submitted. In the\ncomplete callback mcba_usb_read_bulk_callback(), the URBs are processed and\nresubmitted. In mcba_usb_close() -\u003e mcba_urb_unlink() the URBs are freed by\ncalling usb_kill_anchored_urbs(\u0026priv-\u003erx_submitted).\n\nHowever, this does not take into account that the USB framework unanchors\nthe URB before the complete function is called. This means that once an\nin-URB has been completed, it is no longer anchored and is ultimately not\nreleased in usb_kill_anchored_urbs().\n\nFix the memory leak by anchoring the URB in the\nmcba_usb_read_bulk_callback()to the priv-\u003erx_submitted anchor."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:38:19.968Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8b34c611a4feb81921bc4728c091e4e3ba0270c0"
},
{
"url": "https://git.kernel.org/stable/c/b5a1ccdc63b71d93a69a6b72f7a3f3934293ea60"
},
{
"url": "https://git.kernel.org/stable/c/59153b6388e05609144ad56a9b354e9100a91983"
},
{
"url": "https://git.kernel.org/stable/c/179f6f0cf5ae489743273b7c1644324c0c477ea9"
},
{
"url": "https://git.kernel.org/stable/c/94c9f6f7b953f6382fef4bdc48c046b861b8868f"
},
{
"url": "https://git.kernel.org/stable/c/d374d715e338dfc3804aaa006fa6e470ffebb264"
},
{
"url": "https://git.kernel.org/stable/c/710a7529fb13c5a470258ff5508ed3c498d54729"
}
],
"title": "can: mcba_usb: mcba_usb_read_bulk_callback(): fix URB memory leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23080",
"datePublished": "2026-02-04T16:08:04.982Z",
"dateReserved": "2026-01-13T15:37:45.959Z",
"dateUpdated": "2026-02-09T08:38:19.968Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71104 (GCVE-0-2025-71104)
Vulnerability from cvelistv5
Published
2026-01-14 15:05
Modified
2026-02-09 08:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: x86: Fix VM hard lockup after prolonged inactivity with periodic HV timer
When advancing the target expiration for the guest's APIC timer in periodic
mode, set the expiration to "now" if the target expiration is in the past
(similar to what is done in update_target_expiration()). Blindly adding
the period to the previous target expiration can result in KVM generating
a practically unbounded number of hrtimer IRQs due to programming an
expired timer over and over. In extreme scenarios, e.g. if userspace
pauses/suspends a VM for an extended duration, this can even cause hard
lockups in the host.
Currently, the bug only affects Intel CPUs when using the hypervisor timer
(HV timer), a.k.a. the VMX preemption timer. Unlike the software timer,
a.k.a. hrtimer, which KVM keeps running even on exits to userspace, the
HV timer only runs while the guest is active. As a result, if the vCPU
does not run for an extended duration, there will be a huge gap between
the target expiration and the current time the vCPU resumes running.
Because the target expiration is incremented by only one period on each
timer expiration, this leads to a series of timer expirations occurring
rapidly after the vCPU/VM resumes.
More critically, when the vCPU first triggers a periodic HV timer
expiration after resuming, advancing the expiration by only one period
will result in a target expiration in the past. As a result, the delta
may be calculated as a negative value. When the delta is converted into
an absolute value (tscdeadline is an unsigned u64), the resulting value
can overflow what the HV timer is capable of programming. I.e. the large
value will exceed the VMX Preemption Timer's maximum bit width of
cpu_preemption_timer_multi + 32, and thus cause KVM to switch from the
HV timer to the software timer (hrtimers).
After switching to the software timer, periodic timer expiration callbacks
may be executed consecutively within a single clock interrupt handler,
because hrtimers honors KVM's request for an expiration in the past and
immediately re-invokes KVM's callback after reprogramming. And because
the interrupt handler runs with IRQs disabled, restarting KVM's hrtimer
over and over until the target expiration is advanced to "now" can result
in a hard lockup.
E.g. the following hard lockup was triggered in the host when running a
Windows VM (only relevant because it used the APIC timer in periodic mode)
after resuming the VM from a long suspend (in the host).
NMI watchdog: Watchdog detected hard LOCKUP on cpu 45
...
RIP: 0010:advance_periodic_target_expiration+0x4d/0x80 [kvm]
...
RSP: 0018:ff4f88f5d98d8ef0 EFLAGS: 00000046
RAX: fff0103f91be678e RBX: fff0103f91be678e RCX: 00843a7d9e127bcc
RDX: 0000000000000002 RSI: 0052ca4003697505 RDI: ff440d5bfbdbd500
RBP: ff440d5956f99200 R08: ff2ff2a42deb6a84 R09: 000000000002a6c0
R10: 0122d794016332b3 R11: 0000000000000000 R12: ff440db1af39cfc0
R13: ff440db1af39cfc0 R14: ffffffffc0d4a560 R15: ff440db1af39d0f8
FS: 00007f04a6ffd700(0000) GS:ff440db1af380000(0000) knlGS:000000e38a3b8000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000d5651feff8 CR3: 000000684e038002 CR4: 0000000000773ee0
PKRU: 55555554
Call Trace:
<IRQ>
apic_timer_fn+0x31/0x50 [kvm]
__hrtimer_run_queues+0x100/0x280
hrtimer_interrupt+0x100/0x210
? ttwu_do_wakeup+0x19/0x160
smp_apic_timer_interrupt+0x6a/0x130
apic_timer_interrupt+0xf/0x20
</IRQ>
Moreover, if the suspend duration of the virtual machine is not long enough
to trigger a hard lockup in this scenario, since commit 98c25ead5eda
("KVM: VMX: Move preemption timer <=> hrtimer dance to common x86"), KVM
will continue using the software timer until the guest reprograms the APIC
timer in some way. Since the periodic timer does not require frequent APIC
timer register programming, the guest may continue to use the software
timer in
---truncated---
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: d8f2f498d9ed0c5010bc1bbc1146f94c8bf9f8cc Version: d8f2f498d9ed0c5010bc1bbc1146f94c8bf9f8cc Version: d8f2f498d9ed0c5010bc1bbc1146f94c8bf9f8cc Version: d8f2f498d9ed0c5010bc1bbc1146f94c8bf9f8cc Version: d8f2f498d9ed0c5010bc1bbc1146f94c8bf9f8cc Version: d8f2f498d9ed0c5010bc1bbc1146f94c8bf9f8cc Version: d8f2f498d9ed0c5010bc1bbc1146f94c8bf9f8cc Version: 421e1fadb0b0a648cc75afd5b3c826fa7daeaffc Version: 5a69b7b69beae9bb86e7e1b095685087976cba47 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/lapic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "786ed625c125c5cd180d6aaa37e653e3e4ffb8d9",
"status": "affected",
"version": "d8f2f498d9ed0c5010bc1bbc1146f94c8bf9f8cc",
"versionType": "git"
},
{
"lessThan": "d2da0df7bbc4fb4fd7d0a1da704f81a09c72fe73",
"status": "affected",
"version": "d8f2f498d9ed0c5010bc1bbc1146f94c8bf9f8cc",
"versionType": "git"
},
{
"lessThan": "807dbe8f3862fa7c164155857550ce94b36a11b9",
"status": "affected",
"version": "d8f2f498d9ed0c5010bc1bbc1146f94c8bf9f8cc",
"versionType": "git"
},
{
"lessThan": "7b54ccef865e0aa62e4871d4ada2ba4b9dcb8bed",
"status": "affected",
"version": "d8f2f498d9ed0c5010bc1bbc1146f94c8bf9f8cc",
"versionType": "git"
},
{
"lessThan": "e746e51947053a02af2ea964593dc4887108d379",
"status": "affected",
"version": "d8f2f498d9ed0c5010bc1bbc1146f94c8bf9f8cc",
"versionType": "git"
},
{
"lessThan": "e23f46f1a971c73dad2fd63e1408696114ddebe2",
"status": "affected",
"version": "d8f2f498d9ed0c5010bc1bbc1146f94c8bf9f8cc",
"versionType": "git"
},
{
"lessThan": "18ab3fc8e880791aa9f7c000261320fc812b5465",
"status": "affected",
"version": "d8f2f498d9ed0c5010bc1bbc1146f94c8bf9f8cc",
"versionType": "git"
},
{
"status": "affected",
"version": "421e1fadb0b0a648cc75afd5b3c826fa7daeaffc",
"versionType": "git"
},
{
"status": "affected",
"version": "5a69b7b69beae9bb86e7e1b095685087976cba47",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/lapic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.45",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.16.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Fix VM hard lockup after prolonged inactivity with periodic HV timer\n\nWhen advancing the target expiration for the guest\u0027s APIC timer in periodic\nmode, set the expiration to \"now\" if the target expiration is in the past\n(similar to what is done in update_target_expiration()). Blindly adding\nthe period to the previous target expiration can result in KVM generating\na practically unbounded number of hrtimer IRQs due to programming an\nexpired timer over and over. In extreme scenarios, e.g. if userspace\npauses/suspends a VM for an extended duration, this can even cause hard\nlockups in the host.\n\nCurrently, the bug only affects Intel CPUs when using the hypervisor timer\n(HV timer), a.k.a. the VMX preemption timer. Unlike the software timer,\na.k.a. hrtimer, which KVM keeps running even on exits to userspace, the\nHV timer only runs while the guest is active. As a result, if the vCPU\ndoes not run for an extended duration, there will be a huge gap between\nthe target expiration and the current time the vCPU resumes running.\nBecause the target expiration is incremented by only one period on each\ntimer expiration, this leads to a series of timer expirations occurring\nrapidly after the vCPU/VM resumes.\n\nMore critically, when the vCPU first triggers a periodic HV timer\nexpiration after resuming, advancing the expiration by only one period\nwill result in a target expiration in the past. As a result, the delta\nmay be calculated as a negative value. When the delta is converted into\nan absolute value (tscdeadline is an unsigned u64), the resulting value\ncan overflow what the HV timer is capable of programming. I.e. the large\nvalue will exceed the VMX Preemption Timer\u0027s maximum bit width of\ncpu_preemption_timer_multi + 32, and thus cause KVM to switch from the\nHV timer to the software timer (hrtimers).\n\nAfter switching to the software timer, periodic timer expiration callbacks\nmay be executed consecutively within a single clock interrupt handler,\nbecause hrtimers honors KVM\u0027s request for an expiration in the past and\nimmediately re-invokes KVM\u0027s callback after reprogramming. And because\nthe interrupt handler runs with IRQs disabled, restarting KVM\u0027s hrtimer\nover and over until the target expiration is advanced to \"now\" can result\nin a hard lockup.\n\nE.g. the following hard lockup was triggered in the host when running a\nWindows VM (only relevant because it used the APIC timer in periodic mode)\nafter resuming the VM from a long suspend (in the host).\n\n NMI watchdog: Watchdog detected hard LOCKUP on cpu 45\n ...\n RIP: 0010:advance_periodic_target_expiration+0x4d/0x80 [kvm]\n ...\n RSP: 0018:ff4f88f5d98d8ef0 EFLAGS: 00000046\n RAX: fff0103f91be678e RBX: fff0103f91be678e RCX: 00843a7d9e127bcc\n RDX: 0000000000000002 RSI: 0052ca4003697505 RDI: ff440d5bfbdbd500\n RBP: ff440d5956f99200 R08: ff2ff2a42deb6a84 R09: 000000000002a6c0\n R10: 0122d794016332b3 R11: 0000000000000000 R12: ff440db1af39cfc0\n R13: ff440db1af39cfc0 R14: ffffffffc0d4a560 R15: ff440db1af39d0f8\n FS: 00007f04a6ffd700(0000) GS:ff440db1af380000(0000) knlGS:000000e38a3b8000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000000d5651feff8 CR3: 000000684e038002 CR4: 0000000000773ee0\n PKRU: 55555554\n Call Trace:\n \u003cIRQ\u003e\n apic_timer_fn+0x31/0x50 [kvm]\n __hrtimer_run_queues+0x100/0x280\n hrtimer_interrupt+0x100/0x210\n ? ttwu_do_wakeup+0x19/0x160\n smp_apic_timer_interrupt+0x6a/0x130\n apic_timer_interrupt+0xf/0x20\n \u003c/IRQ\u003e\n\nMoreover, if the suspend duration of the virtual machine is not long enough\nto trigger a hard lockup in this scenario, since commit 98c25ead5eda\n(\"KVM: VMX: Move preemption timer \u003c=\u003e hrtimer dance to common x86\"), KVM\nwill continue using the software timer until the guest reprograms the APIC\ntimer in some way. Since the periodic timer does not require frequent APIC\ntimer register programming, the guest may continue to use the software\ntimer in \n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:57.200Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/786ed625c125c5cd180d6aaa37e653e3e4ffb8d9"
},
{
"url": "https://git.kernel.org/stable/c/d2da0df7bbc4fb4fd7d0a1da704f81a09c72fe73"
},
{
"url": "https://git.kernel.org/stable/c/807dbe8f3862fa7c164155857550ce94b36a11b9"
},
{
"url": "https://git.kernel.org/stable/c/7b54ccef865e0aa62e4871d4ada2ba4b9dcb8bed"
},
{
"url": "https://git.kernel.org/stable/c/e746e51947053a02af2ea964593dc4887108d379"
},
{
"url": "https://git.kernel.org/stable/c/e23f46f1a971c73dad2fd63e1408696114ddebe2"
},
{
"url": "https://git.kernel.org/stable/c/18ab3fc8e880791aa9f7c000261320fc812b5465"
}
],
"title": "KVM: x86: Fix VM hard lockup after prolonged inactivity with periodic HV timer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71104",
"datePublished": "2026-01-14T15:05:53.802Z",
"dateReserved": "2026-01-13T15:30:19.651Z",
"dateUpdated": "2026-02-09T08:34:57.200Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71094 (GCVE-0-2025-71094)
Vulnerability from cvelistv5
Published
2026-01-13 15:34
Modified
2026-02-09 08:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: usb: asix: validate PHY address before use
The ASIX driver reads the PHY address from the USB device via
asix_read_phy_addr(). A malicious or faulty device can return an
invalid address (>= PHY_MAX_ADDR), which causes a warning in
mdiobus_get_phy():
addr 207 out of range
WARNING: drivers/net/phy/mdio_bus.c:76
Validate the PHY address in asix_read_phy_addr() and remove the
now-redundant check in ax88172a.c.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 7e88b11a862afe59ee0c365123ea5fb96a26cb3b Version: 7e88b11a862afe59ee0c365123ea5fb96a26cb3b Version: 7e88b11a862afe59ee0c365123ea5fb96a26cb3b Version: 7e88b11a862afe59ee0c365123ea5fb96a26cb3b Version: 7e88b11a862afe59ee0c365123ea5fb96a26cb3b Version: 7e88b11a862afe59ee0c365123ea5fb96a26cb3b Version: 4e4f3cb41d687bd64cd03358862b23c84d82329e |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/asix_common.c",
"drivers/net/usb/ax88172a.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fc96018f09f8d30586ca6582c5045a84eafef146",
"status": "affected",
"version": "7e88b11a862afe59ee0c365123ea5fb96a26cb3b",
"versionType": "git"
},
{
"lessThan": "f5f4f30f3811d37e1aa48667c36add74e5a8d99f",
"status": "affected",
"version": "7e88b11a862afe59ee0c365123ea5fb96a26cb3b",
"versionType": "git"
},
{
"lessThan": "38722e69ee64dbb020028c93898d25d6f4c0e0b2",
"status": "affected",
"version": "7e88b11a862afe59ee0c365123ea5fb96a26cb3b",
"versionType": "git"
},
{
"lessThan": "98a12c2547a44a5f03f35c108d2022cc652cbc4d",
"status": "affected",
"version": "7e88b11a862afe59ee0c365123ea5fb96a26cb3b",
"versionType": "git"
},
{
"lessThan": "bf8a0f3b787ca7c5889bfca12c60c483041fbee3",
"status": "affected",
"version": "7e88b11a862afe59ee0c365123ea5fb96a26cb3b",
"versionType": "git"
},
{
"lessThan": "a1e077a3f76eea0dc671ed6792e7d543946227e8",
"status": "affected",
"version": "7e88b11a862afe59ee0c365123ea5fb96a26cb3b",
"versionType": "git"
},
{
"status": "affected",
"version": "4e4f3cb41d687bd64cd03358862b23c84d82329e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/asix_common.c",
"drivers/net/usb/ax88172a.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.13.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: asix: validate PHY address before use\n\nThe ASIX driver reads the PHY address from the USB device via\nasix_read_phy_addr(). A malicious or faulty device can return an\ninvalid address (\u003e= PHY_MAX_ADDR), which causes a warning in\nmdiobus_get_phy():\n\n addr 207 out of range\n WARNING: drivers/net/phy/mdio_bus.c:76\n\nValidate the PHY address in asix_read_phy_addr() and remove the\nnow-redundant check in ax88172a.c."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:46.736Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fc96018f09f8d30586ca6582c5045a84eafef146"
},
{
"url": "https://git.kernel.org/stable/c/f5f4f30f3811d37e1aa48667c36add74e5a8d99f"
},
{
"url": "https://git.kernel.org/stable/c/38722e69ee64dbb020028c93898d25d6f4c0e0b2"
},
{
"url": "https://git.kernel.org/stable/c/98a12c2547a44a5f03f35c108d2022cc652cbc4d"
},
{
"url": "https://git.kernel.org/stable/c/bf8a0f3b787ca7c5889bfca12c60c483041fbee3"
},
{
"url": "https://git.kernel.org/stable/c/a1e077a3f76eea0dc671ed6792e7d543946227e8"
}
],
"title": "net: usb: asix: validate PHY address before use",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71094",
"datePublished": "2026-01-13T15:34:54.669Z",
"dateReserved": "2026-01-13T15:30:19.650Z",
"dateUpdated": "2026-02-09T08:34:46.736Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40088 (GCVE-0-2025-40088)
Vulnerability from cvelistv5
Published
2025-10-30 09:47
Modified
2026-01-02 15:32
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp()
The hfsplus_strcasecmp() logic can trigger the issue:
[ 117.317703][ T9855] ==================================================================
[ 117.318353][ T9855] BUG: KASAN: slab-out-of-bounds in hfsplus_strcasecmp+0x1bc/0x490
[ 117.318991][ T9855] Read of size 2 at addr ffff88802160f40c by task repro/9855
[ 117.319577][ T9855]
[ 117.319773][ T9855] CPU: 0 UID: 0 PID: 9855 Comm: repro Not tainted 6.17.0-rc6 #33 PREEMPT(full)
[ 117.319780][ T9855] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 117.319783][ T9855] Call Trace:
[ 117.319785][ T9855] <TASK>
[ 117.319788][ T9855] dump_stack_lvl+0x1c1/0x2a0
[ 117.319795][ T9855] ? __virt_addr_valid+0x1c8/0x5c0
[ 117.319803][ T9855] ? __pfx_dump_stack_lvl+0x10/0x10
[ 117.319808][ T9855] ? rcu_is_watching+0x15/0xb0
[ 117.319816][ T9855] ? lock_release+0x4b/0x3e0
[ 117.319821][ T9855] ? __kasan_check_byte+0x12/0x40
[ 117.319828][ T9855] ? __virt_addr_valid+0x1c8/0x5c0
[ 117.319835][ T9855] ? __virt_addr_valid+0x4a5/0x5c0
[ 117.319842][ T9855] print_report+0x17e/0x7e0
[ 117.319848][ T9855] ? __virt_addr_valid+0x1c8/0x5c0
[ 117.319855][ T9855] ? __virt_addr_valid+0x4a5/0x5c0
[ 117.319862][ T9855] ? __phys_addr+0xd3/0x180
[ 117.319869][ T9855] ? hfsplus_strcasecmp+0x1bc/0x490
[ 117.319876][ T9855] kasan_report+0x147/0x180
[ 117.319882][ T9855] ? hfsplus_strcasecmp+0x1bc/0x490
[ 117.319891][ T9855] hfsplus_strcasecmp+0x1bc/0x490
[ 117.319900][ T9855] ? __pfx_hfsplus_cat_case_cmp_key+0x10/0x10
[ 117.319906][ T9855] hfs_find_rec_by_key+0xa9/0x1e0
[ 117.319913][ T9855] __hfsplus_brec_find+0x18e/0x470
[ 117.319920][ T9855] ? __pfx_hfsplus_bnode_find+0x10/0x10
[ 117.319926][ T9855] ? __pfx_hfs_find_rec_by_key+0x10/0x10
[ 117.319933][ T9855] ? __pfx___hfsplus_brec_find+0x10/0x10
[ 117.319942][ T9855] hfsplus_brec_find+0x28f/0x510
[ 117.319949][ T9855] ? __pfx_hfs_find_rec_by_key+0x10/0x10
[ 117.319956][ T9855] ? __pfx_hfsplus_brec_find+0x10/0x10
[ 117.319963][ T9855] ? __kmalloc_noprof+0x2a9/0x510
[ 117.319969][ T9855] ? hfsplus_find_init+0x8c/0x1d0
[ 117.319976][ T9855] hfsplus_brec_read+0x2b/0x120
[ 117.319983][ T9855] hfsplus_lookup+0x2aa/0x890
[ 117.319990][ T9855] ? __pfx_hfsplus_lookup+0x10/0x10
[ 117.320003][ T9855] ? d_alloc_parallel+0x2f0/0x15e0
[ 117.320008][ T9855] ? __lock_acquire+0xaec/0xd80
[ 117.320013][ T9855] ? __pfx_d_alloc_parallel+0x10/0x10
[ 117.320019][ T9855] ? __raw_spin_lock_init+0x45/0x100
[ 117.320026][ T9855] ? __init_waitqueue_head+0xa9/0x150
[ 117.320034][ T9855] __lookup_slow+0x297/0x3d0
[ 117.320039][ T9855] ? __pfx___lookup_slow+0x10/0x10
[ 117.320045][ T9855] ? down_read+0x1ad/0x2e0
[ 117.320055][ T9855] lookup_slow+0x53/0x70
[ 117.320065][ T9855] walk_component+0x2f0/0x430
[ 117.320073][ T9855] path_lookupat+0x169/0x440
[ 117.320081][ T9855] filename_lookup+0x212/0x590
[ 117.320089][ T9855] ? __pfx_filename_lookup+0x10/0x10
[ 117.320098][ T9855] ? strncpy_from_user+0x150/0x290
[ 117.320105][ T9855] ? getname_flags+0x1e5/0x540
[ 117.320112][ T9855] user_path_at+0x3a/0x60
[ 117.320117][ T9855] __x64_sys_umount+0xee/0x160
[ 117.320123][ T9855] ? __pfx___x64_sys_umount+0x10/0x10
[ 117.320129][ T9855] ? do_syscall_64+0xb7/0x3a0
[ 117.320135][ T9855] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 117.320141][ T9855] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 117.320145][ T9855] do_syscall_64+0xf3/0x3a0
[ 117.320150][ T9855] ? exc_page_fault+0x9f/0xf0
[ 117.320154][ T9855] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 117.320158][ T9855] RIP: 0033:0x7f7dd7908b07
[ 117.320163][ T9855] Code: 23 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 08
[ 117.320167][ T9855] RSP: 002b:00007ffd5ebd9698 EFLAGS: 00000202
---truncated---
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/hfsplus/unicode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "603158d4efa98a13a746bd586c20f194f4a31ec8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ef250c3edd995d7bb5a5e5122ffad1c28a8686eb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7ab44236b32ed41eb0636797e8e8e885a2f3b18a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b47a75b6f762321f9eb6f31aab7bce47a37063b7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4f5ab4a9c6abd8b0d713cc2b7b041bc10d70f241",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "586c75dfd1d265c4150f6529debb85c9d62e101f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4bc081ba6c52b0c88c92701e3fbc33c7e2277afb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "42520df65bf67189541a425f7d36b0b3e7bd7844",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/hfsplus/unicode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.196",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.114",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.196",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.114",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.55",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.5",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp()\n\nThe hfsplus_strcasecmp() logic can trigger the issue:\n\n[ 117.317703][ T9855] ==================================================================\n[ 117.318353][ T9855] BUG: KASAN: slab-out-of-bounds in hfsplus_strcasecmp+0x1bc/0x490\n[ 117.318991][ T9855] Read of size 2 at addr ffff88802160f40c by task repro/9855\n[ 117.319577][ T9855]\n[ 117.319773][ T9855] CPU: 0 UID: 0 PID: 9855 Comm: repro Not tainted 6.17.0-rc6 #33 PREEMPT(full)\n[ 117.319780][ T9855] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[ 117.319783][ T9855] Call Trace:\n[ 117.319785][ T9855] \u003cTASK\u003e\n[ 117.319788][ T9855] dump_stack_lvl+0x1c1/0x2a0\n[ 117.319795][ T9855] ? __virt_addr_valid+0x1c8/0x5c0\n[ 117.319803][ T9855] ? __pfx_dump_stack_lvl+0x10/0x10\n[ 117.319808][ T9855] ? rcu_is_watching+0x15/0xb0\n[ 117.319816][ T9855] ? lock_release+0x4b/0x3e0\n[ 117.319821][ T9855] ? __kasan_check_byte+0x12/0x40\n[ 117.319828][ T9855] ? __virt_addr_valid+0x1c8/0x5c0\n[ 117.319835][ T9855] ? __virt_addr_valid+0x4a5/0x5c0\n[ 117.319842][ T9855] print_report+0x17e/0x7e0\n[ 117.319848][ T9855] ? __virt_addr_valid+0x1c8/0x5c0\n[ 117.319855][ T9855] ? __virt_addr_valid+0x4a5/0x5c0\n[ 117.319862][ T9855] ? __phys_addr+0xd3/0x180\n[ 117.319869][ T9855] ? hfsplus_strcasecmp+0x1bc/0x490\n[ 117.319876][ T9855] kasan_report+0x147/0x180\n[ 117.319882][ T9855] ? hfsplus_strcasecmp+0x1bc/0x490\n[ 117.319891][ T9855] hfsplus_strcasecmp+0x1bc/0x490\n[ 117.319900][ T9855] ? __pfx_hfsplus_cat_case_cmp_key+0x10/0x10\n[ 117.319906][ T9855] hfs_find_rec_by_key+0xa9/0x1e0\n[ 117.319913][ T9855] __hfsplus_brec_find+0x18e/0x470\n[ 117.319920][ T9855] ? __pfx_hfsplus_bnode_find+0x10/0x10\n[ 117.319926][ T9855] ? __pfx_hfs_find_rec_by_key+0x10/0x10\n[ 117.319933][ T9855] ? __pfx___hfsplus_brec_find+0x10/0x10\n[ 117.319942][ T9855] hfsplus_brec_find+0x28f/0x510\n[ 117.319949][ T9855] ? __pfx_hfs_find_rec_by_key+0x10/0x10\n[ 117.319956][ T9855] ? __pfx_hfsplus_brec_find+0x10/0x10\n[ 117.319963][ T9855] ? __kmalloc_noprof+0x2a9/0x510\n[ 117.319969][ T9855] ? hfsplus_find_init+0x8c/0x1d0\n[ 117.319976][ T9855] hfsplus_brec_read+0x2b/0x120\n[ 117.319983][ T9855] hfsplus_lookup+0x2aa/0x890\n[ 117.319990][ T9855] ? __pfx_hfsplus_lookup+0x10/0x10\n[ 117.320003][ T9855] ? d_alloc_parallel+0x2f0/0x15e0\n[ 117.320008][ T9855] ? __lock_acquire+0xaec/0xd80\n[ 117.320013][ T9855] ? __pfx_d_alloc_parallel+0x10/0x10\n[ 117.320019][ T9855] ? __raw_spin_lock_init+0x45/0x100\n[ 117.320026][ T9855] ? __init_waitqueue_head+0xa9/0x150\n[ 117.320034][ T9855] __lookup_slow+0x297/0x3d0\n[ 117.320039][ T9855] ? __pfx___lookup_slow+0x10/0x10\n[ 117.320045][ T9855] ? down_read+0x1ad/0x2e0\n[ 117.320055][ T9855] lookup_slow+0x53/0x70\n[ 117.320065][ T9855] walk_component+0x2f0/0x430\n[ 117.320073][ T9855] path_lookupat+0x169/0x440\n[ 117.320081][ T9855] filename_lookup+0x212/0x590\n[ 117.320089][ T9855] ? __pfx_filename_lookup+0x10/0x10\n[ 117.320098][ T9855] ? strncpy_from_user+0x150/0x290\n[ 117.320105][ T9855] ? getname_flags+0x1e5/0x540\n[ 117.320112][ T9855] user_path_at+0x3a/0x60\n[ 117.320117][ T9855] __x64_sys_umount+0xee/0x160\n[ 117.320123][ T9855] ? __pfx___x64_sys_umount+0x10/0x10\n[ 117.320129][ T9855] ? do_syscall_64+0xb7/0x3a0\n[ 117.320135][ T9855] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[ 117.320141][ T9855] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[ 117.320145][ T9855] do_syscall_64+0xf3/0x3a0\n[ 117.320150][ T9855] ? exc_page_fault+0x9f/0xf0\n[ 117.320154][ T9855] entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[ 117.320158][ T9855] RIP: 0033:0x7f7dd7908b07\n[ 117.320163][ T9855] Code: 23 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 08\n[ 117.320167][ T9855] RSP: 002b:00007ffd5ebd9698 EFLAGS: 00000202 \n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:32:59.198Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/603158d4efa98a13a746bd586c20f194f4a31ec8"
},
{
"url": "https://git.kernel.org/stable/c/ef250c3edd995d7bb5a5e5122ffad1c28a8686eb"
},
{
"url": "https://git.kernel.org/stable/c/7ab44236b32ed41eb0636797e8e8e885a2f3b18a"
},
{
"url": "https://git.kernel.org/stable/c/b47a75b6f762321f9eb6f31aab7bce47a37063b7"
},
{
"url": "https://git.kernel.org/stable/c/4f5ab4a9c6abd8b0d713cc2b7b041bc10d70f241"
},
{
"url": "https://git.kernel.org/stable/c/586c75dfd1d265c4150f6529debb85c9d62e101f"
},
{
"url": "https://git.kernel.org/stable/c/4bc081ba6c52b0c88c92701e3fbc33c7e2277afb"
},
{
"url": "https://git.kernel.org/stable/c/42520df65bf67189541a425f7d36b0b3e7bd7844"
}
],
"title": "hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40088",
"datePublished": "2025-10-30T09:47:57.333Z",
"dateReserved": "2025-04-16T07:20:57.162Z",
"dateUpdated": "2026-01-02T15:32:59.198Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23064 (GCVE-0-2026-23064)
Vulnerability from cvelistv5
Published
2026-02-04 16:07
Modified
2026-02-09 08:38
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: act_ife: avoid possible NULL deref
tcf_ife_encode() must make sure ife_encode() does not return NULL.
syzbot reported:
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
RIP: 0010:ife_tlv_meta_encode+0x41/0xa0 net/ife/ife.c:166
CPU: 3 UID: 0 PID: 8990 Comm: syz.0.696 Not tainted syzkaller #0 PREEMPT(full)
Call Trace:
<TASK>
ife_encode_meta_u32+0x153/0x180 net/sched/act_ife.c:101
tcf_ife_encode net/sched/act_ife.c:841 [inline]
tcf_ife_act+0x1022/0x1de0 net/sched/act_ife.c:877
tc_act include/net/tc_wrapper.h:130 [inline]
tcf_action_exec+0x1c0/0xa20 net/sched/act_api.c:1152
tcf_exts_exec include/net/pkt_cls.h:349 [inline]
mall_classify+0x1a0/0x2a0 net/sched/cls_matchall.c:42
tc_classify include/net/tc_wrapper.h:197 [inline]
__tcf_classify net/sched/cls_api.c:1764 [inline]
tcf_classify+0x7f2/0x1380 net/sched/cls_api.c:1860
multiq_classify net/sched/sch_multiq.c:39 [inline]
multiq_enqueue+0xe0/0x510 net/sched/sch_multiq.c:66
dev_qdisc_enqueue+0x45/0x250 net/core/dev.c:4147
__dev_xmit_skb net/core/dev.c:4262 [inline]
__dev_queue_xmit+0x2998/0x46c0 net/core/dev.c:4798
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 295a6e06d21e1f469c9f38b00125a13b60ad4e7c Version: 295a6e06d21e1f469c9f38b00125a13b60ad4e7c Version: 295a6e06d21e1f469c9f38b00125a13b60ad4e7c Version: 295a6e06d21e1f469c9f38b00125a13b60ad4e7c Version: 295a6e06d21e1f469c9f38b00125a13b60ad4e7c Version: 295a6e06d21e1f469c9f38b00125a13b60ad4e7c Version: 295a6e06d21e1f469c9f38b00125a13b60ad4e7c |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/act_ife.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4ef2c77851676b7ed106f0c47755bee9eeec9a40",
"status": "affected",
"version": "295a6e06d21e1f469c9f38b00125a13b60ad4e7c",
"versionType": "git"
},
{
"lessThan": "dd9442aedbeae87c44cc64c0ee41abd296dc008b",
"status": "affected",
"version": "295a6e06d21e1f469c9f38b00125a13b60ad4e7c",
"versionType": "git"
},
{
"lessThan": "1440d749fe49c8665da6f744323b1671d25a56a0",
"status": "affected",
"version": "295a6e06d21e1f469c9f38b00125a13b60ad4e7c",
"versionType": "git"
},
{
"lessThan": "03710cebfc0bcfe247a9e04381e79ea33896e278",
"status": "affected",
"version": "295a6e06d21e1f469c9f38b00125a13b60ad4e7c",
"versionType": "git"
},
{
"lessThan": "374915dfc932adf57712df3be010667fd1190e3c",
"status": "affected",
"version": "295a6e06d21e1f469c9f38b00125a13b60ad4e7c",
"versionType": "git"
},
{
"lessThan": "6c75fed55080014545f262b7055081cec4768b20",
"status": "affected",
"version": "295a6e06d21e1f469c9f38b00125a13b60ad4e7c",
"versionType": "git"
},
{
"lessThan": "27880b0b0d35ad1c98863d09788254e36f874968",
"status": "affected",
"version": "295a6e06d21e1f469c9f38b00125a13b60ad4e7c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/act_ife.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.11"
},
{
"lessThan": "4.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_ife: avoid possible NULL deref\n\ntcf_ife_encode() must make sure ife_encode() does not return NULL.\n\nsyzbot reported:\n\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\n RIP: 0010:ife_tlv_meta_encode+0x41/0xa0 net/ife/ife.c:166\nCPU: 3 UID: 0 PID: 8990 Comm: syz.0.696 Not tainted syzkaller #0 PREEMPT(full)\nCall Trace:\n \u003cTASK\u003e\n ife_encode_meta_u32+0x153/0x180 net/sched/act_ife.c:101\n tcf_ife_encode net/sched/act_ife.c:841 [inline]\n tcf_ife_act+0x1022/0x1de0 net/sched/act_ife.c:877\n tc_act include/net/tc_wrapper.h:130 [inline]\n tcf_action_exec+0x1c0/0xa20 net/sched/act_api.c:1152\n tcf_exts_exec include/net/pkt_cls.h:349 [inline]\n mall_classify+0x1a0/0x2a0 net/sched/cls_matchall.c:42\n tc_classify include/net/tc_wrapper.h:197 [inline]\n __tcf_classify net/sched/cls_api.c:1764 [inline]\n tcf_classify+0x7f2/0x1380 net/sched/cls_api.c:1860\n multiq_classify net/sched/sch_multiq.c:39 [inline]\n multiq_enqueue+0xe0/0x510 net/sched/sch_multiq.c:66\n dev_qdisc_enqueue+0x45/0x250 net/core/dev.c:4147\n __dev_xmit_skb net/core/dev.c:4262 [inline]\n __dev_queue_xmit+0x2998/0x46c0 net/core/dev.c:4798"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:38:03.299Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4ef2c77851676b7ed106f0c47755bee9eeec9a40"
},
{
"url": "https://git.kernel.org/stable/c/dd9442aedbeae87c44cc64c0ee41abd296dc008b"
},
{
"url": "https://git.kernel.org/stable/c/1440d749fe49c8665da6f744323b1671d25a56a0"
},
{
"url": "https://git.kernel.org/stable/c/03710cebfc0bcfe247a9e04381e79ea33896e278"
},
{
"url": "https://git.kernel.org/stable/c/374915dfc932adf57712df3be010667fd1190e3c"
},
{
"url": "https://git.kernel.org/stable/c/6c75fed55080014545f262b7055081cec4768b20"
},
{
"url": "https://git.kernel.org/stable/c/27880b0b0d35ad1c98863d09788254e36f874968"
}
],
"title": "net/sched: act_ife: avoid possible NULL deref",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23064",
"datePublished": "2026-02-04T16:07:46.329Z",
"dateReserved": "2026-01-13T15:37:45.953Z",
"dateUpdated": "2026-02-09T08:38:03.299Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23164 (GCVE-0-2026-23164)
Vulnerability from cvelistv5
Published
2026-02-14 16:01
Modified
2026-02-14 16:01
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
rocker: fix memory leak in rocker_world_port_post_fini()
In rocker_world_port_pre_init(), rocker_port->wpriv is allocated with
kzalloc(wops->port_priv_size, GFP_KERNEL). However, in
rocker_world_port_post_fini(), the memory is only freed when
wops->port_post_fini callback is set:
if (!wops->port_post_fini)
return;
wops->port_post_fini(rocker_port);
kfree(rocker_port->wpriv);
Since rocker_ofdpa_ops does not implement port_post_fini callback
(it is NULL), the wpriv memory allocated for each port is never freed
when ports are removed. This leads to a memory leak of
sizeof(struct ofdpa_port) bytes per port on every device removal.
Fix this by always calling kfree(rocker_port->wpriv) regardless of
whether the port_post_fini callback exists.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: e420114eef4a3a5025a243b89b0dc343101e3d3c Version: e420114eef4a3a5025a243b89b0dc343101e3d3c Version: e420114eef4a3a5025a243b89b0dc343101e3d3c Version: e420114eef4a3a5025a243b89b0dc343101e3d3c Version: e420114eef4a3a5025a243b89b0dc343101e3d3c Version: e420114eef4a3a5025a243b89b0dc343101e3d3c Version: e420114eef4a3a5025a243b89b0dc343101e3d3c |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/rocker/rocker_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2a3a64d75d2d0727da285749476761ebcad557a3",
"status": "affected",
"version": "e420114eef4a3a5025a243b89b0dc343101e3d3c",
"versionType": "git"
},
{
"lessThan": "b11e6f926480ab0939fec44781f28558c54be4e7",
"status": "affected",
"version": "e420114eef4a3a5025a243b89b0dc343101e3d3c",
"versionType": "git"
},
{
"lessThan": "8ce2e85889939c02740b4245301aa5c35fc94887",
"status": "affected",
"version": "e420114eef4a3a5025a243b89b0dc343101e3d3c",
"versionType": "git"
},
{
"lessThan": "d448bf96889f1905e740c554780f5c9fa0440566",
"status": "affected",
"version": "e420114eef4a3a5025a243b89b0dc343101e3d3c",
"versionType": "git"
},
{
"lessThan": "d8723917efda3b4f4c3de78d1ec1e1af015c0be1",
"status": "affected",
"version": "e420114eef4a3a5025a243b89b0dc343101e3d3c",
"versionType": "git"
},
{
"lessThan": "dce375f4afc348c310d171abcde7ec1499a4c26a",
"status": "affected",
"version": "e420114eef4a3a5025a243b89b0dc343101e3d3c",
"versionType": "git"
},
{
"lessThan": "8d7ba71e46216b8657a82ca2ec118bc93812a4d0",
"status": "affected",
"version": "e420114eef4a3a5025a243b89b0dc343101e3d3c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/rocker/rocker_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.6"
},
{
"lessThan": "4.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.123",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.69",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.123",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.69",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.9",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrocker: fix memory leak in rocker_world_port_post_fini()\n\nIn rocker_world_port_pre_init(), rocker_port-\u003ewpriv is allocated with\nkzalloc(wops-\u003eport_priv_size, GFP_KERNEL). However, in\nrocker_world_port_post_fini(), the memory is only freed when\nwops-\u003eport_post_fini callback is set:\n\n if (!wops-\u003eport_post_fini)\n return;\n wops-\u003eport_post_fini(rocker_port);\n kfree(rocker_port-\u003ewpriv);\n\nSince rocker_ofdpa_ops does not implement port_post_fini callback\n(it is NULL), the wpriv memory allocated for each port is never freed\nwhen ports are removed. This leads to a memory leak of\nsizeof(struct ofdpa_port) bytes per port on every device removal.\n\nFix this by always calling kfree(rocker_port-\u003ewpriv) regardless of\nwhether the port_post_fini callback exists."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T16:01:28.624Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2a3a64d75d2d0727da285749476761ebcad557a3"
},
{
"url": "https://git.kernel.org/stable/c/b11e6f926480ab0939fec44781f28558c54be4e7"
},
{
"url": "https://git.kernel.org/stable/c/8ce2e85889939c02740b4245301aa5c35fc94887"
},
{
"url": "https://git.kernel.org/stable/c/d448bf96889f1905e740c554780f5c9fa0440566"
},
{
"url": "https://git.kernel.org/stable/c/d8723917efda3b4f4c3de78d1ec1e1af015c0be1"
},
{
"url": "https://git.kernel.org/stable/c/dce375f4afc348c310d171abcde7ec1499a4c26a"
},
{
"url": "https://git.kernel.org/stable/c/8d7ba71e46216b8657a82ca2ec118bc93812a4d0"
}
],
"title": "rocker: fix memory leak in rocker_world_port_post_fini()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23164",
"datePublished": "2026-02-14T16:01:28.624Z",
"dateReserved": "2026-01-13T15:37:45.980Z",
"dateUpdated": "2026-02-14T16:01:28.624Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68774 (GCVE-0-2025-68774)
Vulnerability from cvelistv5
Published
2026-01-13 15:28
Modified
2026-02-09 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
hfsplus: fix missing hfs_bnode_get() in __hfs_bnode_create
When sync() and link() are called concurrently, both threads may
enter hfs_bnode_find() without finding the node in the hash table
and proceed to create it.
Thread A:
hfsplus_write_inode()
-> hfsplus_write_system_inode()
-> hfs_btree_write()
-> hfs_bnode_find(tree, 0)
-> __hfs_bnode_create(tree, 0)
Thread B:
hfsplus_create_cat()
-> hfs_brec_insert()
-> hfs_bnode_split()
-> hfs_bmap_alloc()
-> hfs_bnode_find(tree, 0)
-> __hfs_bnode_create(tree, 0)
In this case, thread A creates the bnode, sets refcnt=1, and hashes it.
Thread B also tries to create the same bnode, notices it has already
been inserted, drops its own instance, and uses the hashed one without
getting the node.
```
node2 = hfs_bnode_findhash(tree, cnid);
if (!node2) { <- Thread A
hash = hfs_bnode_hash(cnid);
node->next_hash = tree->node_hash[hash];
tree->node_hash[hash] = node;
tree->node_hash_cnt++;
} else { <- Thread B
spin_unlock(&tree->hash_lock);
kfree(node);
wait_event(node2->lock_wq,
!test_bit(HFS_BNODE_NEW, &node2->flags));
return node2;
}
```
However, hfs_bnode_find() requires each call to take a reference.
Here both threads end up setting refcnt=1. When they later put the node,
this triggers:
BUG_ON(!atomic_read(&node->refcnt))
In this scenario, Thread B in fact finds the node in the hash table
rather than creating a new one, and thus must take a reference.
Fix this by calling hfs_bnode_get() when reusing a bnode newly created by
another thread to ensure the refcount is updated correctly.
A similar bug was fixed in HFS long ago in commit
a9dc087fd3c4 ("fix missing hfs_bnode_get() in __hfs_bnode_create")
but the same issue remained in HFS+ until now.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/hfsplus/bnode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3b0fc7af50b896d0f3d104e70787ba1973bc0b56",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "39e149d58ef4d7883cbf87448d39d51292fd342d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b68dc4134b18a3922cd33439ec614aad4172bc86",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b9d1c6bb5f19460074ce9862cb80be86b5fb0a50",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "457f795e7abd7770de10216d7f9994a3f12a56d6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5882e7c8cdbb5e254a69628b780acff89c78071e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "152af114287851583cf7e0abc10129941f19466a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/hfsplus/bnode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: fix missing hfs_bnode_get() in __hfs_bnode_create\n\nWhen sync() and link() are called concurrently, both threads may\nenter hfs_bnode_find() without finding the node in the hash table\nand proceed to create it.\n\nThread A:\n hfsplus_write_inode()\n -\u003e hfsplus_write_system_inode()\n -\u003e hfs_btree_write()\n -\u003e hfs_bnode_find(tree, 0)\n -\u003e __hfs_bnode_create(tree, 0)\n\nThread B:\n hfsplus_create_cat()\n -\u003e hfs_brec_insert()\n -\u003e hfs_bnode_split()\n -\u003e hfs_bmap_alloc()\n -\u003e hfs_bnode_find(tree, 0)\n -\u003e __hfs_bnode_create(tree, 0)\n\nIn this case, thread A creates the bnode, sets refcnt=1, and hashes it.\nThread B also tries to create the same bnode, notices it has already\nbeen inserted, drops its own instance, and uses the hashed one without\ngetting the node.\n\n```\n\n\tnode2 = hfs_bnode_findhash(tree, cnid);\n\tif (!node2) { \u003c- Thread A\n\t\thash = hfs_bnode_hash(cnid);\n\t\tnode-\u003enext_hash = tree-\u003enode_hash[hash];\n\t\ttree-\u003enode_hash[hash] = node;\n\t\ttree-\u003enode_hash_cnt++;\n\t} else { \u003c- Thread B\n\t\tspin_unlock(\u0026tree-\u003ehash_lock);\n\t\tkfree(node);\n\t\twait_event(node2-\u003elock_wq,\n\t\t\t!test_bit(HFS_BNODE_NEW, \u0026node2-\u003eflags));\n\t\treturn node2;\n\t}\n```\n\nHowever, hfs_bnode_find() requires each call to take a reference.\nHere both threads end up setting refcnt=1. When they later put the node,\nthis triggers:\n\nBUG_ON(!atomic_read(\u0026node-\u003erefcnt))\n\nIn this scenario, Thread B in fact finds the node in the hash table\nrather than creating a new one, and thus must take a reference.\n\nFix this by calling hfs_bnode_get() when reusing a bnode newly created by\nanother thread to ensure the refcount is updated correctly.\n\nA similar bug was fixed in HFS long ago in commit\na9dc087fd3c4 (\"fix missing hfs_bnode_get() in __hfs_bnode_create\")\nbut the same issue remained in HFS+ until now."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:19.540Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3b0fc7af50b896d0f3d104e70787ba1973bc0b56"
},
{
"url": "https://git.kernel.org/stable/c/39e149d58ef4d7883cbf87448d39d51292fd342d"
},
{
"url": "https://git.kernel.org/stable/c/b68dc4134b18a3922cd33439ec614aad4172bc86"
},
{
"url": "https://git.kernel.org/stable/c/b9d1c6bb5f19460074ce9862cb80be86b5fb0a50"
},
{
"url": "https://git.kernel.org/stable/c/457f795e7abd7770de10216d7f9994a3f12a56d6"
},
{
"url": "https://git.kernel.org/stable/c/5882e7c8cdbb5e254a69628b780acff89c78071e"
},
{
"url": "https://git.kernel.org/stable/c/152af114287851583cf7e0abc10129941f19466a"
}
],
"title": "hfsplus: fix missing hfs_bnode_get() in __hfs_bnode_create",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68774",
"datePublished": "2026-01-13T15:28:51.379Z",
"dateReserved": "2025-12-24T10:30:51.035Z",
"dateUpdated": "2026-02-09T08:33:19.540Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68284 (GCVE-0-2025-68284)
Vulnerability from cvelistv5
Published
2025-12-16 15:06
Modified
2026-01-02 15:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
libceph: prevent potential out-of-bounds writes in handle_auth_session_key()
The len field originates from untrusted network packets. Boundary
checks have been added to prevent potential out-of-bounds writes when
decrypting the connection secret or processing service tickets.
[ idryomov: changelog ]
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 285ea34fc876aa0a2c5e65d310c4a41269e2e5f2 Version: 285ea34fc876aa0a2c5e65d310c4a41269e2e5f2 Version: 285ea34fc876aa0a2c5e65d310c4a41269e2e5f2 Version: 285ea34fc876aa0a2c5e65d310c4a41269e2e5f2 Version: 285ea34fc876aa0a2c5e65d310c4a41269e2e5f2 Version: 285ea34fc876aa0a2c5e65d310c4a41269e2e5f2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ceph/auth_x.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f22c55a20a2d9ffbbac57408d5d488cef8201e9d",
"status": "affected",
"version": "285ea34fc876aa0a2c5e65d310c4a41269e2e5f2",
"versionType": "git"
},
{
"lessThan": "8dfcc56af28cffb8f25fb9be37b3acc61f2a3d09",
"status": "affected",
"version": "285ea34fc876aa0a2c5e65d310c4a41269e2e5f2",
"versionType": "git"
},
{
"lessThan": "ccbccfba25e9aa395daaea156b5e7790910054c4",
"status": "affected",
"version": "285ea34fc876aa0a2c5e65d310c4a41269e2e5f2",
"versionType": "git"
},
{
"lessThan": "5ef575834ca99f719d7573cdece9df2fe2b72424",
"status": "affected",
"version": "285ea34fc876aa0a2c5e65d310c4a41269e2e5f2",
"versionType": "git"
},
{
"lessThan": "6920ff09bf911bc919cd7a6b7176fbdd1a6e6850",
"status": "affected",
"version": "285ea34fc876aa0a2c5e65d310c4a41269e2e5f2",
"versionType": "git"
},
{
"lessThan": "7fce830ecd0a0256590ee37eb65a39cbad3d64fc",
"status": "affected",
"version": "285ea34fc876aa0a2c5e65d310c4a41269e2e5f2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ceph/auth_x.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: prevent potential out-of-bounds writes in handle_auth_session_key()\n\nThe len field originates from untrusted network packets. Boundary\nchecks have been added to prevent potential out-of-bounds writes when\ndecrypting the connection secret or processing service tickets.\n\n[ idryomov: changelog ]"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:34:48.915Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f22c55a20a2d9ffbbac57408d5d488cef8201e9d"
},
{
"url": "https://git.kernel.org/stable/c/8dfcc56af28cffb8f25fb9be37b3acc61f2a3d09"
},
{
"url": "https://git.kernel.org/stable/c/ccbccfba25e9aa395daaea156b5e7790910054c4"
},
{
"url": "https://git.kernel.org/stable/c/5ef575834ca99f719d7573cdece9df2fe2b72424"
},
{
"url": "https://git.kernel.org/stable/c/6920ff09bf911bc919cd7a6b7176fbdd1a6e6850"
},
{
"url": "https://git.kernel.org/stable/c/7fce830ecd0a0256590ee37eb65a39cbad3d64fc"
}
],
"title": "libceph: prevent potential out-of-bounds writes in handle_auth_session_key()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68284",
"datePublished": "2025-12-16T15:06:06.235Z",
"dateReserved": "2025-12-16T14:48:05.292Z",
"dateUpdated": "2026-01-02T15:34:48.915Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68756 (GCVE-0-2025-68756)
Vulnerability from cvelistv5
Published
2026-01-05 09:32
Modified
2026-02-09 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
block: Use RCU in blk_mq_[un]quiesce_tagset() instead of set->tag_list_lock
blk_mq_{add,del}_queue_tag_set() functions add and remove queues from
tagset, the functions make sure that tagset and queues are marked as
shared when two or more queues are attached to the same tagset.
Initially a tagset starts as unshared and when the number of added
queues reaches two, blk_mq_add_queue_tag_set() marks it as shared along
with all the queues attached to it. When the number of attached queues
drops to 1 blk_mq_del_queue_tag_set() need to mark both the tagset and
the remaining queues as unshared.
Both functions need to freeze current queues in tagset before setting on
unsetting BLK_MQ_F_TAG_QUEUE_SHARED flag. While doing so, both functions
hold set->tag_list_lock mutex, which makes sense as we do not want
queues to be added or deleted in the process. This used to work fine
until commit 98d81f0df70c ("nvme: use blk_mq_[un]quiesce_tagset")
made the nvme driver quiesce tagset instead of quiscing individual
queues. blk_mq_quiesce_tagset() does the job and quiesce the queues in
set->tag_list while holding set->tag_list_lock also.
This results in deadlock between two threads with these stacktraces:
__schedule+0x47c/0xbb0
? timerqueue_add+0x66/0xb0
schedule+0x1c/0xa0
schedule_preempt_disabled+0xa/0x10
__mutex_lock.constprop.0+0x271/0x600
blk_mq_quiesce_tagset+0x25/0xc0
nvme_dev_disable+0x9c/0x250
nvme_timeout+0x1fc/0x520
blk_mq_handle_expired+0x5c/0x90
bt_iter+0x7e/0x90
blk_mq_queue_tag_busy_iter+0x27e/0x550
? __blk_mq_complete_request_remote+0x10/0x10
? __blk_mq_complete_request_remote+0x10/0x10
? __call_rcu_common.constprop.0+0x1c0/0x210
blk_mq_timeout_work+0x12d/0x170
process_one_work+0x12e/0x2d0
worker_thread+0x288/0x3a0
? rescuer_thread+0x480/0x480
kthread+0xb8/0xe0
? kthread_park+0x80/0x80
ret_from_fork+0x2d/0x50
? kthread_park+0x80/0x80
ret_from_fork_asm+0x11/0x20
__schedule+0x47c/0xbb0
? xas_find+0x161/0x1a0
schedule+0x1c/0xa0
blk_mq_freeze_queue_wait+0x3d/0x70
? destroy_sched_domains_rcu+0x30/0x30
blk_mq_update_tag_set_shared+0x44/0x80
blk_mq_exit_queue+0x141/0x150
del_gendisk+0x25a/0x2d0
nvme_ns_remove+0xc9/0x170
nvme_remove_namespaces+0xc7/0x100
nvme_remove+0x62/0x150
pci_device_remove+0x23/0x60
device_release_driver_internal+0x159/0x200
unbind_store+0x99/0xa0
kernfs_fop_write_iter+0x112/0x1e0
vfs_write+0x2b1/0x3d0
ksys_write+0x4e/0xb0
do_syscall_64+0x5b/0x160
entry_SYSCALL_64_after_hwframe+0x4b/0x53
The top stacktrace is showing nvme_timeout() called to handle nvme
command timeout. timeout handler is trying to disable the controller and
as a first step, it needs to blk_mq_quiesce_tagset() to tell blk-mq not
to call queue callback handlers. The thread is stuck waiting for
set->tag_list_lock as it tries to walk the queues in set->tag_list.
The lock is held by the second thread in the bottom stack which is
waiting for one of queues to be frozen. The queue usage counter will
drop to zero after nvme_timeout() finishes, and this will not happen
because the thread will wait for this mutex forever.
Given that [un]quiescing queue is an operation that does not need to
sleep, update blk_mq_[un]quiesce_tagset() to use RCU instead of taking
set->tag_list_lock, update blk_mq_{add,del}_queue_tag_set() to use RCU
safe list operations. Also, delete INIT_LIST_HEAD(&q->tag_set_list)
in blk_mq_del_queue_tag_set() because we can not re-initialize it while
the list is being traversed under RCU. The deleted queue will not be
added/deleted to/from a tagset and it will be freed in blk_free_queue()
after the end of RCU grace period.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/blk-mq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ca8764c0ea1fb825f17f19704af55e9e02c9f768",
"status": "affected",
"version": "98d81f0df70ce6fc48517d938026e3c684b9051a",
"versionType": "git"
},
{
"lessThan": "3baeec23a82e7ee9691f434c6ab0ab1387326108",
"status": "affected",
"version": "98d81f0df70ce6fc48517d938026e3c684b9051a",
"versionType": "git"
},
{
"lessThan": "6e8d363786765a81e35083e0909e076796468edf",
"status": "affected",
"version": "98d81f0df70ce6fc48517d938026e3c684b9051a",
"versionType": "git"
},
{
"lessThan": "ef0cd7b694928573f6569e61c14f5f059253162e",
"status": "affected",
"version": "98d81f0df70ce6fc48517d938026e3c684b9051a",
"versionType": "git"
},
{
"lessThan": "59e25ef2b413c72da6686d431e7759302cfccafa",
"status": "affected",
"version": "98d81f0df70ce6fc48517d938026e3c684b9051a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/blk-mq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: Use RCU in blk_mq_[un]quiesce_tagset() instead of set-\u003etag_list_lock\n\nblk_mq_{add,del}_queue_tag_set() functions add and remove queues from\ntagset, the functions make sure that tagset and queues are marked as\nshared when two or more queues are attached to the same tagset.\nInitially a tagset starts as unshared and when the number of added\nqueues reaches two, blk_mq_add_queue_tag_set() marks it as shared along\nwith all the queues attached to it. When the number of attached queues\ndrops to 1 blk_mq_del_queue_tag_set() need to mark both the tagset and\nthe remaining queues as unshared.\n\nBoth functions need to freeze current queues in tagset before setting on\nunsetting BLK_MQ_F_TAG_QUEUE_SHARED flag. While doing so, both functions\nhold set-\u003etag_list_lock mutex, which makes sense as we do not want\nqueues to be added or deleted in the process. This used to work fine\nuntil commit 98d81f0df70c (\"nvme: use blk_mq_[un]quiesce_tagset\")\nmade the nvme driver quiesce tagset instead of quiscing individual\nqueues. blk_mq_quiesce_tagset() does the job and quiesce the queues in\nset-\u003etag_list while holding set-\u003etag_list_lock also.\n\nThis results in deadlock between two threads with these stacktraces:\n\n __schedule+0x47c/0xbb0\n ? timerqueue_add+0x66/0xb0\n schedule+0x1c/0xa0\n schedule_preempt_disabled+0xa/0x10\n __mutex_lock.constprop.0+0x271/0x600\n blk_mq_quiesce_tagset+0x25/0xc0\n nvme_dev_disable+0x9c/0x250\n nvme_timeout+0x1fc/0x520\n blk_mq_handle_expired+0x5c/0x90\n bt_iter+0x7e/0x90\n blk_mq_queue_tag_busy_iter+0x27e/0x550\n ? __blk_mq_complete_request_remote+0x10/0x10\n ? __blk_mq_complete_request_remote+0x10/0x10\n ? __call_rcu_common.constprop.0+0x1c0/0x210\n blk_mq_timeout_work+0x12d/0x170\n process_one_work+0x12e/0x2d0\n worker_thread+0x288/0x3a0\n ? rescuer_thread+0x480/0x480\n kthread+0xb8/0xe0\n ? kthread_park+0x80/0x80\n ret_from_fork+0x2d/0x50\n ? kthread_park+0x80/0x80\n ret_from_fork_asm+0x11/0x20\n\n __schedule+0x47c/0xbb0\n ? xas_find+0x161/0x1a0\n schedule+0x1c/0xa0\n blk_mq_freeze_queue_wait+0x3d/0x70\n ? destroy_sched_domains_rcu+0x30/0x30\n blk_mq_update_tag_set_shared+0x44/0x80\n blk_mq_exit_queue+0x141/0x150\n del_gendisk+0x25a/0x2d0\n nvme_ns_remove+0xc9/0x170\n nvme_remove_namespaces+0xc7/0x100\n nvme_remove+0x62/0x150\n pci_device_remove+0x23/0x60\n device_release_driver_internal+0x159/0x200\n unbind_store+0x99/0xa0\n kernfs_fop_write_iter+0x112/0x1e0\n vfs_write+0x2b1/0x3d0\n ksys_write+0x4e/0xb0\n do_syscall_64+0x5b/0x160\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\nThe top stacktrace is showing nvme_timeout() called to handle nvme\ncommand timeout. timeout handler is trying to disable the controller and\nas a first step, it needs to blk_mq_quiesce_tagset() to tell blk-mq not\nto call queue callback handlers. The thread is stuck waiting for\nset-\u003etag_list_lock as it tries to walk the queues in set-\u003etag_list.\n\nThe lock is held by the second thread in the bottom stack which is\nwaiting for one of queues to be frozen. The queue usage counter will\ndrop to zero after nvme_timeout() finishes, and this will not happen\nbecause the thread will wait for this mutex forever.\n\nGiven that [un]quiescing queue is an operation that does not need to\nsleep, update blk_mq_[un]quiesce_tagset() to use RCU instead of taking\nset-\u003etag_list_lock, update blk_mq_{add,del}_queue_tag_set() to use RCU\nsafe list operations. Also, delete INIT_LIST_HEAD(\u0026q-\u003etag_set_list)\nin blk_mq_del_queue_tag_set() because we can not re-initialize it while\nthe list is being traversed under RCU. The deleted queue will not be\nadded/deleted to/from a tagset and it will be freed in blk_free_queue()\nafter the end of RCU grace period."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:00.580Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ca8764c0ea1fb825f17f19704af55e9e02c9f768"
},
{
"url": "https://git.kernel.org/stable/c/3baeec23a82e7ee9691f434c6ab0ab1387326108"
},
{
"url": "https://git.kernel.org/stable/c/6e8d363786765a81e35083e0909e076796468edf"
},
{
"url": "https://git.kernel.org/stable/c/ef0cd7b694928573f6569e61c14f5f059253162e"
},
{
"url": "https://git.kernel.org/stable/c/59e25ef2b413c72da6686d431e7759302cfccafa"
}
],
"title": "block: Use RCU in blk_mq_[un]quiesce_tagset() instead of set-\u003etag_list_lock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68756",
"datePublished": "2026-01-05T09:32:29.824Z",
"dateReserved": "2025-12-24T10:30:51.033Z",
"dateUpdated": "2026-02-09T08:33:00.580Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71127 (GCVE-0-2025-71127)
Vulnerability from cvelistv5
Published
2026-01-14 15:07
Modified
2026-02-09 08:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: Discard Beacon frames to non-broadcast address
Beacon frames are required to be sent to the broadcast address, see IEEE
Std 802.11-2020, 11.1.3.1 ("The Address 1 field of the Beacon .. frame
shall be set to the broadcast address"). A unicast Beacon frame might be
used as a targeted attack to get one of the associated STAs to do
something (e.g., using CSA to move it to another channel). As such, it
is better have strict filtering for this on the received side and
discard all Beacon frames that are sent to an unexpected address.
This is even more important for cases where beacon protection is used.
The current implementation in mac80211 is correctly discarding unicast
Beacon frames if the Protected Frame bit in the Frame Control field is
set to 0. However, if that bit is set to 1, the logic used for checking
for configured BIGTK(s) does not actually work. If the driver does not
have logic for dropping unicast Beacon frames with Protected Frame bit
1, these frames would be accepted in mac80211 processing as valid Beacon
frames even though they are not protected. This would allow beacon
protection to be bypassed. While the logic for checking beacon
protection could be extended to cover this corner case, a more generic
check for discard all Beacon frames based on A1=unicast address covers
this without needing additional changes.
Address all these issues by dropping received Beacon frames if they are
sent to a non-broadcast address.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: af2d14b01c32d7cba65f73503586e5b621afb139 Version: af2d14b01c32d7cba65f73503586e5b621afb139 Version: af2d14b01c32d7cba65f73503586e5b621afb139 Version: af2d14b01c32d7cba65f73503586e5b621afb139 Version: af2d14b01c32d7cba65f73503586e5b621afb139 Version: af2d14b01c32d7cba65f73503586e5b621afb139 Version: af2d14b01c32d7cba65f73503586e5b621afb139 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mac80211/rx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "be0974be5c42584e027883ac2af7dab5e950098c",
"status": "affected",
"version": "af2d14b01c32d7cba65f73503586e5b621afb139",
"versionType": "git"
},
{
"lessThan": "0a59a3895f804469276d188effa511c72e752f35",
"status": "affected",
"version": "af2d14b01c32d7cba65f73503586e5b621afb139",
"versionType": "git"
},
{
"lessThan": "88aab153d1528bc559292a12fb5105ee97528e1f",
"status": "affected",
"version": "af2d14b01c32d7cba65f73503586e5b621afb139",
"versionType": "git"
},
{
"lessThan": "6e5bff40bb38741e40c33043ba0816fba5f93661",
"status": "affected",
"version": "af2d14b01c32d7cba65f73503586e5b621afb139",
"versionType": "git"
},
{
"lessThan": "7b240a8935d554ad36a52c2c37c32039f9afaef2",
"status": "affected",
"version": "af2d14b01c32d7cba65f73503586e5b621afb139",
"versionType": "git"
},
{
"lessThan": "a21704df4024708be698fb3fd5830d5b113b70e0",
"status": "affected",
"version": "af2d14b01c32d7cba65f73503586e5b621afb139",
"versionType": "git"
},
{
"lessThan": "193d18f60588e95d62e0f82b6a53893e5f2f19f8",
"status": "affected",
"version": "af2d14b01c32d7cba65f73503586e5b621afb139",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mac80211/rx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.65",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.65",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: Discard Beacon frames to non-broadcast address\n\nBeacon frames are required to be sent to the broadcast address, see IEEE\nStd 802.11-2020, 11.1.3.1 (\"The Address 1 field of the Beacon .. frame\nshall be set to the broadcast address\"). A unicast Beacon frame might be\nused as a targeted attack to get one of the associated STAs to do\nsomething (e.g., using CSA to move it to another channel). As such, it\nis better have strict filtering for this on the received side and\ndiscard all Beacon frames that are sent to an unexpected address.\n\nThis is even more important for cases where beacon protection is used.\nThe current implementation in mac80211 is correctly discarding unicast\nBeacon frames if the Protected Frame bit in the Frame Control field is\nset to 0. However, if that bit is set to 1, the logic used for checking\nfor configured BIGTK(s) does not actually work. If the driver does not\nhave logic for dropping unicast Beacon frames with Protected Frame bit\n1, these frames would be accepted in mac80211 processing as valid Beacon\nframes even though they are not protected. This would allow beacon\nprotection to be bypassed. While the logic for checking beacon\nprotection could be extended to cover this corner case, a more generic\ncheck for discard all Beacon frames based on A1=unicast address covers\nthis without needing additional changes.\n\nAddress all these issues by dropping received Beacon frames if they are\nsent to a non-broadcast address."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:22.963Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/be0974be5c42584e027883ac2af7dab5e950098c"
},
{
"url": "https://git.kernel.org/stable/c/0a59a3895f804469276d188effa511c72e752f35"
},
{
"url": "https://git.kernel.org/stable/c/88aab153d1528bc559292a12fb5105ee97528e1f"
},
{
"url": "https://git.kernel.org/stable/c/6e5bff40bb38741e40c33043ba0816fba5f93661"
},
{
"url": "https://git.kernel.org/stable/c/7b240a8935d554ad36a52c2c37c32039f9afaef2"
},
{
"url": "https://git.kernel.org/stable/c/a21704df4024708be698fb3fd5830d5b113b70e0"
},
{
"url": "https://git.kernel.org/stable/c/193d18f60588e95d62e0f82b6a53893e5f2f19f8"
}
],
"title": "wifi: mac80211: Discard Beacon frames to non-broadcast address",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71127",
"datePublished": "2026-01-14T15:07:44.218Z",
"dateReserved": "2026-01-13T15:30:19.655Z",
"dateUpdated": "2026-02-09T08:35:22.963Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40081 (GCVE-0-2025-40081)
Vulnerability from cvelistv5
Published
2025-10-28 11:48
Modified
2025-12-01 06:17
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
perf: arm_spe: Prevent overflow in PERF_IDX2OFF()
Cast nr_pages to unsigned long to avoid overflow when handling large
AUX buffer sizes (>= 2 GiB).
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: d5d9696b03808bc6be723cc85288c912c3a05606 Version: d5d9696b03808bc6be723cc85288c912c3a05606 Version: d5d9696b03808bc6be723cc85288c912c3a05606 Version: d5d9696b03808bc6be723cc85288c912c3a05606 Version: d5d9696b03808bc6be723cc85288c912c3a05606 Version: d5d9696b03808bc6be723cc85288c912c3a05606 Version: d5d9696b03808bc6be723cc85288c912c3a05606 Version: d5d9696b03808bc6be723cc85288c912c3a05606 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/perf/arm_spe_pmu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "656e9a5d69acdd1b20462f4a33378b90ddcb9626",
"status": "affected",
"version": "d5d9696b03808bc6be723cc85288c912c3a05606",
"versionType": "git"
},
{
"lessThan": "9c045d4501f7f70724a3bbb561f4f22d292bbfe6",
"status": "affected",
"version": "d5d9696b03808bc6be723cc85288c912c3a05606",
"versionType": "git"
},
{
"lessThan": "5d01f2b81568289443d22f1e13a363f829de6343",
"status": "affected",
"version": "d5d9696b03808bc6be723cc85288c912c3a05606",
"versionType": "git"
},
{
"lessThan": "7500384d3c9587593d75ded3b006835e7aa73ef8",
"status": "affected",
"version": "d5d9696b03808bc6be723cc85288c912c3a05606",
"versionType": "git"
},
{
"lessThan": "379cae2cb982f571cda9493ac573ab71125fd299",
"status": "affected",
"version": "d5d9696b03808bc6be723cc85288c912c3a05606",
"versionType": "git"
},
{
"lessThan": "1a19ba8e1f4ff24ece8ca69b79df8442c431db90",
"status": "affected",
"version": "d5d9696b03808bc6be723cc85288c912c3a05606",
"versionType": "git"
},
{
"lessThan": "e516cfd19b0f4c774a57b17fb43a7f41991f0735",
"status": "affected",
"version": "d5d9696b03808bc6be723cc85288c912c3a05606",
"versionType": "git"
},
{
"lessThan": "a29fea30dd93da16652930162b177941abd8c75e",
"status": "affected",
"version": "d5d9696b03808bc6be723cc85288c912c3a05606",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/perf/arm_spe_pmu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: arm_spe: Prevent overflow in PERF_IDX2OFF()\n\nCast nr_pages to unsigned long to avoid overflow when handling large\nAUX buffer sizes (\u003e= 2 GiB)."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:17:38.737Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/656e9a5d69acdd1b20462f4a33378b90ddcb9626"
},
{
"url": "https://git.kernel.org/stable/c/9c045d4501f7f70724a3bbb561f4f22d292bbfe6"
},
{
"url": "https://git.kernel.org/stable/c/5d01f2b81568289443d22f1e13a363f829de6343"
},
{
"url": "https://git.kernel.org/stable/c/7500384d3c9587593d75ded3b006835e7aa73ef8"
},
{
"url": "https://git.kernel.org/stable/c/379cae2cb982f571cda9493ac573ab71125fd299"
},
{
"url": "https://git.kernel.org/stable/c/1a19ba8e1f4ff24ece8ca69b79df8442c431db90"
},
{
"url": "https://git.kernel.org/stable/c/e516cfd19b0f4c774a57b17fb43a7f41991f0735"
},
{
"url": "https://git.kernel.org/stable/c/a29fea30dd93da16652930162b177941abd8c75e"
}
],
"title": "perf: arm_spe: Prevent overflow in PERF_IDX2OFF()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40081",
"datePublished": "2025-10-28T11:48:45.392Z",
"dateReserved": "2025-04-16T07:20:57.161Z",
"dateUpdated": "2025-12-01T06:17:38.737Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71149 (GCVE-0-2025-71149)
Vulnerability from cvelistv5
Published
2026-01-23 14:15
Modified
2026-02-09 08:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
io_uring/poll: correctly handle io_poll_add() return value on update
When the core of io_uring was updated to handle completions
consistently and with fixed return codes, the POLL_REMOVE opcode
with updates got slightly broken. If a POLL_ADD is pending and
then POLL_REMOVE is used to update the events of that request, if that
update causes the POLL_ADD to now trigger, then that completion is lost
and a CQE is never posted.
Additionally, ensure that if an update does cause an existing POLL_ADD
to complete, that the completion value isn't always overwritten with
-ECANCELED. For that case, whatever io_poll_add() set the value to
should just be retained.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"io_uring/poll.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8b777ab48441b153502772ecfc78c107d4353f29",
"status": "affected",
"version": "97b388d70b53fd7d286ac1b81e5a88bd6af98209",
"versionType": "git"
},
{
"lessThan": "0126560370ed5217958b85657b590ad25e8b9c00",
"status": "affected",
"version": "97b388d70b53fd7d286ac1b81e5a88bd6af98209",
"versionType": "git"
},
{
"lessThan": "c1669c03bfbc2a9b5ebff4428eecebe734c646fe",
"status": "affected",
"version": "97b388d70b53fd7d286ac1b81e5a88bd6af98209",
"versionType": "git"
},
{
"lessThan": "13a8f7b88c2d40c6b33f6216190478dda95d385f",
"status": "affected",
"version": "97b388d70b53fd7d286ac1b81e5a88bd6af98209",
"versionType": "git"
},
{
"lessThan": "84230ad2d2afbf0c44c32967e525c0ad92e26b4e",
"status": "affected",
"version": "97b388d70b53fd7d286ac1b81e5a88bd6af98209",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"io_uring/poll.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/poll: correctly handle io_poll_add() return value on update\n\nWhen the core of io_uring was updated to handle completions\nconsistently and with fixed return codes, the POLL_REMOVE opcode\nwith updates got slightly broken. If a POLL_ADD is pending and\nthen POLL_REMOVE is used to update the events of that request, if that\nupdate causes the POLL_ADD to now trigger, then that completion is lost\nand a CQE is never posted.\n\nAdditionally, ensure that if an update does cause an existing POLL_ADD\nto complete, that the completion value isn\u0027t always overwritten with\n-ECANCELED. For that case, whatever io_poll_add() set the value to\nshould just be retained."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:46.301Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8b777ab48441b153502772ecfc78c107d4353f29"
},
{
"url": "https://git.kernel.org/stable/c/0126560370ed5217958b85657b590ad25e8b9c00"
},
{
"url": "https://git.kernel.org/stable/c/c1669c03bfbc2a9b5ebff4428eecebe734c646fe"
},
{
"url": "https://git.kernel.org/stable/c/13a8f7b88c2d40c6b33f6216190478dda95d385f"
},
{
"url": "https://git.kernel.org/stable/c/84230ad2d2afbf0c44c32967e525c0ad92e26b4e"
}
],
"title": "io_uring/poll: correctly handle io_poll_add() return value on update",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71149",
"datePublished": "2026-01-23T14:15:15.878Z",
"dateReserved": "2026-01-13T15:30:19.662Z",
"dateUpdated": "2026-02-09T08:35:46.301Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71075 (GCVE-0-2025-71075)
Vulnerability from cvelistv5
Published
2026-01-13 15:31
Modified
2026-02-09 08:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: aic94xx: fix use-after-free in device removal path
The asd_pci_remove() function fails to synchronize with pending tasklets
before freeing the asd_ha structure, leading to a potential
use-after-free vulnerability.
When a device removal is triggered (via hot-unplug or module unload),
race condition can occur.
The fix adds tasklet_kill() before freeing the asd_ha structure,
ensuring all scheduled tasklets complete before cleanup proceeds.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 2908d778ab3e244900c310974e1fc1c69066e450 Version: 2908d778ab3e244900c310974e1fc1c69066e450 Version: 2908d778ab3e244900c310974e1fc1c69066e450 Version: 2908d778ab3e244900c310974e1fc1c69066e450 Version: 2908d778ab3e244900c310974e1fc1c69066e450 Version: 2908d778ab3e244900c310974e1fc1c69066e450 Version: 2908d778ab3e244900c310974e1fc1c69066e450 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/aic94xx/aic94xx_init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c8f6f88cd1df35155258285c4f43268b361819df",
"status": "affected",
"version": "2908d778ab3e244900c310974e1fc1c69066e450",
"versionType": "git"
},
{
"lessThan": "278455a82245a572aeb218a6212a416a98e418de",
"status": "affected",
"version": "2908d778ab3e244900c310974e1fc1c69066e450",
"versionType": "git"
},
{
"lessThan": "b3e655e52b98a1d3df41c8e42035711e083099f8",
"status": "affected",
"version": "2908d778ab3e244900c310974e1fc1c69066e450",
"versionType": "git"
},
{
"lessThan": "e354793a7ab9bb0934ea699a9d57bcd1b48fc27b",
"status": "affected",
"version": "2908d778ab3e244900c310974e1fc1c69066e450",
"versionType": "git"
},
{
"lessThan": "a41dc180b6e1229ae49ca290ae14d82101c148c3",
"status": "affected",
"version": "2908d778ab3e244900c310974e1fc1c69066e450",
"versionType": "git"
},
{
"lessThan": "751c19635c2bfaaf2836a533caa3663633066dcf",
"status": "affected",
"version": "2908d778ab3e244900c310974e1fc1c69066e450",
"versionType": "git"
},
{
"lessThan": "f6ab594672d4cba08540919a4e6be2e202b60007",
"status": "affected",
"version": "2908d778ab3e244900c310974e1fc1c69066e450",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/aic94xx/aic94xx_init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.19"
},
{
"lessThan": "2.6.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: aic94xx: fix use-after-free in device removal path\n\nThe asd_pci_remove() function fails to synchronize with pending tasklets\nbefore freeing the asd_ha structure, leading to a potential\nuse-after-free vulnerability.\n\nWhen a device removal is triggered (via hot-unplug or module unload),\nrace condition can occur.\n\nThe fix adds tasklet_kill() before freeing the asd_ha structure,\nensuring all scheduled tasklets complete before cleanup proceeds."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:26.065Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c8f6f88cd1df35155258285c4f43268b361819df"
},
{
"url": "https://git.kernel.org/stable/c/278455a82245a572aeb218a6212a416a98e418de"
},
{
"url": "https://git.kernel.org/stable/c/b3e655e52b98a1d3df41c8e42035711e083099f8"
},
{
"url": "https://git.kernel.org/stable/c/e354793a7ab9bb0934ea699a9d57bcd1b48fc27b"
},
{
"url": "https://git.kernel.org/stable/c/a41dc180b6e1229ae49ca290ae14d82101c148c3"
},
{
"url": "https://git.kernel.org/stable/c/751c19635c2bfaaf2836a533caa3663633066dcf"
},
{
"url": "https://git.kernel.org/stable/c/f6ab594672d4cba08540919a4e6be2e202b60007"
}
],
"title": "scsi: aic94xx: fix use-after-free in device removal path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71075",
"datePublished": "2026-01-13T15:31:28.075Z",
"dateReserved": "2026-01-13T15:30:19.647Z",
"dateUpdated": "2026-02-09T08:34:26.065Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71120 (GCVE-0-2025-71120)
Vulnerability from cvelistv5
Published
2026-01-14 15:06
Modified
2026-02-09 08:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf
A zero length gss_token results in pages == 0 and in_token->pages[0]
is NULL. The code unconditionally evaluates
page_address(in_token->pages[0]) for the initial memcpy, which can
dereference NULL even when the copy length is 0. Guard the first
memcpy so it only runs when length > 0.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 5866efa8cbfbadf3905072798e96652faf02dbe8 Version: 5866efa8cbfbadf3905072798e96652faf02dbe8 Version: 5866efa8cbfbadf3905072798e96652faf02dbe8 Version: 5866efa8cbfbadf3905072798e96652faf02dbe8 Version: 5866efa8cbfbadf3905072798e96652faf02dbe8 Version: 5866efa8cbfbadf3905072798e96652faf02dbe8 Version: 5866efa8cbfbadf3905072798e96652faf02dbe8 Version: 66ed7b413d31c6ff23901ac4443b1cc1af2f6113 Version: 7be8c165dc81564705e8e0b72d398ef708f67eaa |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sunrpc/auth_gss/svcauth_gss.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a8f1e445ce3545c90d69c9e8ff8f7821825fe810",
"status": "affected",
"version": "5866efa8cbfbadf3905072798e96652faf02dbe8",
"versionType": "git"
},
{
"lessThan": "4dedb6a11243a5c9eb9dbb97bca3c98bd725e83d",
"status": "affected",
"version": "5866efa8cbfbadf3905072798e96652faf02dbe8",
"versionType": "git"
},
{
"lessThan": "f9e53f69ac3bc4ef568b08d3542edac02e83fefd",
"status": "affected",
"version": "5866efa8cbfbadf3905072798e96652faf02dbe8",
"versionType": "git"
},
{
"lessThan": "7452d53f293379e2c38cfa8ad0694aa46fc4788b",
"status": "affected",
"version": "5866efa8cbfbadf3905072798e96652faf02dbe8",
"versionType": "git"
},
{
"lessThan": "a2c6f25ab98b423f99ccd94874d655b8bcb01a19",
"status": "affected",
"version": "5866efa8cbfbadf3905072798e96652faf02dbe8",
"versionType": "git"
},
{
"lessThan": "1c8bb965e9b0559ff0f5690615a527c30f651dd8",
"status": "affected",
"version": "5866efa8cbfbadf3905072798e96652faf02dbe8",
"versionType": "git"
},
{
"lessThan": "d4b69a6186b215d2dc1ebcab965ed88e8d41768d",
"status": "affected",
"version": "5866efa8cbfbadf3905072798e96652faf02dbe8",
"versionType": "git"
},
{
"status": "affected",
"version": "66ed7b413d31c6ff23901ac4443b1cc1af2f6113",
"versionType": "git"
},
{
"status": "affected",
"version": "7be8c165dc81564705e8e0b72d398ef708f67eaa",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sunrpc/auth_gss/svcauth_gss.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.99",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf\n\nA zero length gss_token results in pages == 0 and in_token-\u003epages[0]\nis NULL. The code unconditionally evaluates\npage_address(in_token-\u003epages[0]) for the initial memcpy, which can\ndereference NULL even when the copy length is 0. Guard the first\nmemcpy so it only runs when length \u003e 0."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:15.157Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a8f1e445ce3545c90d69c9e8ff8f7821825fe810"
},
{
"url": "https://git.kernel.org/stable/c/4dedb6a11243a5c9eb9dbb97bca3c98bd725e83d"
},
{
"url": "https://git.kernel.org/stable/c/f9e53f69ac3bc4ef568b08d3542edac02e83fefd"
},
{
"url": "https://git.kernel.org/stable/c/7452d53f293379e2c38cfa8ad0694aa46fc4788b"
},
{
"url": "https://git.kernel.org/stable/c/a2c6f25ab98b423f99ccd94874d655b8bcb01a19"
},
{
"url": "https://git.kernel.org/stable/c/1c8bb965e9b0559ff0f5690615a527c30f651dd8"
},
{
"url": "https://git.kernel.org/stable/c/d4b69a6186b215d2dc1ebcab965ed88e8d41768d"
}
],
"title": "SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71120",
"datePublished": "2026-01-14T15:06:07.194Z",
"dateReserved": "2026-01-13T15:30:19.654Z",
"dateUpdated": "2026-02-09T08:35:15.157Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71196 (GCVE-0-2025-71196)
Vulnerability from cvelistv5
Published
2026-02-04 16:04
Modified
2026-02-09 08:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
phy: stm32-usphyc: Fix off by one in probe()
The "index" variable is used as an index into the usbphyc->phys[] array
which has usbphyc->nphys elements. So if it is equal to usbphyc->nphys
then it is one element out of bounds. The "index" comes from the
device tree so it's data that we trust and it's unlikely to be wrong,
however it's obviously still worth fixing the bug. Change the > to >=.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 94c358da3a0545205c6c6a50ae26141f1c73acfa Version: 94c358da3a0545205c6c6a50ae26141f1c73acfa Version: 94c358da3a0545205c6c6a50ae26141f1c73acfa Version: 94c358da3a0545205c6c6a50ae26141f1c73acfa Version: 94c358da3a0545205c6c6a50ae26141f1c73acfa Version: 94c358da3a0545205c6c6a50ae26141f1c73acfa Version: 94c358da3a0545205c6c6a50ae26141f1c73acfa |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/phy/st/phy-stm32-usbphyc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a9eec890879731c280697fdf1c50699e905b2fa7",
"status": "affected",
"version": "94c358da3a0545205c6c6a50ae26141f1c73acfa",
"versionType": "git"
},
{
"lessThan": "fb9d513cdf1614bf0f0e785816afb1faae3f81af",
"status": "affected",
"version": "94c358da3a0545205c6c6a50ae26141f1c73acfa",
"versionType": "git"
},
{
"lessThan": "c06f13876cbad702582cd67fc77356e5524d02cd",
"status": "affected",
"version": "94c358da3a0545205c6c6a50ae26141f1c73acfa",
"versionType": "git"
},
{
"lessThan": "76b870fdaad82171a24b8aacffe5e4d9e0d2ee2c",
"status": "affected",
"version": "94c358da3a0545205c6c6a50ae26141f1c73acfa",
"versionType": "git"
},
{
"lessThan": "b91c9f6bfb04e430adeeac7e7ebc9d80f9d72bad",
"status": "affected",
"version": "94c358da3a0545205c6c6a50ae26141f1c73acfa",
"versionType": "git"
},
{
"lessThan": "7c27eaf183563b86d815ff6e9cca0210b4cfa051",
"status": "affected",
"version": "94c358da3a0545205c6c6a50ae26141f1c73acfa",
"versionType": "git"
},
{
"lessThan": "cabd25b57216ddc132efbcc31f972baa03aad15a",
"status": "affected",
"version": "94c358da3a0545205c6c6a50ae26141f1c73acfa",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/phy/st/phy-stm32-usbphyc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: stm32-usphyc: Fix off by one in probe()\n\nThe \"index\" variable is used as an index into the usbphyc-\u003ephys[] array\nwhich has usbphyc-\u003enphys elements. So if it is equal to usbphyc-\u003enphys\nthen it is one element out of bounds. The \"index\" comes from the\ndevice tree so it\u0027s data that we trust and it\u0027s unlikely to be wrong,\nhowever it\u0027s obviously still worth fixing the bug. Change the \u003e to \u003e=."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:21.876Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a9eec890879731c280697fdf1c50699e905b2fa7"
},
{
"url": "https://git.kernel.org/stable/c/fb9d513cdf1614bf0f0e785816afb1faae3f81af"
},
{
"url": "https://git.kernel.org/stable/c/c06f13876cbad702582cd67fc77356e5524d02cd"
},
{
"url": "https://git.kernel.org/stable/c/76b870fdaad82171a24b8aacffe5e4d9e0d2ee2c"
},
{
"url": "https://git.kernel.org/stable/c/b91c9f6bfb04e430adeeac7e7ebc9d80f9d72bad"
},
{
"url": "https://git.kernel.org/stable/c/7c27eaf183563b86d815ff6e9cca0210b4cfa051"
},
{
"url": "https://git.kernel.org/stable/c/cabd25b57216ddc132efbcc31f972baa03aad15a"
}
],
"title": "phy: stm32-usphyc: Fix off by one in probe()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71196",
"datePublished": "2026-02-04T16:04:17.141Z",
"dateReserved": "2026-01-31T11:36:51.191Z",
"dateUpdated": "2026-02-09T08:36:21.876Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68244 (GCVE-0-2025-68244)
Vulnerability from cvelistv5
Published
2025-12-16 14:21
Modified
2025-12-16 14:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/i915: Avoid lock inversion when pinning to GGTT on CHV/BXT+VTD
On completion of i915_vma_pin_ww(), a synchronous variant of
dma_fence_work_commit() is called. When pinning a VMA to GGTT address
space on a Cherry View family processor, or on a Broxton generation SoC
with VTD enabled, i.e., when stop_machine() is then called from
intel_ggtt_bind_vma(), that can potentially lead to lock inversion among
reservation_ww and cpu_hotplug locks.
[86.861179] ======================================================
[86.861193] WARNING: possible circular locking dependency detected
[86.861209] 6.15.0-rc5-CI_DRM_16515-gca0305cadc2d+ #1 Tainted: G U
[86.861226] ------------------------------------------------------
[86.861238] i915_module_loa/1432 is trying to acquire lock:
[86.861252] ffffffff83489090 (cpu_hotplug_lock){++++}-{0:0}, at: stop_machine+0x1c/0x50
[86.861290]
but task is already holding lock:
[86.861303] ffffc90002e0b4c8 (reservation_ww_class_mutex){+.+.}-{3:3}, at: i915_vma_pin.constprop.0+0x39/0x1d0 [i915]
[86.862233]
which lock already depends on the new lock.
[86.862251]
the existing dependency chain (in reverse order) is:
[86.862265]
-> #5 (reservation_ww_class_mutex){+.+.}-{3:3}:
[86.862292] dma_resv_lockdep+0x19a/0x390
[86.862315] do_one_initcall+0x60/0x3f0
[86.862334] kernel_init_freeable+0x3cd/0x680
[86.862353] kernel_init+0x1b/0x200
[86.862369] ret_from_fork+0x47/0x70
[86.862383] ret_from_fork_asm+0x1a/0x30
[86.862399]
-> #4 (reservation_ww_class_acquire){+.+.}-{0:0}:
[86.862425] dma_resv_lockdep+0x178/0x390
[86.862440] do_one_initcall+0x60/0x3f0
[86.862454] kernel_init_freeable+0x3cd/0x680
[86.862470] kernel_init+0x1b/0x200
[86.862482] ret_from_fork+0x47/0x70
[86.862495] ret_from_fork_asm+0x1a/0x30
[86.862509]
-> #3 (&mm->mmap_lock){++++}-{3:3}:
[86.862531] down_read_killable+0x46/0x1e0
[86.862546] lock_mm_and_find_vma+0xa2/0x280
[86.862561] do_user_addr_fault+0x266/0x8e0
[86.862578] exc_page_fault+0x8a/0x2f0
[86.862593] asm_exc_page_fault+0x27/0x30
[86.862607] filldir64+0xeb/0x180
[86.862620] kernfs_fop_readdir+0x118/0x480
[86.862635] iterate_dir+0xcf/0x2b0
[86.862648] __x64_sys_getdents64+0x84/0x140
[86.862661] x64_sys_call+0x1058/0x2660
[86.862675] do_syscall_64+0x91/0xe90
[86.862689] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[86.862703]
-> #2 (&root->kernfs_rwsem){++++}-{3:3}:
[86.862725] down_write+0x3e/0xf0
[86.862738] kernfs_add_one+0x30/0x3c0
[86.862751] kernfs_create_dir_ns+0x53/0xb0
[86.862765] internal_create_group+0x134/0x4c0
[86.862779] sysfs_create_group+0x13/0x20
[86.862792] topology_add_dev+0x1d/0x30
[86.862806] cpuhp_invoke_callback+0x4b5/0x850
[86.862822] cpuhp_issue_call+0xbf/0x1f0
[86.862836] __cpuhp_setup_state_cpuslocked+0x111/0x320
[86.862852] __cpuhp_setup_state+0xb0/0x220
[86.862866] topology_sysfs_init+0x30/0x50
[86.862879] do_one_initcall+0x60/0x3f0
[86.862893] kernel_init_freeable+0x3cd/0x680
[86.862908] kernel_init+0x1b/0x200
[86.862921] ret_from_fork+0x47/0x70
[86.862934] ret_from_fork_asm+0x1a/0x30
[86.862947]
-> #1 (cpuhp_state_mutex){+.+.}-{3:3}:
[86.862969] __mutex_lock+0xaa/0xed0
[86.862982] mutex_lock_nested+0x1b/0x30
[86.862995] __cpuhp_setup_state_cpuslocked+0x67/0x320
[86.863012] __cpuhp_setup_state+0xb0/0x220
[86.863026] page_alloc_init_cpuhp+0x2d/0x60
[86.863041] mm_core_init+0x22/0x2d0
[86.863054] start_kernel+0x576/0xbd0
[86.863068] x86_64_start_reservations+0x18/0x30
[86.863084] x86_64_start_kernel+0xbf/0x110
[86.863098] common_startup_64+0x13e/0x141
[86.863114]
-> #0 (cpu_hotplug_lock){++++}-{0:0}:
[86.863135] __lock_acquire+0x16
---truncated---
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 7d1c2618eac590d948eb33b9807d913ddb6e105f Version: 7d1c2618eac590d948eb33b9807d913ddb6e105f Version: 7d1c2618eac590d948eb33b9807d913ddb6e105f Version: 7d1c2618eac590d948eb33b9807d913ddb6e105f Version: 7d1c2618eac590d948eb33b9807d913ddb6e105f Version: 7d1c2618eac590d948eb33b9807d913ddb6e105f |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/i915_vma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e988634d7aae7214818b9c86cd7ef9e78c84b02d",
"status": "affected",
"version": "7d1c2618eac590d948eb33b9807d913ddb6e105f",
"versionType": "git"
},
{
"lessThan": "20d94a6117b752fd10a78cefdc1cf2c16706048b",
"status": "affected",
"version": "7d1c2618eac590d948eb33b9807d913ddb6e105f",
"versionType": "git"
},
{
"lessThan": "3dec22bde207a36f1b8a4b80564cbbe13996a7cd",
"status": "affected",
"version": "7d1c2618eac590d948eb33b9807d913ddb6e105f",
"versionType": "git"
},
{
"lessThan": "4e73066e3323add260e46eb51f79383d87950281",
"status": "affected",
"version": "7d1c2618eac590d948eb33b9807d913ddb6e105f",
"versionType": "git"
},
{
"lessThan": "858a50127be714f55c3bcb25621028d4a323d77e",
"status": "affected",
"version": "7d1c2618eac590d948eb33b9807d913ddb6e105f",
"versionType": "git"
},
{
"lessThan": "84bbe327a5cbb060f3321c9d9d4d53936fc1ef9b",
"status": "affected",
"version": "7d1c2618eac590d948eb33b9807d913ddb6e105f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/i915_vma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915: Avoid lock inversion when pinning to GGTT on CHV/BXT+VTD\n\nOn completion of i915_vma_pin_ww(), a synchronous variant of\ndma_fence_work_commit() is called. When pinning a VMA to GGTT address\nspace on a Cherry View family processor, or on a Broxton generation SoC\nwith VTD enabled, i.e., when stop_machine() is then called from\nintel_ggtt_bind_vma(), that can potentially lead to lock inversion among\nreservation_ww and cpu_hotplug locks.\n\n[86.861179] ======================================================\n[86.861193] WARNING: possible circular locking dependency detected\n[86.861209] 6.15.0-rc5-CI_DRM_16515-gca0305cadc2d+ #1 Tainted: G U\n[86.861226] ------------------------------------------------------\n[86.861238] i915_module_loa/1432 is trying to acquire lock:\n[86.861252] ffffffff83489090 (cpu_hotplug_lock){++++}-{0:0}, at: stop_machine+0x1c/0x50\n[86.861290]\nbut task is already holding lock:\n[86.861303] ffffc90002e0b4c8 (reservation_ww_class_mutex){+.+.}-{3:3}, at: i915_vma_pin.constprop.0+0x39/0x1d0 [i915]\n[86.862233]\nwhich lock already depends on the new lock.\n[86.862251]\nthe existing dependency chain (in reverse order) is:\n[86.862265]\n-\u003e #5 (reservation_ww_class_mutex){+.+.}-{3:3}:\n[86.862292] dma_resv_lockdep+0x19a/0x390\n[86.862315] do_one_initcall+0x60/0x3f0\n[86.862334] kernel_init_freeable+0x3cd/0x680\n[86.862353] kernel_init+0x1b/0x200\n[86.862369] ret_from_fork+0x47/0x70\n[86.862383] ret_from_fork_asm+0x1a/0x30\n[86.862399]\n-\u003e #4 (reservation_ww_class_acquire){+.+.}-{0:0}:\n[86.862425] dma_resv_lockdep+0x178/0x390\n[86.862440] do_one_initcall+0x60/0x3f0\n[86.862454] kernel_init_freeable+0x3cd/0x680\n[86.862470] kernel_init+0x1b/0x200\n[86.862482] ret_from_fork+0x47/0x70\n[86.862495] ret_from_fork_asm+0x1a/0x30\n[86.862509]\n-\u003e #3 (\u0026mm-\u003emmap_lock){++++}-{3:3}:\n[86.862531] down_read_killable+0x46/0x1e0\n[86.862546] lock_mm_and_find_vma+0xa2/0x280\n[86.862561] do_user_addr_fault+0x266/0x8e0\n[86.862578] exc_page_fault+0x8a/0x2f0\n[86.862593] asm_exc_page_fault+0x27/0x30\n[86.862607] filldir64+0xeb/0x180\n[86.862620] kernfs_fop_readdir+0x118/0x480\n[86.862635] iterate_dir+0xcf/0x2b0\n[86.862648] __x64_sys_getdents64+0x84/0x140\n[86.862661] x64_sys_call+0x1058/0x2660\n[86.862675] do_syscall_64+0x91/0xe90\n[86.862689] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[86.862703]\n-\u003e #2 (\u0026root-\u003ekernfs_rwsem){++++}-{3:3}:\n[86.862725] down_write+0x3e/0xf0\n[86.862738] kernfs_add_one+0x30/0x3c0\n[86.862751] kernfs_create_dir_ns+0x53/0xb0\n[86.862765] internal_create_group+0x134/0x4c0\n[86.862779] sysfs_create_group+0x13/0x20\n[86.862792] topology_add_dev+0x1d/0x30\n[86.862806] cpuhp_invoke_callback+0x4b5/0x850\n[86.862822] cpuhp_issue_call+0xbf/0x1f0\n[86.862836] __cpuhp_setup_state_cpuslocked+0x111/0x320\n[86.862852] __cpuhp_setup_state+0xb0/0x220\n[86.862866] topology_sysfs_init+0x30/0x50\n[86.862879] do_one_initcall+0x60/0x3f0\n[86.862893] kernel_init_freeable+0x3cd/0x680\n[86.862908] kernel_init+0x1b/0x200\n[86.862921] ret_from_fork+0x47/0x70\n[86.862934] ret_from_fork_asm+0x1a/0x30\n[86.862947]\n-\u003e #1 (cpuhp_state_mutex){+.+.}-{3:3}:\n[86.862969] __mutex_lock+0xaa/0xed0\n[86.862982] mutex_lock_nested+0x1b/0x30\n[86.862995] __cpuhp_setup_state_cpuslocked+0x67/0x320\n[86.863012] __cpuhp_setup_state+0xb0/0x220\n[86.863026] page_alloc_init_cpuhp+0x2d/0x60\n[86.863041] mm_core_init+0x22/0x2d0\n[86.863054] start_kernel+0x576/0xbd0\n[86.863068] x86_64_start_reservations+0x18/0x30\n[86.863084] x86_64_start_kernel+0xbf/0x110\n[86.863098] common_startup_64+0x13e/0x141\n[86.863114]\n-\u003e #0 (cpu_hotplug_lock){++++}-{0:0}:\n[86.863135] __lock_acquire+0x16\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T14:21:21.277Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e988634d7aae7214818b9c86cd7ef9e78c84b02d"
},
{
"url": "https://git.kernel.org/stable/c/20d94a6117b752fd10a78cefdc1cf2c16706048b"
},
{
"url": "https://git.kernel.org/stable/c/3dec22bde207a36f1b8a4b80564cbbe13996a7cd"
},
{
"url": "https://git.kernel.org/stable/c/4e73066e3323add260e46eb51f79383d87950281"
},
{
"url": "https://git.kernel.org/stable/c/858a50127be714f55c3bcb25621028d4a323d77e"
},
{
"url": "https://git.kernel.org/stable/c/84bbe327a5cbb060f3321c9d9d4d53936fc1ef9b"
}
],
"title": "drm/i915: Avoid lock inversion when pinning to GGTT on CHV/BXT+VTD",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68244",
"datePublished": "2025-12-16T14:21:21.277Z",
"dateReserved": "2025-12-16T13:41:40.263Z",
"dateUpdated": "2025-12-16T14:21:21.277Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39973 (GCVE-0-2025-39973)
Vulnerability from cvelistv5
Published
2025-10-15 07:55
Modified
2025-10-15 07:55
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
i40e: add validation for ring_len param
The `ring_len` parameter provided by the virtual function (VF)
is assigned directly to the hardware memory context (HMC) without
any validation.
To address this, introduce an upper boundary check for both Tx and Rx
queue lengths. The maximum number of descriptors supported by the
hardware is 8k-32.
Additionally, enforce alignment constraints: Tx rings must be a multiple
of 8, and Rx rings must be a multiple of 32.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 5c3c48ac6bf56367c4e89f6453cd2d61e50375bd Version: 5c3c48ac6bf56367c4e89f6453cd2d61e50375bd Version: 5c3c48ac6bf56367c4e89f6453cd2d61e50375bd Version: 5c3c48ac6bf56367c4e89f6453cd2d61e50375bd Version: 5c3c48ac6bf56367c4e89f6453cd2d61e50375bd Version: 5c3c48ac6bf56367c4e89f6453cd2d61e50375bd Version: 5c3c48ac6bf56367c4e89f6453cd2d61e50375bd Version: 5c3c48ac6bf56367c4e89f6453cd2d61e50375bd |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0543d40d6513cdf1c7882811086e59a6455dfe97",
"status": "affected",
"version": "5c3c48ac6bf56367c4e89f6453cd2d61e50375bd",
"versionType": "git"
},
{
"lessThan": "7d749e38dd2b7e8a80da2ca30c93e09de95bfcf9",
"status": "affected",
"version": "5c3c48ac6bf56367c4e89f6453cd2d61e50375bd",
"versionType": "git"
},
{
"lessThan": "45a7527cd7da4cdcf3b06b5c0cb1cae30b5a5985",
"status": "affected",
"version": "5c3c48ac6bf56367c4e89f6453cd2d61e50375bd",
"versionType": "git"
},
{
"lessThan": "d3b0d3f8d11fa957171fbb186e53998361a88d4e",
"status": "affected",
"version": "5c3c48ac6bf56367c4e89f6453cd2d61e50375bd",
"versionType": "git"
},
{
"lessThan": "c0c83f4cd074b75cecef107bfc349be7d516c9c4",
"status": "affected",
"version": "5c3c48ac6bf56367c4e89f6453cd2d61e50375bd",
"versionType": "git"
},
{
"lessThan": "05fe81fb9db20464fa532a3835dc8300d68a2f84",
"status": "affected",
"version": "5c3c48ac6bf56367c4e89f6453cd2d61e50375bd",
"versionType": "git"
},
{
"lessThan": "afec12adab55d10708179a64d95d650741e60fe0",
"status": "affected",
"version": "5c3c48ac6bf56367c4e89f6453cd2d61e50375bd",
"versionType": "git"
},
{
"lessThan": "55d225670def06b01af2e7a5e0446fbe946289e8",
"status": "affected",
"version": "5c3c48ac6bf56367c4e89f6453cd2d61e50375bd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.12"
},
{
"lessThan": "3.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.155",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.50",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.155",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.109",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "3.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: add validation for ring_len param\n\nThe `ring_len` parameter provided by the virtual function (VF)\nis assigned directly to the hardware memory context (HMC) without\nany validation.\n\nTo address this, introduce an upper boundary check for both Tx and Rx\nqueue lengths. The maximum number of descriptors supported by the\nhardware is 8k-32.\nAdditionally, enforce alignment constraints: Tx rings must be a multiple\nof 8, and Rx rings must be a multiple of 32."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T07:55:55.590Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0543d40d6513cdf1c7882811086e59a6455dfe97"
},
{
"url": "https://git.kernel.org/stable/c/7d749e38dd2b7e8a80da2ca30c93e09de95bfcf9"
},
{
"url": "https://git.kernel.org/stable/c/45a7527cd7da4cdcf3b06b5c0cb1cae30b5a5985"
},
{
"url": "https://git.kernel.org/stable/c/d3b0d3f8d11fa957171fbb186e53998361a88d4e"
},
{
"url": "https://git.kernel.org/stable/c/c0c83f4cd074b75cecef107bfc349be7d516c9c4"
},
{
"url": "https://git.kernel.org/stable/c/05fe81fb9db20464fa532a3835dc8300d68a2f84"
},
{
"url": "https://git.kernel.org/stable/c/afec12adab55d10708179a64d95d650741e60fe0"
},
{
"url": "https://git.kernel.org/stable/c/55d225670def06b01af2e7a5e0446fbe946289e8"
}
],
"title": "i40e: add validation for ring_len param",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39973",
"datePublished": "2025-10-15T07:55:55.590Z",
"dateReserved": "2025-04-16T07:20:57.149Z",
"dateUpdated": "2025-10-15T07:55:55.590Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-71109 (GCVE-0-2025-71109)
Vulnerability from cvelistv5
Published
2026-01-14 15:05
Modified
2026-02-09 08:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
MIPS: ftrace: Fix memory corruption when kernel is located beyond 32 bits
Since commit e424054000878 ("MIPS: Tracing: Reduce the overhead of
dynamic Function Tracer"), the macro UASM_i_LA_mostly has been used,
and this macro can generate more than 2 instructions. At the same
time, the code in ftrace assumes that no more than 2 instructions can
be generated, which is why it stores them in an int[2] array. However,
as previously noted, the macro UASM_i_LA_mostly (and now UASM_i_LA)
causes a buffer overflow when _mcount is beyond 32 bits. This leads to
corruption of the variables located in the __read_mostly section.
This corruption was observed because the variable
__cpu_primary_thread_mask was corrupted, causing a hang very early
during boot.
This fix prevents the corruption by avoiding the generation of
instructions if they could exceed 2 instructions in
length. Fortunately, insn_la_mcount is only used if the instrumented
code is located outside the kernel code section, so dynamic ftrace can
still be used, albeit in a more limited scope. This is still
preferable to corrupting memory and/or crashing the kernel.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/mips/kernel/ftrace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e3e33ac2eb69d595079a1a1e444c2fb98efdd42d",
"status": "affected",
"version": "e424054000878d7eb11e44289242886d6e219d22",
"versionType": "git"
},
{
"lessThan": "7f39b9d0e86ed6236b9a5fb67616ab1f76c4f150",
"status": "affected",
"version": "e424054000878d7eb11e44289242886d6e219d22",
"versionType": "git"
},
{
"lessThan": "36dac9a3dda1f2bae343191bc16b910c603cac25",
"status": "affected",
"version": "e424054000878d7eb11e44289242886d6e219d22",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/mips/kernel/ftrace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.35"
},
{
"lessThan": "2.6.35",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.35",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nMIPS: ftrace: Fix memory corruption when kernel is located beyond 32 bits\n\nSince commit e424054000878 (\"MIPS: Tracing: Reduce the overhead of\ndynamic Function Tracer\"), the macro UASM_i_LA_mostly has been used,\nand this macro can generate more than 2 instructions. At the same\ntime, the code in ftrace assumes that no more than 2 instructions can\nbe generated, which is why it stores them in an int[2] array. However,\nas previously noted, the macro UASM_i_LA_mostly (and now UASM_i_LA)\ncauses a buffer overflow when _mcount is beyond 32 bits. This leads to\ncorruption of the variables located in the __read_mostly section.\n\nThis corruption was observed because the variable\n__cpu_primary_thread_mask was corrupted, causing a hang very early\nduring boot.\n\nThis fix prevents the corruption by avoiding the generation of\ninstructions if they could exceed 2 instructions in\nlength. Fortunately, insn_la_mcount is only used if the instrumented\ncode is located outside the kernel code section, so dynamic ftrace can\nstill be used, albeit in a more limited scope. This is still\npreferable to corrupting memory and/or crashing the kernel."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:03.334Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e3e33ac2eb69d595079a1a1e444c2fb98efdd42d"
},
{
"url": "https://git.kernel.org/stable/c/7f39b9d0e86ed6236b9a5fb67616ab1f76c4f150"
},
{
"url": "https://git.kernel.org/stable/c/36dac9a3dda1f2bae343191bc16b910c603cac25"
}
],
"title": "MIPS: ftrace: Fix memory corruption when kernel is located beyond 32 bits",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71109",
"datePublished": "2026-01-14T15:05:57.236Z",
"dateReserved": "2026-01-13T15:30:19.652Z",
"dateUpdated": "2026-02-09T08:35:03.334Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68332 (GCVE-0-2025-68332)
Vulnerability from cvelistv5
Published
2025-12-22 16:14
Modified
2026-02-09 08:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
comedi: c6xdigio: Fix invalid PNP driver unregistration
The Comedi low-level driver "c6xdigio" seems to be for a parallel port
connected device. When the Comedi core calls the driver's Comedi
"attach" handler `c6xdigio_attach()` to configure a Comedi to use this
driver, it tries to enable the parallel port PNP resources by
registering a PNP driver with `pnp_register_driver()`, but ignores the
return value. (The `struct pnp_driver` it uses has only the `name` and
`id_table` members filled in.) The driver's Comedi "detach" handler
`c6xdigio_detach()` unconditionally unregisters the PNP driver with
`pnp_unregister_driver()`.
It is possible for `c6xdigio_attach()` to return an error before it
calls `pnp_register_driver()` and it is possible for the call to
`pnp_register_driver()` to return an error (that is ignored). In both
cases, the driver should not be calling `pnp_unregister_driver()` as it
does in `c6xdigio_detach()`. (Note that `c6xdigio_detach()` will be
called by the Comedi core if `c6xdigio_attach()` returns an error, or if
the Comedi core decides to detach the Comedi device from the driver for
some other reason.)
The unconditional call to `pnp_unregister_driver()` without a previous
successful call to `pnp_register_driver()` will cause
`driver_unregister()` to issue a warning "Unexpected driver
unregister!". This was detected by Syzbot [1].
Also, the PNP driver registration and unregistration should be done at
module init and exit time, respectively, not when attaching or detaching
Comedi devices to the driver. (There might be more than one Comedi
device being attached to the driver, although that is unlikely.)
Change the driver to do the PNP driver registration at module init time,
and the unregistration at module exit time. Since `c6xdigio_detach()`
now only calls `comedi_legacy_detach()`, remove the function and change
the Comedi driver "detach" handler to `comedi_legacy_detach`.
-------------------------------------------
[1] Syzbot sample crash report:
Unexpected driver unregister!
WARNING: CPU: 0 PID: 5970 at drivers/base/driver.c:273 driver_unregister drivers/base/driver.c:273 [inline]
WARNING: CPU: 0 PID: 5970 at drivers/base/driver.c:273 driver_unregister+0x90/0xb0 drivers/base/driver.c:270
Modules linked in:
CPU: 0 UID: 0 PID: 5970 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
RIP: 0010:driver_unregister drivers/base/driver.c:273 [inline]
RIP: 0010:driver_unregister+0x90/0xb0 drivers/base/driver.c:270
Code: 48 89 ef e8 c2 e6 82 fc 48 89 df e8 3a 93 ff ff 5b 5d e9 c3 6d d9 fb e8 be 6d d9 fb 90 48 c7 c7 e0 f8 1f 8c e8 51 a2 97 fb 90 <0f> 0b 90 90 5b 5d e9 a5 6d d9 fb e8 e0 f4 41 fc eb 94 e8 d9 f4 41
RSP: 0018:ffffc9000373f9a0 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffffffff8ff24720 RCX: ffffffff817b6ee8
RDX: ffff88807c932480 RSI: ffffffff817b6ef5 RDI: 0000000000000001
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: ffffffff8ff24660
R13: dffffc0000000000 R14: 0000000000000000 R15: ffff88814cca0000
FS: 000055556dab1500(0000) GS:ffff8881249d9000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055f77f285cd0 CR3: 000000007d871000 CR4: 00000000003526f0
Call Trace:
<TASK>
comedi_device_detach_locked+0x12f/0xa50 drivers/comedi/drivers.c:207
comedi_device_detach+0x67/0xb0 drivers/comedi/drivers.c:215
comedi_device_attach+0x43d/0x900 drivers/comedi/drivers.c:1011
do_devconfig_ioctl+0x1b1/0x710 drivers/comedi/comedi_fops.c:872
comedi_unlocked_ioctl+0x165d/0x2f00 drivers/comedi/comedi_fops.c:2178
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_sys
---truncated---
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 2c89e159cd2f386285e9522d6476dd7e801bee22 Version: 2c89e159cd2f386285e9522d6476dd7e801bee22 Version: 2c89e159cd2f386285e9522d6476dd7e801bee22 Version: 2c89e159cd2f386285e9522d6476dd7e801bee22 Version: 2c89e159cd2f386285e9522d6476dd7e801bee22 Version: 2c89e159cd2f386285e9522d6476dd7e801bee22 Version: 2c89e159cd2f386285e9522d6476dd7e801bee22 Version: 2c89e159cd2f386285e9522d6476dd7e801bee22 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/comedi/drivers/c6xdigio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "407b25bb9284d69c27309e691ab1e02f9e1c46ac",
"status": "affected",
"version": "2c89e159cd2f386285e9522d6476dd7e801bee22",
"versionType": "git"
},
{
"lessThan": "f7fa1f4670c3c358a451546f0b80b9231952912d",
"status": "affected",
"version": "2c89e159cd2f386285e9522d6476dd7e801bee22",
"versionType": "git"
},
{
"lessThan": "e8110402b0c24d822b0b933d87d50870d59667ef",
"status": "affected",
"version": "2c89e159cd2f386285e9522d6476dd7e801bee22",
"versionType": "git"
},
{
"lessThan": "72b3627b0d3b819de49b29c2c8cb1c64d54536b9",
"status": "affected",
"version": "2c89e159cd2f386285e9522d6476dd7e801bee22",
"versionType": "git"
},
{
"lessThan": "9fd8c8ad35c8d2390ce5ca2eb523c044bebdc072",
"status": "affected",
"version": "2c89e159cd2f386285e9522d6476dd7e801bee22",
"versionType": "git"
},
{
"lessThan": "698149d797d0178162f394c55d4ed52aa0e0b7f6",
"status": "affected",
"version": "2c89e159cd2f386285e9522d6476dd7e801bee22",
"versionType": "git"
},
{
"lessThan": "888f7e2847bcb9df8257e656e1e837828942c53b",
"status": "affected",
"version": "2c89e159cd2f386285e9522d6476dd7e801bee22",
"versionType": "git"
},
{
"lessThan": "72262330f7b3ad2130e800cecf02adcce3c32c77",
"status": "affected",
"version": "2c89e159cd2f386285e9522d6476dd7e801bee22",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/comedi/drivers/c6xdigio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.30"
},
{
"lessThan": "2.6.30",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.62",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.62",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.12",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.1",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.30",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: c6xdigio: Fix invalid PNP driver unregistration\n\nThe Comedi low-level driver \"c6xdigio\" seems to be for a parallel port\nconnected device. When the Comedi core calls the driver\u0027s Comedi\n\"attach\" handler `c6xdigio_attach()` to configure a Comedi to use this\ndriver, it tries to enable the parallel port PNP resources by\nregistering a PNP driver with `pnp_register_driver()`, but ignores the\nreturn value. (The `struct pnp_driver` it uses has only the `name` and\n`id_table` members filled in.) The driver\u0027s Comedi \"detach\" handler\n`c6xdigio_detach()` unconditionally unregisters the PNP driver with\n`pnp_unregister_driver()`.\n\nIt is possible for `c6xdigio_attach()` to return an error before it\ncalls `pnp_register_driver()` and it is possible for the call to\n`pnp_register_driver()` to return an error (that is ignored). In both\ncases, the driver should not be calling `pnp_unregister_driver()` as it\ndoes in `c6xdigio_detach()`. (Note that `c6xdigio_detach()` will be\ncalled by the Comedi core if `c6xdigio_attach()` returns an error, or if\nthe Comedi core decides to detach the Comedi device from the driver for\nsome other reason.)\n\nThe unconditional call to `pnp_unregister_driver()` without a previous\nsuccessful call to `pnp_register_driver()` will cause\n`driver_unregister()` to issue a warning \"Unexpected driver\nunregister!\". This was detected by Syzbot [1].\n\nAlso, the PNP driver registration and unregistration should be done at\nmodule init and exit time, respectively, not when attaching or detaching\nComedi devices to the driver. (There might be more than one Comedi\ndevice being attached to the driver, although that is unlikely.)\n\nChange the driver to do the PNP driver registration at module init time,\nand the unregistration at module exit time. Since `c6xdigio_detach()`\nnow only calls `comedi_legacy_detach()`, remove the function and change\nthe Comedi driver \"detach\" handler to `comedi_legacy_detach`.\n\n-------------------------------------------\n[1] Syzbot sample crash report:\nUnexpected driver unregister!\nWARNING: CPU: 0 PID: 5970 at drivers/base/driver.c:273 driver_unregister drivers/base/driver.c:273 [inline]\nWARNING: CPU: 0 PID: 5970 at drivers/base/driver.c:273 driver_unregister+0x90/0xb0 drivers/base/driver.c:270\nModules linked in:\nCPU: 0 UID: 0 PID: 5970 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025\nRIP: 0010:driver_unregister drivers/base/driver.c:273 [inline]\nRIP: 0010:driver_unregister+0x90/0xb0 drivers/base/driver.c:270\nCode: 48 89 ef e8 c2 e6 82 fc 48 89 df e8 3a 93 ff ff 5b 5d e9 c3 6d d9 fb e8 be 6d d9 fb 90 48 c7 c7 e0 f8 1f 8c e8 51 a2 97 fb 90 \u003c0f\u003e 0b 90 90 5b 5d e9 a5 6d d9 fb e8 e0 f4 41 fc eb 94 e8 d9 f4 41\nRSP: 0018:ffffc9000373f9a0 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: ffffffff8ff24720 RCX: ffffffff817b6ee8\nRDX: ffff88807c932480 RSI: ffffffff817b6ef5 RDI: 0000000000000001\nRBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000001 R12: ffffffff8ff24660\nR13: dffffc0000000000 R14: 0000000000000000 R15: ffff88814cca0000\nFS: 000055556dab1500(0000) GS:ffff8881249d9000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000055f77f285cd0 CR3: 000000007d871000 CR4: 00000000003526f0\nCall Trace:\n \u003cTASK\u003e\n comedi_device_detach_locked+0x12f/0xa50 drivers/comedi/drivers.c:207\n comedi_device_detach+0x67/0xb0 drivers/comedi/drivers.c:215\n comedi_device_attach+0x43d/0x900 drivers/comedi/drivers.c:1011\n do_devconfig_ioctl+0x1b1/0x710 drivers/comedi/comedi_fops.c:872\n comedi_unlocked_ioctl+0x165d/0x2f00 drivers/comedi/comedi_fops.c:2178\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:597 [inline]\n __se_sys_ioctl fs/ioctl.c:583 [inline]\n __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_sys\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:31:28.074Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/407b25bb9284d69c27309e691ab1e02f9e1c46ac"
},
{
"url": "https://git.kernel.org/stable/c/f7fa1f4670c3c358a451546f0b80b9231952912d"
},
{
"url": "https://git.kernel.org/stable/c/e8110402b0c24d822b0b933d87d50870d59667ef"
},
{
"url": "https://git.kernel.org/stable/c/72b3627b0d3b819de49b29c2c8cb1c64d54536b9"
},
{
"url": "https://git.kernel.org/stable/c/9fd8c8ad35c8d2390ce5ca2eb523c044bebdc072"
},
{
"url": "https://git.kernel.org/stable/c/698149d797d0178162f394c55d4ed52aa0e0b7f6"
},
{
"url": "https://git.kernel.org/stable/c/888f7e2847bcb9df8257e656e1e837828942c53b"
},
{
"url": "https://git.kernel.org/stable/c/72262330f7b3ad2130e800cecf02adcce3c32c77"
}
],
"title": "comedi: c6xdigio: Fix invalid PNP driver unregistration",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68332",
"datePublished": "2025-12-22T16:14:10.146Z",
"dateReserved": "2025-12-16T14:48:05.297Z",
"dateUpdated": "2026-02-09T08:31:28.074Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68817 (GCVE-0-2025-68817)
Vulnerability from cvelistv5
Published
2026-01-13 15:29
Modified
2026-02-09 08:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix use-after-free in ksmbd_tree_connect_put under concurrency
Under high concurrency, A tree-connection object (tcon) is freed on
a disconnect path while another path still holds a reference and later
executes *_put()/write on it.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: dd45db4d9bbc8f122a9b4db5ce94ae29fcf03d3c Version: 7b58ee8d0b91359554cf219cd4f33872ea2afd66 Version: 33b235a6e6ebe0f05f3586a71e8d281d00f71e2e Version: 33b235a6e6ebe0f05f3586a71e8d281d00f71e2e Version: 33b235a6e6ebe0f05f3586a71e8d281d00f71e2e Version: 33b235a6e6ebe0f05f3586a71e8d281d00f71e2e |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/mgmt/tree_connect.c",
"fs/smb/server/mgmt/tree_connect.h",
"fs/smb/server/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "446beed646b2e426dd53d27358365f8678e1dd01",
"status": "affected",
"version": "dd45db4d9bbc8f122a9b4db5ce94ae29fcf03d3c",
"versionType": "git"
},
{
"lessThan": "d092de8a26c952379ded8e6b0bda31d89befac1a",
"status": "affected",
"version": "7b58ee8d0b91359554cf219cd4f33872ea2afd66",
"versionType": "git"
},
{
"lessThan": "d64977495e44855f2b28d8ce56107c963a7a50e4",
"status": "affected",
"version": "33b235a6e6ebe0f05f3586a71e8d281d00f71e2e",
"versionType": "git"
},
{
"lessThan": "21a3d01fc6db5129f81edb0ab7cb94fd758bcbea",
"status": "affected",
"version": "33b235a6e6ebe0f05f3586a71e8d281d00f71e2e",
"versionType": "git"
},
{
"lessThan": "063cbbc6f595ea36ad146e1b7d2af820894beb21",
"status": "affected",
"version": "33b235a6e6ebe0f05f3586a71e8d281d00f71e2e",
"versionType": "git"
},
{
"lessThan": "b39a1833cc4a2755b02603eec3a71a85e9dff926",
"status": "affected",
"version": "33b235a6e6ebe0f05f3586a71e8d281d00f71e2e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/mgmt/tree_connect.c",
"fs/smb/server/mgmt/tree_connect.h",
"fs/smb/server/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.6"
},
{
"lessThan": "6.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "5.15.145",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "6.1.71",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix use-after-free in ksmbd_tree_connect_put under concurrency\n\nUnder high concurrency, A tree-connection object (tcon) is freed on\na disconnect path while another path still holds a reference and later\nexecutes *_put()/write on it."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:07.177Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/446beed646b2e426dd53d27358365f8678e1dd01"
},
{
"url": "https://git.kernel.org/stable/c/d092de8a26c952379ded8e6b0bda31d89befac1a"
},
{
"url": "https://git.kernel.org/stable/c/d64977495e44855f2b28d8ce56107c963a7a50e4"
},
{
"url": "https://git.kernel.org/stable/c/21a3d01fc6db5129f81edb0ab7cb94fd758bcbea"
},
{
"url": "https://git.kernel.org/stable/c/063cbbc6f595ea36ad146e1b7d2af820894beb21"
},
{
"url": "https://git.kernel.org/stable/c/b39a1833cc4a2755b02603eec3a71a85e9dff926"
}
],
"title": "ksmbd: fix use-after-free in ksmbd_tree_connect_put under concurrency",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68817",
"datePublished": "2026-01-13T15:29:21.210Z",
"dateReserved": "2025-12-24T10:30:51.048Z",
"dateUpdated": "2026-02-09T08:34:07.177Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40254 (GCVE-0-2025-40254)
Vulnerability from cvelistv5
Published
2025-12-04 16:08
Modified
2025-12-06 21:38
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: openvswitch: remove never-working support for setting nsh fields
The validation of the set(nsh(...)) action is completely wrong.
It runs through the nsh_key_put_from_nlattr() function that is the
same function that validates NSH keys for the flow match and the
push_nsh() action. However, the set(nsh(...)) has a very different
memory layout. Nested attributes in there are doubled in size in
case of the masked set(). That makes proper validation impossible.
There is also confusion in the code between the 'masked' flag, that
says that the nested attributes are doubled in size containing both
the value and the mask, and the 'is_mask' that says that the value
we're parsing is the mask. This is causing kernel crash on trying to
write into mask part of the match with SW_FLOW_KEY_PUT() during
validation, while validate_nsh() doesn't allocate any memory for it:
BUG: kernel NULL pointer dereference, address: 0000000000000018
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 1c2383067 P4D 1c2383067 PUD 20b703067 PMD 0
Oops: Oops: 0000 [#1] SMP NOPTI
CPU: 8 UID: 0 Kdump: loaded Not tainted 6.17.0-rc4+ #107 PREEMPT(voluntary)
RIP: 0010:nsh_key_put_from_nlattr+0x19d/0x610 [openvswitch]
Call Trace:
<TASK>
validate_nsh+0x60/0x90 [openvswitch]
validate_set.constprop.0+0x270/0x3c0 [openvswitch]
__ovs_nla_copy_actions+0x477/0x860 [openvswitch]
ovs_nla_copy_actions+0x8d/0x100 [openvswitch]
ovs_packet_cmd_execute+0x1cc/0x310 [openvswitch]
genl_family_rcv_msg_doit+0xdb/0x130
genl_family_rcv_msg+0x14b/0x220
genl_rcv_msg+0x47/0xa0
netlink_rcv_skb+0x53/0x100
genl_rcv+0x24/0x40
netlink_unicast+0x280/0x3b0
netlink_sendmsg+0x1f7/0x430
____sys_sendmsg+0x36b/0x3a0
___sys_sendmsg+0x87/0xd0
__sys_sendmsg+0x6d/0xd0
do_syscall_64+0x7b/0x2c0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
The third issue with this process is that while trying to convert
the non-masked set into masked one, validate_set() copies and doubles
the size of the OVS_KEY_ATTR_NSH as if it didn't have any nested
attributes. It should be copying each nested attribute and doubling
them in size independently. And the process must be properly reversed
during the conversion back from masked to a non-masked variant during
the flow dump.
In the end, the only two outcomes of trying to use this action are
either validation failure or a kernel crash. And if somehow someone
manages to install a flow with such an action, it will most definitely
not do what it is supposed to, since all the keys and the masks are
mixed up.
Fixing all the issues is a complex task as it requires re-writing
most of the validation code.
Given that and the fact that this functionality never worked since
introduction, let's just remove it altogether. It's better to
re-introduce it later with a proper implementation instead of trying
to fix it in stable releases.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3 Version: b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3 Version: b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3 Version: b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3 Version: b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3 Version: b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3 Version: b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3 Version: b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/openvswitch/actions.c",
"net/openvswitch/flow_netlink.c",
"net/openvswitch/flow_netlink.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3415faa1fcb4150f29a72c5ecf959339d797feb7",
"status": "affected",
"version": "b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3",
"versionType": "git"
},
{
"lessThan": "3d2e7d3b28469081ccf08301df07cc411a1cc5e9",
"status": "affected",
"version": "b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3",
"versionType": "git"
},
{
"lessThan": "f95bef5ba0b88d971b02c776f24bd17544930a3a",
"status": "affected",
"version": "b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3",
"versionType": "git"
},
{
"lessThan": "87d2429381ddcf8cbd30c8c36793a4f7916d5f99",
"status": "affected",
"version": "b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3",
"versionType": "git"
},
{
"lessThan": "0b903f33c31c82b1c3591279fd8a23893802b987",
"status": "affected",
"version": "b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3",
"versionType": "git"
},
{
"lessThan": "9c61d8fe1350b7322f4953318165d6719c3b1475",
"status": "affected",
"version": "b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3",
"versionType": "git"
},
{
"lessThan": "4689ba45296dbb3a47e70a1bc2ed0328263e48f3",
"status": "affected",
"version": "b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3",
"versionType": "git"
},
{
"lessThan": "dfe28c4167a9259fc0c372d9f9473e1ac95cff67",
"status": "affected",
"version": "b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/openvswitch/actions.c",
"net/openvswitch/flow_netlink.c",
"net/openvswitch/flow_netlink.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: openvswitch: remove never-working support for setting nsh fields\n\nThe validation of the set(nsh(...)) action is completely wrong.\nIt runs through the nsh_key_put_from_nlattr() function that is the\nsame function that validates NSH keys for the flow match and the\npush_nsh() action. However, the set(nsh(...)) has a very different\nmemory layout. Nested attributes in there are doubled in size in\ncase of the masked set(). That makes proper validation impossible.\n\nThere is also confusion in the code between the \u0027masked\u0027 flag, that\nsays that the nested attributes are doubled in size containing both\nthe value and the mask, and the \u0027is_mask\u0027 that says that the value\nwe\u0027re parsing is the mask. This is causing kernel crash on trying to\nwrite into mask part of the match with SW_FLOW_KEY_PUT() during\nvalidation, while validate_nsh() doesn\u0027t allocate any memory for it:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000018\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 1c2383067 P4D 1c2383067 PUD 20b703067 PMD 0\n Oops: Oops: 0000 [#1] SMP NOPTI\n CPU: 8 UID: 0 Kdump: loaded Not tainted 6.17.0-rc4+ #107 PREEMPT(voluntary)\n RIP: 0010:nsh_key_put_from_nlattr+0x19d/0x610 [openvswitch]\n Call Trace:\n \u003cTASK\u003e\n validate_nsh+0x60/0x90 [openvswitch]\n validate_set.constprop.0+0x270/0x3c0 [openvswitch]\n __ovs_nla_copy_actions+0x477/0x860 [openvswitch]\n ovs_nla_copy_actions+0x8d/0x100 [openvswitch]\n ovs_packet_cmd_execute+0x1cc/0x310 [openvswitch]\n genl_family_rcv_msg_doit+0xdb/0x130\n genl_family_rcv_msg+0x14b/0x220\n genl_rcv_msg+0x47/0xa0\n netlink_rcv_skb+0x53/0x100\n genl_rcv+0x24/0x40\n netlink_unicast+0x280/0x3b0\n netlink_sendmsg+0x1f7/0x430\n ____sys_sendmsg+0x36b/0x3a0\n ___sys_sendmsg+0x87/0xd0\n __sys_sendmsg+0x6d/0xd0\n do_syscall_64+0x7b/0x2c0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThe third issue with this process is that while trying to convert\nthe non-masked set into masked one, validate_set() copies and doubles\nthe size of the OVS_KEY_ATTR_NSH as if it didn\u0027t have any nested\nattributes. It should be copying each nested attribute and doubling\nthem in size independently. And the process must be properly reversed\nduring the conversion back from masked to a non-masked variant during\nthe flow dump.\n\nIn the end, the only two outcomes of trying to use this action are\neither validation failure or a kernel crash. And if somehow someone\nmanages to install a flow with such an action, it will most definitely\nnot do what it is supposed to, since all the keys and the masks are\nmixed up.\n\nFixing all the issues is a complex task as it requires re-writing\nmost of the validation code.\n\nGiven that and the fact that this functionality never worked since\nintroduction, let\u0027s just remove it altogether. It\u0027s better to\nre-introduce it later with a proper implementation instead of trying\nto fix it in stable releases."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T21:38:52.361Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3415faa1fcb4150f29a72c5ecf959339d797feb7"
},
{
"url": "https://git.kernel.org/stable/c/3d2e7d3b28469081ccf08301df07cc411a1cc5e9"
},
{
"url": "https://git.kernel.org/stable/c/f95bef5ba0b88d971b02c776f24bd17544930a3a"
},
{
"url": "https://git.kernel.org/stable/c/87d2429381ddcf8cbd30c8c36793a4f7916d5f99"
},
{
"url": "https://git.kernel.org/stable/c/0b903f33c31c82b1c3591279fd8a23893802b987"
},
{
"url": "https://git.kernel.org/stable/c/9c61d8fe1350b7322f4953318165d6719c3b1475"
},
{
"url": "https://git.kernel.org/stable/c/4689ba45296dbb3a47e70a1bc2ed0328263e48f3"
},
{
"url": "https://git.kernel.org/stable/c/dfe28c4167a9259fc0c372d9f9473e1ac95cff67"
}
],
"title": "net: openvswitch: remove never-working support for setting nsh fields",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40254",
"datePublished": "2025-12-04T16:08:16.305Z",
"dateReserved": "2025-04-16T07:20:57.181Z",
"dateUpdated": "2025-12-06T21:38:52.361Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68255 (GCVE-0-2025-68255)
Vulnerability from cvelistv5
Published
2025-12-16 14:44
Modified
2026-02-09 08:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing
The Supported Rates IE length from an incoming Association Request frame
was used directly as the memcpy() length when copying into a fixed-size
16-byte stack buffer (supportRate). A malicious station can advertise an
IE length larger than 16 bytes, causing a stack buffer overflow.
Clamp ie_len to the buffer size before copying the Supported Rates IE,
and correct the bounds check when merging Extended Supported Rates to
prevent a second potential overflow.
This prevents kernel stack corruption triggered by malformed association
requests.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 554c0a3abf216c991c5ebddcdb2c08689ecd290b Version: 554c0a3abf216c991c5ebddcdb2c08689ecd290b Version: 554c0a3abf216c991c5ebddcdb2c08689ecd290b Version: 554c0a3abf216c991c5ebddcdb2c08689ecd290b Version: 554c0a3abf216c991c5ebddcdb2c08689ecd290b Version: 554c0a3abf216c991c5ebddcdb2c08689ecd290b Version: 554c0a3abf216c991c5ebddcdb2c08689ecd290b Version: 554c0a3abf216c991c5ebddcdb2c08689ecd290b |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/staging/rtl8723bs/core/rtw_mlme_ext.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "49b7806851f93fd342838c93f4f765e0cc5029b0",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "4445adedae770037078803d1ce41f9e88a1944b6",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "d129dc2a5d59b4d9cd2cc0b6eeb04df8461199f0",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "34620eb602aa432f090b2b784ee5c5070fb16cf9",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "61871c83259a511980ec2664964cecc69005398b",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "25411f5fcf5743131158f337c99c2bbf3f8477f5",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "e841d8ea722315b781c4fc5bf4f7670fbca88875",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "6ef0e1c10455927867cac8f0ed6b49f328f8cf95",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/staging/rtl8723bs/core/rtw_mlme_ext.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.62",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.62",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.12",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.1",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing\n\nThe Supported Rates IE length from an incoming Association Request frame\nwas used directly as the memcpy() length when copying into a fixed-size\n16-byte stack buffer (supportRate). A malicious station can advertise an\nIE length larger than 16 bytes, causing a stack buffer overflow.\n\nClamp ie_len to the buffer size before copying the Supported Rates IE,\nand correct the bounds check when merging Extended Supported Rates to\nprevent a second potential overflow.\n\nThis prevents kernel stack corruption triggered by malformed association\nrequests."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:31:08.339Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/49b7806851f93fd342838c93f4f765e0cc5029b0"
},
{
"url": "https://git.kernel.org/stable/c/4445adedae770037078803d1ce41f9e88a1944b6"
},
{
"url": "https://git.kernel.org/stable/c/d129dc2a5d59b4d9cd2cc0b6eeb04df8461199f0"
},
{
"url": "https://git.kernel.org/stable/c/34620eb602aa432f090b2b784ee5c5070fb16cf9"
},
{
"url": "https://git.kernel.org/stable/c/61871c83259a511980ec2664964cecc69005398b"
},
{
"url": "https://git.kernel.org/stable/c/25411f5fcf5743131158f337c99c2bbf3f8477f5"
},
{
"url": "https://git.kernel.org/stable/c/e841d8ea722315b781c4fc5bf4f7670fbca88875"
},
{
"url": "https://git.kernel.org/stable/c/6ef0e1c10455927867cac8f0ed6b49f328f8cf95"
}
],
"title": "staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68255",
"datePublished": "2025-12-16T14:44:58.031Z",
"dateReserved": "2025-12-16T13:41:40.267Z",
"dateUpdated": "2026-02-09T08:31:08.339Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23411 (GCVE-0-2026-23411)
Vulnerability from cvelistv5
Published
2026-04-01 08:36
Modified
2026-04-18 08:58
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
apparmor: fix race between freeing data and fs accessing it
AppArmor was putting the reference to i_private data on its end after
removing the original entry from the file system. However the inode
can aand does live beyond that point and it is possible that some of
the fs call back functions will be invoked after the reference has
been put, which results in a race between freeing the data and
accessing it through the fs.
While the rawdata/loaddata is the most likely candidate to fail the
race, as it has the fewest references. If properly crafted it might be
possible to trigger a race for the other types stored in i_private.
Fix this by moving the put of i_private referenced data to the correct
place which is during inode eviction.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: c961ee5f21b202dea60b63eeef945730d92e46a6 Version: c961ee5f21b202dea60b63eeef945730d92e46a6 Version: c961ee5f21b202dea60b63eeef945730d92e46a6 Version: c961ee5f21b202dea60b63eeef945730d92e46a6 Version: c961ee5f21b202dea60b63eeef945730d92e46a6 Version: c961ee5f21b202dea60b63eeef945730d92e46a6 Version: c961ee5f21b202dea60b63eeef945730d92e46a6 Version: c961ee5f21b202dea60b63eeef945730d92e46a6 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"security/apparmor/apparmorfs.c",
"security/apparmor/include/label.h",
"security/apparmor/include/lib.h",
"security/apparmor/include/policy.h",
"security/apparmor/include/policy_unpack.h",
"security/apparmor/label.c",
"security/apparmor/policy_unpack.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a92c5e5086a87d082696245a8607666da3d80554",
"status": "affected",
"version": "c961ee5f21b202dea60b63eeef945730d92e46a6",
"versionType": "git"
},
{
"lessThan": "667df93769c02ff581c77d2d8f162147e719c557",
"status": "affected",
"version": "c961ee5f21b202dea60b63eeef945730d92e46a6",
"versionType": "git"
},
{
"lessThan": "3ddb961d2929bbb3204a2bba21b5d8153cd3f7cc",
"status": "affected",
"version": "c961ee5f21b202dea60b63eeef945730d92e46a6",
"versionType": "git"
},
{
"lessThan": "ae10787d955fb255d381e0d5589451dd72c614b1",
"status": "affected",
"version": "c961ee5f21b202dea60b63eeef945730d92e46a6",
"versionType": "git"
},
{
"lessThan": "eecce026399917f6efa532c56bc7a3e9dd6ee68b",
"status": "affected",
"version": "c961ee5f21b202dea60b63eeef945730d92e46a6",
"versionType": "git"
},
{
"lessThan": "13bc2772414d68e94e273dea013181a986948ddf",
"status": "affected",
"version": "c961ee5f21b202dea60b63eeef945730d92e46a6",
"versionType": "git"
},
{
"lessThan": "2a732ed26fbd048e7925d227af8cf9ea43fb5cc9",
"status": "affected",
"version": "c961ee5f21b202dea60b63eeef945730d92e46a6",
"versionType": "git"
},
{
"lessThan": "8e135b8aee5a06c52a4347a5a6d51223c6f36ba3",
"status": "affected",
"version": "c961ee5f21b202dea60b63eeef945730d92e46a6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"security/apparmor/apparmorfs.c",
"security/apparmor/include/label.h",
"security/apparmor/include/lib.h",
"security/apparmor/include/policy.h",
"security/apparmor/include/policy_unpack.h",
"security/apparmor/label.c",
"security/apparmor/policy_unpack.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.18",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.8",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: fix race between freeing data and fs accessing it\n\nAppArmor was putting the reference to i_private data on its end after\nremoving the original entry from the file system. However the inode\ncan aand does live beyond that point and it is possible that some of\nthe fs call back functions will be invoked after the reference has\nbeen put, which results in a race between freeing the data and\naccessing it through the fs.\n\nWhile the rawdata/loaddata is the most likely candidate to fail the\nrace, as it has the fewest references. If properly crafted it might be\npossible to trigger a race for the other types stored in i_private.\n\nFix this by moving the put of i_private referenced data to the correct\nplace which is during inode eviction."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:58:47.307Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a92c5e5086a87d082696245a8607666da3d80554"
},
{
"url": "https://git.kernel.org/stable/c/667df93769c02ff581c77d2d8f162147e719c557"
},
{
"url": "https://git.kernel.org/stable/c/3ddb961d2929bbb3204a2bba21b5d8153cd3f7cc"
},
{
"url": "https://git.kernel.org/stable/c/ae10787d955fb255d381e0d5589451dd72c614b1"
},
{
"url": "https://git.kernel.org/stable/c/eecce026399917f6efa532c56bc7a3e9dd6ee68b"
},
{
"url": "https://git.kernel.org/stable/c/13bc2772414d68e94e273dea013181a986948ddf"
},
{
"url": "https://git.kernel.org/stable/c/2a732ed26fbd048e7925d227af8cf9ea43fb5cc9"
},
{
"url": "https://git.kernel.org/stable/c/8e135b8aee5a06c52a4347a5a6d51223c6f36ba3"
}
],
"title": "apparmor: fix race between freeing data and fs accessing it",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23411",
"datePublished": "2026-04-01T08:36:39.819Z",
"dateReserved": "2026-01-13T15:37:46.013Z",
"dateUpdated": "2026-04-18T08:58:47.307Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23105 (GCVE-0-2026-23105)
Vulnerability from cvelistv5
Published
2026-02-04 16:08
Modified
2026-04-03 13:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: qfq: Use cl_is_active to determine whether class is active in qfq_rm_from_ag
This is more of a preventive patch to make the code more consistent and
to prevent possible exploits that employ child qlen manipulations on qfq.
use cl_is_active instead of relying on the child qdisc's qlen to determine
class activation.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 462dbc9101acd38e92eda93c0726857517a24bbd Version: 462dbc9101acd38e92eda93c0726857517a24bbd Version: 462dbc9101acd38e92eda93c0726857517a24bbd Version: 462dbc9101acd38e92eda93c0726857517a24bbd Version: 462dbc9101acd38e92eda93c0726857517a24bbd Version: 462dbc9101acd38e92eda93c0726857517a24bbd Version: 462dbc9101acd38e92eda93c0726857517a24bbd |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_qfq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fac2c67bb2bb732eae4283e45fc338af7e08c254",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "b8c24cf5268fb3bfb8d16324c3dbb985f698c835",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "f27047abf7cac1b6f90c3ad60de21ef9f717c26d",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "93b8635974fb050c43d07e35e5edfe6e685ca28a",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "abd9fc26ea577561a5ef6241a1b058755ffdad0c",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "77f1afd0bb4d5da95236f6114e6d0dfcde187ff6",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "d837fbee92453fbb829f950c8e7cf76207d73f33",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_qfq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: qfq: Use cl_is_active to determine whether class is active in qfq_rm_from_ag\n\nThis is more of a preventive patch to make the code more consistent and\nto prevent possible exploits that employ child qlen manipulations on qfq.\nuse cl_is_active instead of relying on the child qdisc\u0027s qlen to determine\nclass activation."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T13:31:57.984Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fac2c67bb2bb732eae4283e45fc338af7e08c254"
},
{
"url": "https://git.kernel.org/stable/c/b8c24cf5268fb3bfb8d16324c3dbb985f698c835"
},
{
"url": "https://git.kernel.org/stable/c/f27047abf7cac1b6f90c3ad60de21ef9f717c26d"
},
{
"url": "https://git.kernel.org/stable/c/93b8635974fb050c43d07e35e5edfe6e685ca28a"
},
{
"url": "https://git.kernel.org/stable/c/abd9fc26ea577561a5ef6241a1b058755ffdad0c"
},
{
"url": "https://git.kernel.org/stable/c/77f1afd0bb4d5da95236f6114e6d0dfcde187ff6"
},
{
"url": "https://git.kernel.org/stable/c/d837fbee92453fbb829f950c8e7cf76207d73f33"
}
],
"title": "net/sched: qfq: Use cl_is_active to determine whether class is active in qfq_rm_from_ag",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23105",
"datePublished": "2026-02-04T16:08:26.376Z",
"dateReserved": "2026-01-13T15:37:45.966Z",
"dateUpdated": "2026-04-03T13:31:57.984Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68241 (GCVE-0-2025-68241)
Vulnerability from cvelistv5
Published
2025-12-16 14:21
Modified
2025-12-16 14:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe
The sit driver's packet transmission path calls: sit_tunnel_xmit() ->
update_or_create_fnhe(), which lead to fnhe_remove_oldest() being called
to delete entries exceeding FNHE_RECLAIM_DEPTH+random.
The race window is between fnhe_remove_oldest() selecting fnheX for
deletion and the subsequent kfree_rcu(). During this time, the
concurrent path's __mkroute_output() -> find_exception() can fetch the
soon-to-be-deleted fnheX, and rt_bind_exception() then binds it with a
new dst using a dst_hold(). When the original fnheX is freed via RCU,
the dst reference remains permanently leaked.
CPU 0 CPU 1
__mkroute_output()
find_exception() [fnheX]
update_or_create_fnhe()
fnhe_remove_oldest() [fnheX]
rt_bind_exception() [bind dst]
RCU callback [fnheX freed, dst leak]
This issue manifests as a device reference count leak and a warning in
dmesg when unregistering the net device:
unregister_netdevice: waiting for sitX to become free. Usage count = N
Ido Schimmel provided the simple test validation method [1].
The fix clears 'oldest->fnhe_daddr' before calling fnhe_flush_routes().
Since rt_bind_exception() checks this field, setting it to zero prevents
the stale fnhe from being reused and bound to a new dst just before it
is freed.
[1]
ip netns add ns1
ip -n ns1 link set dev lo up
ip -n ns1 address add 192.0.2.1/32 dev lo
ip -n ns1 link add name dummy1 up type dummy
ip -n ns1 route add 192.0.2.2/32 dev dummy1
ip -n ns1 link add name gretap1 up arp off type gretap \
local 192.0.2.1 remote 192.0.2.2
ip -n ns1 route add 198.51.0.0/16 dev gretap1
taskset -c 0 ip netns exec ns1 mausezahn gretap1 \
-A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q &
taskset -c 2 ip netns exec ns1 mausezahn gretap1 \
-A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q &
sleep 10
ip netns pids ns1 | xargs kill
ip netns del ns1
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: e46e23c289f62ccd8e2230d9ce652072d777ff30 Version: 5867e20e1808acd0c832ddea2587e5ee49813874 Version: 67d6d681e15b578c1725bad8ad079e05d1c48a8e Version: 67d6d681e15b578c1725bad8ad079e05d1c48a8e Version: 67d6d681e15b578c1725bad8ad079e05d1c48a8e Version: 67d6d681e15b578c1725bad8ad079e05d1c48a8e Version: 67d6d681e15b578c1725bad8ad079e05d1c48a8e Version: 67d6d681e15b578c1725bad8ad079e05d1c48a8e Version: bed8941fbdb72a61f6348c4deb0db69c4de87aca Version: f10ce783bcc4d8ea454563a7d56ae781640e7dcb Version: f484595be6b7ef9d095a32becabb5dae8204fb2a Version: 3e6bd2b583f18da9856fc9741ffa200a74a52cba Version: 5ae06218331f39ec45b5d039aa7cb3ddd4bb8008 Version: 4589a12dcf80af31137ef202be1ff4a321707a73 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "69d35c12168f9c59b159ae566f77dfad9f96d7ca",
"status": "affected",
"version": "e46e23c289f62ccd8e2230d9ce652072d777ff30",
"versionType": "git"
},
{
"lessThan": "4b7210da22429765d19460d38c30eeca72656282",
"status": "affected",
"version": "5867e20e1808acd0c832ddea2587e5ee49813874",
"versionType": "git"
},
{
"lessThan": "298f1e0694ab4edb6092d66efed93c4554e6ced1",
"status": "affected",
"version": "67d6d681e15b578c1725bad8ad079e05d1c48a8e",
"versionType": "git"
},
{
"lessThan": "b8a44407bdaf2f0c5505cc7d9fc7d8da90cf9a94",
"status": "affected",
"version": "67d6d681e15b578c1725bad8ad079e05d1c48a8e",
"versionType": "git"
},
{
"lessThan": "041ab9ca6e80d8f792bb69df28ebf1ef39c06af8",
"status": "affected",
"version": "67d6d681e15b578c1725bad8ad079e05d1c48a8e",
"versionType": "git"
},
{
"lessThan": "b84f083f50ecc736a95091691339a1b363962f0e",
"status": "affected",
"version": "67d6d681e15b578c1725bad8ad079e05d1c48a8e",
"versionType": "git"
},
{
"lessThan": "0fd16ed6dc331636fb2a874c42d2f7d3156f7ff0",
"status": "affected",
"version": "67d6d681e15b578c1725bad8ad079e05d1c48a8e",
"versionType": "git"
},
{
"lessThan": "ac1499fcd40fe06479e9b933347b837ccabc2a40",
"status": "affected",
"version": "67d6d681e15b578c1725bad8ad079e05d1c48a8e",
"versionType": "git"
},
{
"status": "affected",
"version": "bed8941fbdb72a61f6348c4deb0db69c4de87aca",
"versionType": "git"
},
{
"status": "affected",
"version": "f10ce783bcc4d8ea454563a7d56ae781640e7dcb",
"versionType": "git"
},
{
"status": "affected",
"version": "f484595be6b7ef9d095a32becabb5dae8204fb2a",
"versionType": "git"
},
{
"status": "affected",
"version": "3e6bd2b583f18da9856fc9741ffa200a74a52cba",
"versionType": "git"
},
{
"status": "affected",
"version": "5ae06218331f39ec45b5d039aa7cb3ddd4bb8008",
"versionType": "git"
},
{
"status": "affected",
"version": "4589a12dcf80af31137ef202be1ff4a321707a73",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "5.4.146",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.10.65",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.284",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.283",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.247",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.207",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.13.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.14.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe\n\nThe sit driver\u0027s packet transmission path calls: sit_tunnel_xmit() -\u003e\nupdate_or_create_fnhe(), which lead to fnhe_remove_oldest() being called\nto delete entries exceeding FNHE_RECLAIM_DEPTH+random.\n\nThe race window is between fnhe_remove_oldest() selecting fnheX for\ndeletion and the subsequent kfree_rcu(). During this time, the\nconcurrent path\u0027s __mkroute_output() -\u003e find_exception() can fetch the\nsoon-to-be-deleted fnheX, and rt_bind_exception() then binds it with a\nnew dst using a dst_hold(). When the original fnheX is freed via RCU,\nthe dst reference remains permanently leaked.\n\nCPU 0 CPU 1\n__mkroute_output()\n find_exception() [fnheX]\n update_or_create_fnhe()\n fnhe_remove_oldest() [fnheX]\n rt_bind_exception() [bind dst]\n RCU callback [fnheX freed, dst leak]\n\nThis issue manifests as a device reference count leak and a warning in\ndmesg when unregistering the net device:\n\n unregister_netdevice: waiting for sitX to become free. Usage count = N\n\nIdo Schimmel provided the simple test validation method [1].\n\nThe fix clears \u0027oldest-\u003efnhe_daddr\u0027 before calling fnhe_flush_routes().\nSince rt_bind_exception() checks this field, setting it to zero prevents\nthe stale fnhe from being reused and bound to a new dst just before it\nis freed.\n\n[1]\nip netns add ns1\nip -n ns1 link set dev lo up\nip -n ns1 address add 192.0.2.1/32 dev lo\nip -n ns1 link add name dummy1 up type dummy\nip -n ns1 route add 192.0.2.2/32 dev dummy1\nip -n ns1 link add name gretap1 up arp off type gretap \\\n local 192.0.2.1 remote 192.0.2.2\nip -n ns1 route add 198.51.0.0/16 dev gretap1\ntaskset -c 0 ip netns exec ns1 mausezahn gretap1 \\\n -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q \u0026\ntaskset -c 2 ip netns exec ns1 mausezahn gretap1 \\\n -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q \u0026\nsleep 10\nip netns pids ns1 | xargs kill\nip netns del ns1"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T14:21:18.682Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/69d35c12168f9c59b159ae566f77dfad9f96d7ca"
},
{
"url": "https://git.kernel.org/stable/c/4b7210da22429765d19460d38c30eeca72656282"
},
{
"url": "https://git.kernel.org/stable/c/298f1e0694ab4edb6092d66efed93c4554e6ced1"
},
{
"url": "https://git.kernel.org/stable/c/b8a44407bdaf2f0c5505cc7d9fc7d8da90cf9a94"
},
{
"url": "https://git.kernel.org/stable/c/041ab9ca6e80d8f792bb69df28ebf1ef39c06af8"
},
{
"url": "https://git.kernel.org/stable/c/b84f083f50ecc736a95091691339a1b363962f0e"
},
{
"url": "https://git.kernel.org/stable/c/0fd16ed6dc331636fb2a874c42d2f7d3156f7ff0"
},
{
"url": "https://git.kernel.org/stable/c/ac1499fcd40fe06479e9b933347b837ccabc2a40"
}
],
"title": "ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68241",
"datePublished": "2025-12-16T14:21:18.682Z",
"dateReserved": "2025-12-16T13:41:40.263Z",
"dateUpdated": "2025-12-16T14:21:18.682Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23056 (GCVE-0-2026-23056)
Vulnerability from cvelistv5
Published
2026-02-04 16:07
Modified
2026-02-09 08:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
uacce: implement mremap in uacce_vm_ops to return -EPERM
The current uacce_vm_ops does not support the mremap operation of
vm_operations_struct. Implement .mremap to return -EPERM to remind
users.
The reason we need to explicitly disable mremap is that when the
driver does not implement .mremap, it uses the default mremap
method. This could lead to a risk scenario:
An application might first mmap address p1, then mremap to p2,
followed by munmap(p1), and finally munmap(p2). Since the default
mremap copies the original vma's vm_private_data (i.e., q) to the
new vma, both munmap operations would trigger vma_close, causing
q->qfr to be freed twice(qfr will be set to null here, so repeated
release is ok).
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 015d239ac0142ad0e26567fd890ef8d171f13709 Version: 015d239ac0142ad0e26567fd890ef8d171f13709 Version: 015d239ac0142ad0e26567fd890ef8d171f13709 Version: 015d239ac0142ad0e26567fd890ef8d171f13709 Version: 015d239ac0142ad0e26567fd890ef8d171f13709 Version: 015d239ac0142ad0e26567fd890ef8d171f13709 Version: 015d239ac0142ad0e26567fd890ef8d171f13709 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/misc/uacce/uacce.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "78d99f062d42e3af2ca46bde1a8e46e0dfd372e3",
"status": "affected",
"version": "015d239ac0142ad0e26567fd890ef8d171f13709",
"versionType": "git"
},
{
"lessThan": "ebfa85658a39b49ec3901ceea7535b73aa0429e6",
"status": "affected",
"version": "015d239ac0142ad0e26567fd890ef8d171f13709",
"versionType": "git"
},
{
"lessThan": "75b29bdc935ff93b8e8bf6f6b4d8a4810b26e06f",
"status": "affected",
"version": "015d239ac0142ad0e26567fd890ef8d171f13709",
"versionType": "git"
},
{
"lessThan": "4c042bc71474dbe417c268f4bfb8ec196f802f07",
"status": "affected",
"version": "015d239ac0142ad0e26567fd890ef8d171f13709",
"versionType": "git"
},
{
"lessThan": "a407ddd61b3e6afc5ccfcd1478797171cf5686ee",
"status": "affected",
"version": "015d239ac0142ad0e26567fd890ef8d171f13709",
"versionType": "git"
},
{
"lessThan": "ba29b59d124e725e0377f09b2044909c91d657a1",
"status": "affected",
"version": "015d239ac0142ad0e26567fd890ef8d171f13709",
"versionType": "git"
},
{
"lessThan": "02695347be532b628f22488300d40c4eba48b9b7",
"status": "affected",
"version": "015d239ac0142ad0e26567fd890ef8d171f13709",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/misc/uacce/uacce.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nuacce: implement mremap in uacce_vm_ops to return -EPERM\n\nThe current uacce_vm_ops does not support the mremap operation of\nvm_operations_struct. Implement .mremap to return -EPERM to remind\nusers.\n\nThe reason we need to explicitly disable mremap is that when the\ndriver does not implement .mremap, it uses the default mremap\nmethod. This could lead to a risk scenario:\n\nAn application might first mmap address p1, then mremap to p2,\nfollowed by munmap(p1), and finally munmap(p2). Since the default\nmremap copies the original vma\u0027s vm_private_data (i.e., q) to the\nnew vma, both munmap operations would trigger vma_close, causing\nq-\u003eqfr to be freed twice(qfr will be set to null here, so repeated\nrelease is ok)."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:37:54.328Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/78d99f062d42e3af2ca46bde1a8e46e0dfd372e3"
},
{
"url": "https://git.kernel.org/stable/c/ebfa85658a39b49ec3901ceea7535b73aa0429e6"
},
{
"url": "https://git.kernel.org/stable/c/75b29bdc935ff93b8e8bf6f6b4d8a4810b26e06f"
},
{
"url": "https://git.kernel.org/stable/c/4c042bc71474dbe417c268f4bfb8ec196f802f07"
},
{
"url": "https://git.kernel.org/stable/c/a407ddd61b3e6afc5ccfcd1478797171cf5686ee"
},
{
"url": "https://git.kernel.org/stable/c/ba29b59d124e725e0377f09b2044909c91d657a1"
},
{
"url": "https://git.kernel.org/stable/c/02695347be532b628f22488300d40c4eba48b9b7"
}
],
"title": "uacce: implement mremap in uacce_vm_ops to return -EPERM",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23056",
"datePublished": "2026-02-04T16:07:34.787Z",
"dateReserved": "2026-01-13T15:37:45.951Z",
"dateUpdated": "2026-02-09T08:37:54.328Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40042 (GCVE-0-2025-40042)
Vulnerability from cvelistv5
Published
2025-10-28 11:48
Modified
2025-12-01 06:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tracing: Fix race condition in kprobe initialization causing NULL pointer dereference
There is a critical race condition in kprobe initialization that can lead to
NULL pointer dereference and kernel crash.
[1135630.084782] Unable to handle kernel paging request at virtual address 0000710a04630000
...
[1135630.260314] pstate: 404003c9 (nZcv DAIF +PAN -UAO)
[1135630.269239] pc : kprobe_perf_func+0x30/0x260
[1135630.277643] lr : kprobe_dispatcher+0x44/0x60
[1135630.286041] sp : ffffaeff4977fa40
[1135630.293441] x29: ffffaeff4977fa40 x28: ffffaf015340e400
[1135630.302837] x27: 0000000000000000 x26: 0000000000000000
[1135630.312257] x25: ffffaf029ed108a8 x24: ffffaf015340e528
[1135630.321705] x23: ffffaeff4977fc50 x22: ffffaeff4977fc50
[1135630.331154] x21: 0000000000000000 x20: ffffaeff4977fc50
[1135630.340586] x19: ffffaf015340e400 x18: 0000000000000000
[1135630.349985] x17: 0000000000000000 x16: 0000000000000000
[1135630.359285] x15: 0000000000000000 x14: 0000000000000000
[1135630.368445] x13: 0000000000000000 x12: 0000000000000000
[1135630.377473] x11: 0000000000000000 x10: 0000000000000000
[1135630.386411] x9 : 0000000000000000 x8 : 0000000000000000
[1135630.395252] x7 : 0000000000000000 x6 : 0000000000000000
[1135630.403963] x5 : 0000000000000000 x4 : 0000000000000000
[1135630.412545] x3 : 0000710a04630000 x2 : 0000000000000006
[1135630.421021] x1 : ffffaeff4977fc50 x0 : 0000710a04630000
[1135630.429410] Call trace:
[1135630.434828] kprobe_perf_func+0x30/0x260
[1135630.441661] kprobe_dispatcher+0x44/0x60
[1135630.448396] aggr_pre_handler+0x70/0xc8
[1135630.454959] kprobe_breakpoint_handler+0x140/0x1e0
[1135630.462435] brk_handler+0xbc/0xd8
[1135630.468437] do_debug_exception+0x84/0x138
[1135630.475074] el1_dbg+0x18/0x8c
[1135630.480582] security_file_permission+0x0/0xd0
[1135630.487426] vfs_write+0x70/0x1c0
[1135630.493059] ksys_write+0x5c/0xc8
[1135630.498638] __arm64_sys_write+0x24/0x30
[1135630.504821] el0_svc_common+0x78/0x130
[1135630.510838] el0_svc_handler+0x38/0x78
[1135630.516834] el0_svc+0x8/0x1b0
kernel/trace/trace_kprobe.c: 1308
0xffff3df8995039ec <kprobe_perf_func+0x2c>: ldr x21, [x24,#120]
include/linux/compiler.h: 294
0xffff3df8995039f0 <kprobe_perf_func+0x30>: ldr x1, [x21,x0]
kernel/trace/trace_kprobe.c
1308: head = this_cpu_ptr(call->perf_events);
1309: if (hlist_empty(head))
1310: return 0;
crash> struct trace_event_call -o
struct trace_event_call {
...
[120] struct hlist_head *perf_events; //(call->perf_event)
...
}
crash> struct trace_event_call ffffaf015340e528
struct trace_event_call {
...
perf_events = 0xffff0ad5fa89f088, //this value is correct, but x21 = 0
...
}
Race Condition Analysis:
The race occurs between kprobe activation and perf_events initialization:
CPU0 CPU1
==== ====
perf_kprobe_init
perf_trace_event_init
tp_event->perf_events = list;(1)
tp_event->class->reg (2)← KPROBE ACTIVE
Debug exception triggers
...
kprobe_dispatcher
kprobe_perf_func (tk->tp.flags & TP_FLAG_PROFILE)
head = this_cpu_ptr(call->perf_events)(3)
(perf_events is still NULL)
Problem:
1. CPU0 executes (1) assigning tp_event->perf_events = list
2. CPU0 executes (2) enabling kprobe functionality via class->reg()
3. CPU1 triggers and reaches kprobe_dispatcher
4. CPU1 checks TP_FLAG_PROFILE - condition passes (step 2 completed)
5. CPU1 calls kprobe_perf_func() and crashes at (3) because
call->perf_events is still NULL
CPU1 sees that kprobe functionality is enabled but does not see that
perf_events has been assigned.
Add pairing read an
---truncated---
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 50d780560785b068c358675c5f0bf6c83b5c373e Version: 50d780560785b068c358675c5f0bf6c83b5c373e Version: 50d780560785b068c358675c5f0bf6c83b5c373e Version: 50d780560785b068c358675c5f0bf6c83b5c373e Version: 50d780560785b068c358675c5f0bf6c83b5c373e Version: 50d780560785b068c358675c5f0bf6c83b5c373e Version: 50d780560785b068c358675c5f0bf6c83b5c373e Version: 50d780560785b068c358675c5f0bf6c83b5c373e |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace_fprobe.c",
"kernel/trace/trace_kprobe.c",
"kernel/trace/trace_probe.h",
"kernel/trace/trace_uprobe.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "07926ce598a95de6fd874a74fb510e2ebdfd0aae",
"status": "affected",
"version": "50d780560785b068c358675c5f0bf6c83b5c373e",
"versionType": "git"
},
{
"lessThan": "9c4951b691bb8d7a004acd010f45144391f85ea6",
"status": "affected",
"version": "50d780560785b068c358675c5f0bf6c83b5c373e",
"versionType": "git"
},
{
"lessThan": "95dd33361061f808d1f68616d69ada639e737cfa",
"status": "affected",
"version": "50d780560785b068c358675c5f0bf6c83b5c373e",
"versionType": "git"
},
{
"lessThan": "a6e89ada1ff6b70df73f579071ffa6ade8ae7f98",
"status": "affected",
"version": "50d780560785b068c358675c5f0bf6c83b5c373e",
"versionType": "git"
},
{
"lessThan": "1a301228c0a8aedc3154fb1a274456f487416b96",
"status": "affected",
"version": "50d780560785b068c358675c5f0bf6c83b5c373e",
"versionType": "git"
},
{
"lessThan": "0fa388ab2c290ef1115ff88ae88e881d0fb2db02",
"status": "affected",
"version": "50d780560785b068c358675c5f0bf6c83b5c373e",
"versionType": "git"
},
{
"lessThan": "5ebea6561649d30ec7a18fea23d7f76738dae916",
"status": "affected",
"version": "50d780560785b068c358675c5f0bf6c83b5c373e",
"versionType": "git"
},
{
"lessThan": "9cf9aa7b0acfde7545c1a1d912576e9bab28dc6f",
"status": "affected",
"version": "50d780560785b068c358675c5f0bf6c83b5c373e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace_fprobe.c",
"kernel/trace/trace_kprobe.c",
"kernel/trace/trace_probe.h",
"kernel/trace/trace_uprobe.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.33"
},
{
"lessThan": "2.6.33",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.33",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix race condition in kprobe initialization causing NULL pointer dereference\n\nThere is a critical race condition in kprobe initialization that can lead to\nNULL pointer dereference and kernel crash.\n\n[1135630.084782] Unable to handle kernel paging request at virtual address 0000710a04630000\n...\n[1135630.260314] pstate: 404003c9 (nZcv DAIF +PAN -UAO)\n[1135630.269239] pc : kprobe_perf_func+0x30/0x260\n[1135630.277643] lr : kprobe_dispatcher+0x44/0x60\n[1135630.286041] sp : ffffaeff4977fa40\n[1135630.293441] x29: ffffaeff4977fa40 x28: ffffaf015340e400\n[1135630.302837] x27: 0000000000000000 x26: 0000000000000000\n[1135630.312257] x25: ffffaf029ed108a8 x24: ffffaf015340e528\n[1135630.321705] x23: ffffaeff4977fc50 x22: ffffaeff4977fc50\n[1135630.331154] x21: 0000000000000000 x20: ffffaeff4977fc50\n[1135630.340586] x19: ffffaf015340e400 x18: 0000000000000000\n[1135630.349985] x17: 0000000000000000 x16: 0000000000000000\n[1135630.359285] x15: 0000000000000000 x14: 0000000000000000\n[1135630.368445] x13: 0000000000000000 x12: 0000000000000000\n[1135630.377473] x11: 0000000000000000 x10: 0000000000000000\n[1135630.386411] x9 : 0000000000000000 x8 : 0000000000000000\n[1135630.395252] x7 : 0000000000000000 x6 : 0000000000000000\n[1135630.403963] x5 : 0000000000000000 x4 : 0000000000000000\n[1135630.412545] x3 : 0000710a04630000 x2 : 0000000000000006\n[1135630.421021] x1 : ffffaeff4977fc50 x0 : 0000710a04630000\n[1135630.429410] Call trace:\n[1135630.434828] kprobe_perf_func+0x30/0x260\n[1135630.441661] kprobe_dispatcher+0x44/0x60\n[1135630.448396] aggr_pre_handler+0x70/0xc8\n[1135630.454959] kprobe_breakpoint_handler+0x140/0x1e0\n[1135630.462435] brk_handler+0xbc/0xd8\n[1135630.468437] do_debug_exception+0x84/0x138\n[1135630.475074] el1_dbg+0x18/0x8c\n[1135630.480582] security_file_permission+0x0/0xd0\n[1135630.487426] vfs_write+0x70/0x1c0\n[1135630.493059] ksys_write+0x5c/0xc8\n[1135630.498638] __arm64_sys_write+0x24/0x30\n[1135630.504821] el0_svc_common+0x78/0x130\n[1135630.510838] el0_svc_handler+0x38/0x78\n[1135630.516834] el0_svc+0x8/0x1b0\n\nkernel/trace/trace_kprobe.c: 1308\n0xffff3df8995039ec \u003ckprobe_perf_func+0x2c\u003e: ldr x21, [x24,#120]\ninclude/linux/compiler.h: 294\n0xffff3df8995039f0 \u003ckprobe_perf_func+0x30\u003e: ldr x1, [x21,x0]\n\nkernel/trace/trace_kprobe.c\n1308: head = this_cpu_ptr(call-\u003eperf_events);\n1309: if (hlist_empty(head))\n1310: \treturn 0;\n\ncrash\u003e struct trace_event_call -o\nstruct trace_event_call {\n ...\n [120] struct hlist_head *perf_events; //(call-\u003eperf_event)\n ...\n}\n\ncrash\u003e struct trace_event_call ffffaf015340e528\nstruct trace_event_call {\n ...\n perf_events = 0xffff0ad5fa89f088, //this value is correct, but x21 = 0\n ...\n}\n\nRace Condition Analysis:\n\nThe race occurs between kprobe activation and perf_events initialization:\n\n CPU0 CPU1\n ==== ====\n perf_kprobe_init\n perf_trace_event_init\n tp_event-\u003eperf_events = list;(1)\n tp_event-\u003eclass-\u003ereg (2)\u2190 KPROBE ACTIVE\n Debug exception triggers\n ...\n kprobe_dispatcher\n kprobe_perf_func (tk-\u003etp.flags \u0026 TP_FLAG_PROFILE)\n head = this_cpu_ptr(call-\u003eperf_events)(3)\n (perf_events is still NULL)\n\nProblem:\n1. CPU0 executes (1) assigning tp_event-\u003eperf_events = list\n2. CPU0 executes (2) enabling kprobe functionality via class-\u003ereg()\n3. CPU1 triggers and reaches kprobe_dispatcher\n4. CPU1 checks TP_FLAG_PROFILE - condition passes (step 2 completed)\n5. CPU1 calls kprobe_perf_func() and crashes at (3) because\n call-\u003eperf_events is still NULL\n\nCPU1 sees that kprobe functionality is enabled but does not see that\nperf_events has been assigned.\n\nAdd pairing read an\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:16:46.821Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/07926ce598a95de6fd874a74fb510e2ebdfd0aae"
},
{
"url": "https://git.kernel.org/stable/c/9c4951b691bb8d7a004acd010f45144391f85ea6"
},
{
"url": "https://git.kernel.org/stable/c/95dd33361061f808d1f68616d69ada639e737cfa"
},
{
"url": "https://git.kernel.org/stable/c/a6e89ada1ff6b70df73f579071ffa6ade8ae7f98"
},
{
"url": "https://git.kernel.org/stable/c/1a301228c0a8aedc3154fb1a274456f487416b96"
},
{
"url": "https://git.kernel.org/stable/c/0fa388ab2c290ef1115ff88ae88e881d0fb2db02"
},
{
"url": "https://git.kernel.org/stable/c/5ebea6561649d30ec7a18fea23d7f76738dae916"
},
{
"url": "https://git.kernel.org/stable/c/9cf9aa7b0acfde7545c1a1d912576e9bab28dc6f"
}
],
"title": "tracing: Fix race condition in kprobe initialization causing NULL pointer dereference",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40042",
"datePublished": "2025-10-28T11:48:21.638Z",
"dateReserved": "2025-04-16T07:20:57.154Z",
"dateUpdated": "2025-12-01T06:16:46.821Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40085 (GCVE-0-2025-40085)
Vulnerability from cvelistv5
Published
2025-10-29 13:37
Modified
2025-12-01 06:17
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: usb-audio: Fix NULL pointer deference in try_to_register_card
In try_to_register_card(), the return value of usb_ifnum_to_if() is
passed directly to usb_interface_claimed() without a NULL check, which
will lead to a NULL pointer dereference when creating an invalid
USB audio device. Fix this by adding a check to ensure the interface
pointer is valid before passing it to usb_interface_claimed().
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 28787ff9fbeaf57684eb64cc33e2ec8ceedf21b5 Version: 39efc9c8a973ddff5918191525d1679d0fb368ea Version: 39efc9c8a973ddff5918191525d1679d0fb368ea Version: 39efc9c8a973ddff5918191525d1679d0fb368ea Version: 39efc9c8a973ddff5918191525d1679d0fb368ea Version: 39efc9c8a973ddff5918191525d1679d0fb368ea Version: 9d4f4dc3cd38e412c29a7626489fe48b79ebbf6c Version: 52076a41c128146c9df4a157e972cb17019313b1 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/usb/card.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "736159f7b296d7a95f7208eb4799639b1f8b16a0",
"status": "affected",
"version": "28787ff9fbeaf57684eb64cc33e2ec8ceedf21b5",
"versionType": "git"
},
{
"lessThan": "8d19a7ab28c7b9c207db5c5282afa8cc8595bcdb",
"status": "affected",
"version": "39efc9c8a973ddff5918191525d1679d0fb368ea",
"versionType": "git"
},
{
"lessThan": "576312eb436326b44b7010f4d9ae2b698df075ea",
"status": "affected",
"version": "39efc9c8a973ddff5918191525d1679d0fb368ea",
"versionType": "git"
},
{
"lessThan": "bba7208765d26e5e36b87f21dacc2780b064f41f",
"status": "affected",
"version": "39efc9c8a973ddff5918191525d1679d0fb368ea",
"versionType": "git"
},
{
"lessThan": "8503ac1a62075a085402e42a386b5c627c821a51",
"status": "affected",
"version": "39efc9c8a973ddff5918191525d1679d0fb368ea",
"versionType": "git"
},
{
"lessThan": "28412b489b088fb88dff488305fd4e56bd47f6e4",
"status": "affected",
"version": "39efc9c8a973ddff5918191525d1679d0fb368ea",
"versionType": "git"
},
{
"status": "affected",
"version": "9d4f4dc3cd38e412c29a7626489fe48b79ebbf6c",
"versionType": "git"
},
{
"status": "affected",
"version": "52076a41c128146c9df4a157e972cb17019313b1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/usb/card.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.196",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.114",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.196",
"versionStartIncluding": "5.15.75",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.114",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.55",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.5",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.19.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.0.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Fix NULL pointer deference in try_to_register_card\n\nIn try_to_register_card(), the return value of usb_ifnum_to_if() is\npassed directly to usb_interface_claimed() without a NULL check, which\nwill lead to a NULL pointer dereference when creating an invalid\nUSB audio device. Fix this by adding a check to ensure the interface\npointer is valid before passing it to usb_interface_claimed()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:17:42.458Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/736159f7b296d7a95f7208eb4799639b1f8b16a0"
},
{
"url": "https://git.kernel.org/stable/c/8d19a7ab28c7b9c207db5c5282afa8cc8595bcdb"
},
{
"url": "https://git.kernel.org/stable/c/576312eb436326b44b7010f4d9ae2b698df075ea"
},
{
"url": "https://git.kernel.org/stable/c/bba7208765d26e5e36b87f21dacc2780b064f41f"
},
{
"url": "https://git.kernel.org/stable/c/8503ac1a62075a085402e42a386b5c627c821a51"
},
{
"url": "https://git.kernel.org/stable/c/28412b489b088fb88dff488305fd4e56bd47f6e4"
}
],
"title": "ALSA: usb-audio: Fix NULL pointer deference in try_to_register_card",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40085",
"datePublished": "2025-10-29T13:37:04.707Z",
"dateReserved": "2025-04-16T07:20:57.161Z",
"dateUpdated": "2025-12-01T06:17:42.458Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23170 (GCVE-0-2026-23170)
Vulnerability from cvelistv5
Published
2026-02-14 16:01
Modified
2026-02-14 16:01
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/imx/tve: fix probe device leak
Make sure to drop the reference taken to the DDC device during probe on
probe failure (e.g. probe deferral) and on driver unbind.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: fcbc51e54d2aa9d402206601f4894251049e5d77 Version: fcbc51e54d2aa9d402206601f4894251049e5d77 Version: fcbc51e54d2aa9d402206601f4894251049e5d77 Version: fcbc51e54d2aa9d402206601f4894251049e5d77 Version: fcbc51e54d2aa9d402206601f4894251049e5d77 Version: fcbc51e54d2aa9d402206601f4894251049e5d77 Version: fcbc51e54d2aa9d402206601f4894251049e5d77 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/imx/ipuv3/imx-tve.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f212652982c6725986cfa42fbf10d1dfa92c010e",
"status": "affected",
"version": "fcbc51e54d2aa9d402206601f4894251049e5d77",
"versionType": "git"
},
{
"lessThan": "52755c5680ce333b33d0750a200fbc99420ed2b2",
"status": "affected",
"version": "fcbc51e54d2aa9d402206601f4894251049e5d77",
"versionType": "git"
},
{
"lessThan": "4aaff8f6ab38f81e00ab8aa1fcfb7eb20cd87ba1",
"status": "affected",
"version": "fcbc51e54d2aa9d402206601f4894251049e5d77",
"versionType": "git"
},
{
"lessThan": "9a15d3fdc22d48f597792aee0cf1bf0947fc62e6",
"status": "affected",
"version": "fcbc51e54d2aa9d402206601f4894251049e5d77",
"versionType": "git"
},
{
"lessThan": "77365382585b40559d63538d09e26e4b2af28fbc",
"status": "affected",
"version": "fcbc51e54d2aa9d402206601f4894251049e5d77",
"versionType": "git"
},
{
"lessThan": "ca68745e820ecd210e3ab018497c9e6b69025c4b",
"status": "affected",
"version": "fcbc51e54d2aa9d402206601f4894251049e5d77",
"versionType": "git"
},
{
"lessThan": "e535c23513c63f02f67e3e09e0787907029efeaf",
"status": "affected",
"version": "fcbc51e54d2aa9d402206601f4894251049e5d77",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/imx/ipuv3/imx-tve.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.10"
},
{
"lessThan": "3.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.123",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.69",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.123",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.69",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.9",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/imx/tve: fix probe device leak\n\nMake sure to drop the reference taken to the DDC device during probe on\nprobe failure (e.g. probe deferral) and on driver unbind."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T16:01:32.833Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f212652982c6725986cfa42fbf10d1dfa92c010e"
},
{
"url": "https://git.kernel.org/stable/c/52755c5680ce333b33d0750a200fbc99420ed2b2"
},
{
"url": "https://git.kernel.org/stable/c/4aaff8f6ab38f81e00ab8aa1fcfb7eb20cd87ba1"
},
{
"url": "https://git.kernel.org/stable/c/9a15d3fdc22d48f597792aee0cf1bf0947fc62e6"
},
{
"url": "https://git.kernel.org/stable/c/77365382585b40559d63538d09e26e4b2af28fbc"
},
{
"url": "https://git.kernel.org/stable/c/ca68745e820ecd210e3ab018497c9e6b69025c4b"
},
{
"url": "https://git.kernel.org/stable/c/e535c23513c63f02f67e3e09e0787907029efeaf"
}
],
"title": "drm/imx/tve: fix probe device leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23170",
"datePublished": "2026-02-14T16:01:32.833Z",
"dateReserved": "2026-01-13T15:37:45.982Z",
"dateUpdated": "2026-02-14T16:01:32.833Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23121 (GCVE-0-2026-23121)
Vulnerability from cvelistv5
Published
2026-02-14 15:09
Modified
2026-02-14 15:09
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mISDN: annotate data-race around dev->work
dev->work can re read locklessly in mISDN_read()
and mISDN_poll(). Add READ_ONCE()/WRITE_ONCE() annotations.
BUG: KCSAN: data-race in mISDN_ioctl / mISDN_read
write to 0xffff88812d848280 of 4 bytes by task 10864 on cpu 1:
misdn_add_timer drivers/isdn/mISDN/timerdev.c:175 [inline]
mISDN_ioctl+0x2fb/0x550 drivers/isdn/mISDN/timerdev.c:233
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl+0xce/0x140 fs/ioctl.c:583
__x64_sys_ioctl+0x43/0x50 fs/ioctl.c:583
x64_sys_call+0x14b0/0x3000 arch/x86/include/generated/asm/syscalls_64.h:17
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd8/0x2c0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
read to 0xffff88812d848280 of 4 bytes by task 10857 on cpu 0:
mISDN_read+0x1f2/0x470 drivers/isdn/mISDN/timerdev.c:112
do_loop_readv_writev fs/read_write.c:847 [inline]
vfs_readv+0x3fb/0x690 fs/read_write.c:1020
do_readv+0xe7/0x210 fs/read_write.c:1080
__do_sys_readv fs/read_write.c:1165 [inline]
__se_sys_readv fs/read_write.c:1162 [inline]
__x64_sys_readv+0x45/0x50 fs/read_write.c:1162
x64_sys_call+0x2831/0x3000 arch/x86/include/generated/asm/syscalls_64.h:20
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd8/0x2c0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
value changed: 0x00000000 -> 0x00000001
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1b2b03f8e514e4f68e293846ba511a948b80243c Version: 1b2b03f8e514e4f68e293846ba511a948b80243c Version: 1b2b03f8e514e4f68e293846ba511a948b80243c Version: 1b2b03f8e514e4f68e293846ba511a948b80243c Version: 1b2b03f8e514e4f68e293846ba511a948b80243c Version: 1b2b03f8e514e4f68e293846ba511a948b80243c Version: 1b2b03f8e514e4f68e293846ba511a948b80243c |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/isdn/mISDN/timerdev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d5d99cb9e0839093cd53aa3b28176fce2f820ca0",
"status": "affected",
"version": "1b2b03f8e514e4f68e293846ba511a948b80243c",
"versionType": "git"
},
{
"lessThan": "13f3b3b87068898056db4c79ee67052fbde11d43",
"status": "affected",
"version": "1b2b03f8e514e4f68e293846ba511a948b80243c",
"versionType": "git"
},
{
"lessThan": "accc3f8266d2a49881dbcf78c459477f4efa0ff3",
"status": "affected",
"version": "1b2b03f8e514e4f68e293846ba511a948b80243c",
"versionType": "git"
},
{
"lessThan": "fc8ba17fd3337bd8b1913c30b95df0fee00d8fb7",
"status": "affected",
"version": "1b2b03f8e514e4f68e293846ba511a948b80243c",
"versionType": "git"
},
{
"lessThan": "aa6e33cd74ca4965f2bbcb025e0b672fb0168a69",
"status": "affected",
"version": "1b2b03f8e514e4f68e293846ba511a948b80243c",
"versionType": "git"
},
{
"lessThan": "7ac345a93af31358e18e9606eb7b354691bf6757",
"status": "affected",
"version": "1b2b03f8e514e4f68e293846ba511a948b80243c",
"versionType": "git"
},
{
"lessThan": "8175dbf174d487afab81e936a862a8d9b8a1ccb6",
"status": "affected",
"version": "1b2b03f8e514e4f68e293846ba511a948b80243c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/isdn/mISDN/timerdev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.27"
},
{
"lessThan": "2.6.27",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.27",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmISDN: annotate data-race around dev-\u003ework\n\ndev-\u003ework can re read locklessly in mISDN_read()\nand mISDN_poll(). Add READ_ONCE()/WRITE_ONCE() annotations.\n\nBUG: KCSAN: data-race in mISDN_ioctl / mISDN_read\n\nwrite to 0xffff88812d848280 of 4 bytes by task 10864 on cpu 1:\n misdn_add_timer drivers/isdn/mISDN/timerdev.c:175 [inline]\n mISDN_ioctl+0x2fb/0x550 drivers/isdn/mISDN/timerdev.c:233\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:597 [inline]\n __se_sys_ioctl+0xce/0x140 fs/ioctl.c:583\n __x64_sys_ioctl+0x43/0x50 fs/ioctl.c:583\n x64_sys_call+0x14b0/0x3000 arch/x86/include/generated/asm/syscalls_64.h:17\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xd8/0x2c0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nread to 0xffff88812d848280 of 4 bytes by task 10857 on cpu 0:\n mISDN_read+0x1f2/0x470 drivers/isdn/mISDN/timerdev.c:112\n do_loop_readv_writev fs/read_write.c:847 [inline]\n vfs_readv+0x3fb/0x690 fs/read_write.c:1020\n do_readv+0xe7/0x210 fs/read_write.c:1080\n __do_sys_readv fs/read_write.c:1165 [inline]\n __se_sys_readv fs/read_write.c:1162 [inline]\n __x64_sys_readv+0x45/0x50 fs/read_write.c:1162\n x64_sys_call+0x2831/0x3000 arch/x86/include/generated/asm/syscalls_64.h:20\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xd8/0x2c0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nvalue changed: 0x00000000 -\u003e 0x00000001"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T15:09:51.912Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d5d99cb9e0839093cd53aa3b28176fce2f820ca0"
},
{
"url": "https://git.kernel.org/stable/c/13f3b3b87068898056db4c79ee67052fbde11d43"
},
{
"url": "https://git.kernel.org/stable/c/accc3f8266d2a49881dbcf78c459477f4efa0ff3"
},
{
"url": "https://git.kernel.org/stable/c/fc8ba17fd3337bd8b1913c30b95df0fee00d8fb7"
},
{
"url": "https://git.kernel.org/stable/c/aa6e33cd74ca4965f2bbcb025e0b672fb0168a69"
},
{
"url": "https://git.kernel.org/stable/c/7ac345a93af31358e18e9606eb7b354691bf6757"
},
{
"url": "https://git.kernel.org/stable/c/8175dbf174d487afab81e936a862a8d9b8a1ccb6"
}
],
"title": "mISDN: annotate data-race around dev-\u003ework",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23121",
"datePublished": "2026-02-14T15:09:51.912Z",
"dateReserved": "2026-01-13T15:37:45.970Z",
"dateUpdated": "2026-02-14T15:09:51.912Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23111 (GCVE-0-2026-23111)
Vulnerability from cvelistv5
Published
2026-02-13 13:29
Modified
2026-04-03 13:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()
nft_map_catchall_activate() has an inverted element activity check
compared to its non-catchall counterpart nft_mapelem_activate() and
compared to what is logically required.
nft_map_catchall_activate() is called from the abort path to re-activate
catchall map elements that were deactivated during a failed transaction.
It should skip elements that are already active (they don't need
re-activation) and process elements that are inactive (they need to be
restored). Instead, the current code does the opposite: it skips inactive
elements and processes active ones.
Compare the non-catchall activate callback, which is correct:
nft_mapelem_activate():
if (nft_set_elem_active(ext, iter->genmask))
return 0; /* skip active, process inactive */
With the buggy catchall version:
nft_map_catchall_activate():
if (!nft_set_elem_active(ext, genmask))
continue; /* skip inactive, process active */
The consequence is that when a DELSET operation is aborted,
nft_setelem_data_activate() is never called for the catchall element.
For NFT_GOTO verdict elements, this means nft_data_hold() is never
called to restore the chain->use reference count. Each abort cycle
permanently decrements chain->use. Once chain->use reaches zero,
DELCHAIN succeeds and frees the chain while catchall verdict elements
still reference it, resulting in a use-after-free.
This is exploitable for local privilege escalation from an unprivileged
user via user namespaces + nftables on distributions that enable
CONFIG_USER_NS and CONFIG_NF_TABLES.
Fix by removing the negation so the check matches nft_mapelem_activate():
skip active elements, process inactive ones.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 25aa2ad37c2162be1c0bc4fe6397f7e4c13f00f8 Version: d60be2da67d172aecf866302c91ea11533eca4d9 Version: 628bd3e49cba1c066228e23d71a852c23e26da73 Version: 628bd3e49cba1c066228e23d71a852c23e26da73 Version: 628bd3e49cba1c066228e23d71a852c23e26da73 Version: 628bd3e49cba1c066228e23d71a852c23e26da73 Version: bc9f791d2593f17e39f87c6e2b3a36549a3705b1 Version: 3c7ec098e3b588434a8b07ea9b5b36f04cef1f50 Version: a136b7942ad2a50de708f76ea299ccb45ac7a7f9 Version: dc7cdf8cbcbf8b13de1df93f356ec04cdeef5c41 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_tables_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8c760ba4e36c750379d13569f23f5a6e185333f5",
"status": "affected",
"version": "25aa2ad37c2162be1c0bc4fe6397f7e4c13f00f8",
"versionType": "git"
},
{
"lessThan": "b9b6573421de51829f7ec1cce76d85f5f6fbbd7f",
"status": "affected",
"version": "d60be2da67d172aecf866302c91ea11533eca4d9",
"versionType": "git"
},
{
"lessThan": "42c574c1504aa089a0a142e4c13859327570473d",
"status": "affected",
"version": "628bd3e49cba1c066228e23d71a852c23e26da73",
"versionType": "git"
},
{
"lessThan": "1444ff890b4653add12f734ffeffc173d42862dd",
"status": "affected",
"version": "628bd3e49cba1c066228e23d71a852c23e26da73",
"versionType": "git"
},
{
"lessThan": "8b68a45f9722f2babe9e7bad00aa74638addf081",
"status": "affected",
"version": "628bd3e49cba1c066228e23d71a852c23e26da73",
"versionType": "git"
},
{
"lessThan": "f41c5d151078c5348271ffaf8e7410d96f2d82f8",
"status": "affected",
"version": "628bd3e49cba1c066228e23d71a852c23e26da73",
"versionType": "git"
},
{
"status": "affected",
"version": "bc9f791d2593f17e39f87c6e2b3a36549a3705b1",
"versionType": "git"
},
{
"status": "affected",
"version": "3c7ec098e3b588434a8b07ea9b5b36f04cef1f50",
"versionType": "git"
},
{
"status": "affected",
"version": "a136b7942ad2a50de708f76ea299ccb45ac7a7f9",
"versionType": "git"
},
{
"status": "affected",
"version": "dc7cdf8cbcbf8b13de1df93f356ec04cdeef5c41",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_tables_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.200",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.200",
"versionStartIncluding": "5.15.121",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.163",
"versionStartIncluding": "6.1.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.316",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.262",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.188",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()\n\nnft_map_catchall_activate() has an inverted element activity check\ncompared to its non-catchall counterpart nft_mapelem_activate() and\ncompared to what is logically required.\n\nnft_map_catchall_activate() is called from the abort path to re-activate\ncatchall map elements that were deactivated during a failed transaction.\nIt should skip elements that are already active (they don\u0027t need\nre-activation) and process elements that are inactive (they need to be\nrestored). Instead, the current code does the opposite: it skips inactive\nelements and processes active ones.\n\nCompare the non-catchall activate callback, which is correct:\n\n nft_mapelem_activate():\n if (nft_set_elem_active(ext, iter-\u003egenmask))\n return 0; /* skip active, process inactive */\n\nWith the buggy catchall version:\n\n nft_map_catchall_activate():\n if (!nft_set_elem_active(ext, genmask))\n continue; /* skip inactive, process active */\n\nThe consequence is that when a DELSET operation is aborted,\nnft_setelem_data_activate() is never called for the catchall element.\nFor NFT_GOTO verdict elements, this means nft_data_hold() is never\ncalled to restore the chain-\u003euse reference count. Each abort cycle\npermanently decrements chain-\u003euse. Once chain-\u003euse reaches zero,\nDELCHAIN succeeds and frees the chain while catchall verdict elements\nstill reference it, resulting in a use-after-free.\n\nThis is exploitable for local privilege escalation from an unprivileged\nuser via user namespaces + nftables on distributions that enable\nCONFIG_USER_NS and CONFIG_NF_TABLES.\n\nFix by removing the negation so the check matches nft_mapelem_activate():\nskip active elements, process inactive ones."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T13:31:59.219Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8c760ba4e36c750379d13569f23f5a6e185333f5"
},
{
"url": "https://git.kernel.org/stable/c/b9b6573421de51829f7ec1cce76d85f5f6fbbd7f"
},
{
"url": "https://git.kernel.org/stable/c/42c574c1504aa089a0a142e4c13859327570473d"
},
{
"url": "https://git.kernel.org/stable/c/1444ff890b4653add12f734ffeffc173d42862dd"
},
{
"url": "https://git.kernel.org/stable/c/8b68a45f9722f2babe9e7bad00aa74638addf081"
},
{
"url": "https://git.kernel.org/stable/c/f41c5d151078c5348271ffaf8e7410d96f2d82f8"
}
],
"title": "netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23111",
"datePublished": "2026-02-13T13:29:55.895Z",
"dateReserved": "2026-01-13T15:37:45.968Z",
"dateUpdated": "2026-04-03T13:31:59.219Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23405 (GCVE-0-2026-23405)
Vulnerability from cvelistv5
Published
2026-04-01 08:36
Modified
2026-04-18 08:58
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
apparmor: fix: limit the number of levels of policy namespaces
Currently the number of policy namespaces is not bounded relying on
the user namespace limit. However policy namespaces aren't strictly
tied to user namespaces and it is possible to create them and nest
them arbitrarily deep which can be used to exhaust system resource.
Hard cap policy namespaces to the same depth as user namespaces.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: c88d4c7b049e87998ac0a9f455aa545cc895ef92 Version: c88d4c7b049e87998ac0a9f455aa545cc895ef92 Version: c88d4c7b049e87998ac0a9f455aa545cc895ef92 Version: c88d4c7b049e87998ac0a9f455aa545cc895ef92 Version: c88d4c7b049e87998ac0a9f455aa545cc895ef92 Version: c88d4c7b049e87998ac0a9f455aa545cc895ef92 Version: c88d4c7b049e87998ac0a9f455aa545cc895ef92 Version: c88d4c7b049e87998ac0a9f455aa545cc895ef92 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"security/apparmor/include/policy_ns.h",
"security/apparmor/policy_ns.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6b396cc2f0365e684fc1d3547d18ef79fcee225d",
"status": "affected",
"version": "c88d4c7b049e87998ac0a9f455aa545cc895ef92",
"versionType": "git"
},
{
"lessThan": "87d0cecc900e55d55fc4dbfb43ac93e269c7a5b3",
"status": "affected",
"version": "c88d4c7b049e87998ac0a9f455aa545cc895ef92",
"versionType": "git"
},
{
"lessThan": "b1226e37eb3754d389721c135db6107db94c7a72",
"status": "affected",
"version": "c88d4c7b049e87998ac0a9f455aa545cc895ef92",
"versionType": "git"
},
{
"lessThan": "3f8699b3ee0c04b4b9bc27b82cd89a40e81e1d2e",
"status": "affected",
"version": "c88d4c7b049e87998ac0a9f455aa545cc895ef92",
"versionType": "git"
},
{
"lessThan": "853ce31ca72097d23991a06876a2ccb5cb64b603",
"status": "affected",
"version": "c88d4c7b049e87998ac0a9f455aa545cc895ef92",
"versionType": "git"
},
{
"lessThan": "d42b2b6bb77ca40ee34ab74ad79305840b5f315d",
"status": "affected",
"version": "c88d4c7b049e87998ac0a9f455aa545cc895ef92",
"versionType": "git"
},
{
"lessThan": "7b6495ead2c611647f6b11441a852324e3eb8616",
"status": "affected",
"version": "c88d4c7b049e87998ac0a9f455aa545cc895ef92",
"versionType": "git"
},
{
"lessThan": "306039414932c80f8420695a24d4fe10c84ccfb2",
"status": "affected",
"version": "c88d4c7b049e87998ac0a9f455aa545cc895ef92",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"security/apparmor/include/policy_ns.h",
"security/apparmor/policy_ns.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.36"
},
{
"lessThan": "2.6.36",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.18",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.8",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.36",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: fix: limit the number of levels of policy namespaces\n\nCurrently the number of policy namespaces is not bounded relying on\nthe user namespace limit. However policy namespaces aren\u0027t strictly\ntied to user namespaces and it is possible to create them and nest\nthem arbitrarily deep which can be used to exhaust system resource.\n\nHard cap policy namespaces to the same depth as user namespaces."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:58:39.212Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6b396cc2f0365e684fc1d3547d18ef79fcee225d"
},
{
"url": "https://git.kernel.org/stable/c/87d0cecc900e55d55fc4dbfb43ac93e269c7a5b3"
},
{
"url": "https://git.kernel.org/stable/c/b1226e37eb3754d389721c135db6107db94c7a72"
},
{
"url": "https://git.kernel.org/stable/c/3f8699b3ee0c04b4b9bc27b82cd89a40e81e1d2e"
},
{
"url": "https://git.kernel.org/stable/c/853ce31ca72097d23991a06876a2ccb5cb64b603"
},
{
"url": "https://git.kernel.org/stable/c/d42b2b6bb77ca40ee34ab74ad79305840b5f315d"
},
{
"url": "https://git.kernel.org/stable/c/7b6495ead2c611647f6b11441a852324e3eb8616"
},
{
"url": "https://git.kernel.org/stable/c/306039414932c80f8420695a24d4fe10c84ccfb2"
}
],
"title": "apparmor: fix: limit the number of levels of policy namespaces",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23405",
"datePublished": "2026-04-01T08:36:35.697Z",
"dateReserved": "2026-01-13T15:37:46.012Z",
"dateUpdated": "2026-04-18T08:58:39.212Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71150 (GCVE-0-2025-71150)
Vulnerability from cvelistv5
Published
2026-01-23 14:15
Modified
2026-04-18 08:57
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: Fix refcount leak when invalid session is found on session lookup
When a session is found but its state is not SMB2_SESSION_VALID, It
indicates that no valid session was found, but it is missing to decrement
the reference count acquired by the session lookup, which results in
a reference count leak. This patch fixes the issue by explicitly calling
ksmbd_user_session_put to release the reference to the session.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 2107ab40629aeabbec369cf34b8cf0f288c3eb1b Version: 37a0e2b362b3150317fb6e2139de67b1e29ae5ff Version: 450a844c045ff0895d41b05a1cbe8febd1acfcfd Version: a39e31e22a535d47b14656a7d6a893c7f6cf758c Version: b95629435b84b9ecc0c765995204a4d8a913ed52 Version: b95629435b84b9ecc0c765995204a4d8a913ed52 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/mgmt/user_session.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "11fe566b442e3bc2774191740fd377739a87a1c0",
"status": "affected",
"version": "2107ab40629aeabbec369cf34b8cf0f288c3eb1b",
"versionType": "git"
},
{
"lessThan": "0fb87b28cafae71e9c8248432cc3a6a1fd759efc",
"status": "affected",
"version": "37a0e2b362b3150317fb6e2139de67b1e29ae5ff",
"versionType": "git"
},
{
"lessThan": "e54fb2a4772545701766cba08aab20de5eace8cd",
"status": "affected",
"version": "450a844c045ff0895d41b05a1cbe8febd1acfcfd",
"versionType": "git"
},
{
"lessThan": "02e06785e85b4bd86ef3d23b7c8d87acc76773d5",
"status": "affected",
"version": "a39e31e22a535d47b14656a7d6a893c7f6cf758c",
"versionType": "git"
},
{
"lessThan": "8cabcb4dd3dc85dd83a37d26efcc59a66a4074d7",
"status": "affected",
"version": "b95629435b84b9ecc0c765995204a4d8a913ed52",
"versionType": "git"
},
{
"lessThan": "cafb57f7bdd57abba87725eb4e82bbdca4959644",
"status": "affected",
"version": "b95629435b84b9ecc0c765995204a4d8a913ed52",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/mgmt/user_session.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.13"
},
{
"lessThan": "6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.15.176",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "6.1.121",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.6.67",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.12.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: Fix refcount leak when invalid session is found on session lookup\n\nWhen a session is found but its state is not SMB2_SESSION_VALID, It\nindicates that no valid session was found, but it is missing to decrement\nthe reference count acquired by the session lookup, which results in\na reference count leak. This patch fixes the issue by explicitly calling\nksmbd_user_session_put to release the reference to the session."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:57:13.286Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/11fe566b442e3bc2774191740fd377739a87a1c0"
},
{
"url": "https://git.kernel.org/stable/c/0fb87b28cafae71e9c8248432cc3a6a1fd759efc"
},
{
"url": "https://git.kernel.org/stable/c/e54fb2a4772545701766cba08aab20de5eace8cd"
},
{
"url": "https://git.kernel.org/stable/c/02e06785e85b4bd86ef3d23b7c8d87acc76773d5"
},
{
"url": "https://git.kernel.org/stable/c/8cabcb4dd3dc85dd83a37d26efcc59a66a4074d7"
},
{
"url": "https://git.kernel.org/stable/c/cafb57f7bdd57abba87725eb4e82bbdca4959644"
}
],
"title": "ksmbd: Fix refcount leak when invalid session is found on session lookup",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71150",
"datePublished": "2026-01-23T14:15:16.898Z",
"dateReserved": "2026-01-13T15:30:19.662Z",
"dateUpdated": "2026-04-18T08:57:13.286Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53041 (GCVE-0-2023-53041)
Vulnerability from cvelistv5
Published
2025-05-02 15:54
Modified
2026-01-05 10:18
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: qla2xxx: Perform lockless command completion in abort path
While adding and removing the controller, the following call trace was
observed:
WARNING: CPU: 3 PID: 623596 at kernel/dma/mapping.c:532 dma_free_attrs+0x33/0x50
CPU: 3 PID: 623596 Comm: sh Kdump: loaded Not tainted 5.14.0-96.el9.x86_64 #1
RIP: 0010:dma_free_attrs+0x33/0x50
Call Trace:
qla2x00_async_sns_sp_done+0x107/0x1b0 [qla2xxx]
qla2x00_abort_srb+0x8e/0x250 [qla2xxx]
? ql_dbg+0x70/0x100 [qla2xxx]
__qla2x00_abort_all_cmds+0x108/0x190 [qla2xxx]
qla2x00_abort_all_cmds+0x24/0x70 [qla2xxx]
qla2x00_abort_isp_cleanup+0x305/0x3e0 [qla2xxx]
qla2x00_remove_one+0x364/0x400 [qla2xxx]
pci_device_remove+0x36/0xa0
__device_release_driver+0x17a/0x230
device_release_driver+0x24/0x30
pci_stop_bus_device+0x68/0x90
pci_stop_and_remove_bus_device_locked+0x16/0x30
remove_store+0x75/0x90
kernfs_fop_write_iter+0x11c/0x1b0
new_sync_write+0x11f/0x1b0
vfs_write+0x1eb/0x280
ksys_write+0x5f/0xe0
do_syscall_64+0x5c/0x80
? do_user_addr_fault+0x1d8/0x680
? do_syscall_64+0x69/0x80
? exc_page_fault+0x62/0x140
? asm_exc_page_fault+0x8/0x30
entry_SYSCALL_64_after_hwframe+0x44/0xae
The command was completed in the abort path during driver unload with a
lock held, causing the warning in abort path. Hence complete the command
without any lock held.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 31c1f455203e56a3ce8d5dd92f37c83d07bd5bd5 Version: f45bca8c5052e8c59bab64ee90c44441678b9a52 Version: f45bca8c5052e8c59bab64ee90c44441678b9a52 Version: f45bca8c5052e8c59bab64ee90c44441678b9a52 Version: f45bca8c5052e8c59bab64ee90c44441678b9a52 Version: f45bca8c5052e8c59bab64ee90c44441678b9a52 Version: 10fd34ac79b234d9bd4459c9b9c1f9d5a67f7bde |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_os.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9189f20b4c5307c0998682bb522e481b4567a8b8",
"status": "affected",
"version": "31c1f455203e56a3ce8d5dd92f37c83d07bd5bd5",
"versionType": "git"
},
{
"lessThan": "231cfa78ec5badd84a1a2b09465bfad1a926aba1",
"status": "affected",
"version": "f45bca8c5052e8c59bab64ee90c44441678b9a52",
"versionType": "git"
},
{
"lessThan": "d6f7377528d2abf338e504126e44439541be8f7d",
"status": "affected",
"version": "f45bca8c5052e8c59bab64ee90c44441678b9a52",
"versionType": "git"
},
{
"lessThan": "cd0a1804ac5bab2545ac700c8d0fe9ae9284c567",
"status": "affected",
"version": "f45bca8c5052e8c59bab64ee90c44441678b9a52",
"versionType": "git"
},
{
"lessThan": "415d614344a4f1bbddf55d724fc7eb9ef4b39aad",
"status": "affected",
"version": "f45bca8c5052e8c59bab64ee90c44441678b9a52",
"versionType": "git"
},
{
"lessThan": "0367076b0817d5c75dfb83001ce7ce5c64d803a9",
"status": "affected",
"version": "f45bca8c5052e8c59bab64ee90c44441678b9a52",
"versionType": "git"
},
{
"status": "affected",
"version": "10fd34ac79b234d9bd4459c9b9c1f9d5a67f7bde",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_os.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.240",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.177",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.105",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.240",
"versionStartIncluding": "5.4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.177",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.105",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.22",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.9",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.3.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Perform lockless command completion in abort path\n\nWhile adding and removing the controller, the following call trace was\nobserved:\n\nWARNING: CPU: 3 PID: 623596 at kernel/dma/mapping.c:532 dma_free_attrs+0x33/0x50\nCPU: 3 PID: 623596 Comm: sh Kdump: loaded Not tainted 5.14.0-96.el9.x86_64 #1\nRIP: 0010:dma_free_attrs+0x33/0x50\n\nCall Trace:\n qla2x00_async_sns_sp_done+0x107/0x1b0 [qla2xxx]\n qla2x00_abort_srb+0x8e/0x250 [qla2xxx]\n ? ql_dbg+0x70/0x100 [qla2xxx]\n __qla2x00_abort_all_cmds+0x108/0x190 [qla2xxx]\n qla2x00_abort_all_cmds+0x24/0x70 [qla2xxx]\n qla2x00_abort_isp_cleanup+0x305/0x3e0 [qla2xxx]\n qla2x00_remove_one+0x364/0x400 [qla2xxx]\n pci_device_remove+0x36/0xa0\n __device_release_driver+0x17a/0x230\n device_release_driver+0x24/0x30\n pci_stop_bus_device+0x68/0x90\n pci_stop_and_remove_bus_device_locked+0x16/0x30\n remove_store+0x75/0x90\n kernfs_fop_write_iter+0x11c/0x1b0\n new_sync_write+0x11f/0x1b0\n vfs_write+0x1eb/0x280\n ksys_write+0x5f/0xe0\n do_syscall_64+0x5c/0x80\n ? do_user_addr_fault+0x1d8/0x680\n ? do_syscall_64+0x69/0x80\n ? exc_page_fault+0x62/0x140\n ? asm_exc_page_fault+0x8/0x30\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nThe command was completed in the abort path during driver unload with a\nlock held, causing the warning in abort path. Hence complete the command\nwithout any lock held."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:18:06.808Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9189f20b4c5307c0998682bb522e481b4567a8b8"
},
{
"url": "https://git.kernel.org/stable/c/231cfa78ec5badd84a1a2b09465bfad1a926aba1"
},
{
"url": "https://git.kernel.org/stable/c/d6f7377528d2abf338e504126e44439541be8f7d"
},
{
"url": "https://git.kernel.org/stable/c/cd0a1804ac5bab2545ac700c8d0fe9ae9284c567"
},
{
"url": "https://git.kernel.org/stable/c/415d614344a4f1bbddf55d724fc7eb9ef4b39aad"
},
{
"url": "https://git.kernel.org/stable/c/0367076b0817d5c75dfb83001ce7ce5c64d803a9"
}
],
"title": "scsi: qla2xxx: Perform lockless command completion in abort path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53041",
"datePublished": "2025-05-02T15:54:59.210Z",
"dateReserved": "2025-04-16T07:18:43.827Z",
"dateUpdated": "2026-01-05T10:18:06.808Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68206 (GCVE-0-2025-68206)
Vulnerability from cvelistv5
Published
2025-12-16 13:48
Modified
2026-04-18 08:57
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_ct: add seqadj extension for natted connections
Sequence adjustment may be required for FTP traffic with PASV/EPSV modes.
due to need to re-write packet payload (IP, port) on the ftp control
connection. This can require changes to the TCP length and expected
seq / ack_seq.
The easiest way to reproduce this issue is with PASV mode.
Example ruleset:
table inet ftp_nat {
ct helper ftp_helper {
type "ftp" protocol tcp
l3proto inet
}
chain prerouting {
type filter hook prerouting priority 0; policy accept;
tcp dport 21 ct state new ct helper set "ftp_helper"
}
}
table ip nat {
chain prerouting {
type nat hook prerouting priority -100; policy accept;
tcp dport 21 dnat ip prefix to ip daddr map {
192.168.100.1 : 192.168.13.2/32 }
}
chain postrouting {
type nat hook postrouting priority 100 ; policy accept;
tcp sport 21 snat ip prefix to ip saddr map {
192.168.13.2 : 192.168.100.1/32 }
}
}
Note that the ftp helper gets assigned *after* the dnat setup.
The inverse (nat after helper assign) is handled by an existing
check in nf_nat_setup_info() and will not show the problem.
Topoloy:
+-------------------+ +----------------------------------+
| FTP: 192.168.13.2 | <-> | NAT: 192.168.13.3, 192.168.100.1 |
+-------------------+ +----------------------------------+
|
+-----------------------+
| Client: 192.168.100.2 |
+-----------------------+
ftp nat changes do not work as expected in this case:
Connected to 192.168.100.1.
[..]
ftp> epsv
EPSV/EPRT on IPv4 off.
ftp> ls
227 Entering passive mode (192,168,100,1,209,129).
421 Service not available, remote server has closed connection.
Kernel logs:
Missing nfct_seqadj_ext_add() setup call
WARNING: CPU: 1 PID: 0 at net/netfilter/nf_conntrack_seqadj.c:41
[..]
__nf_nat_mangle_tcp_packet+0x100/0x160 [nf_nat]
nf_nat_ftp+0x142/0x280 [nf_nat_ftp]
help+0x4d1/0x880 [nf_conntrack_ftp]
nf_confirm+0x122/0x2e0 [nf_conntrack]
nf_hook_slow+0x3c/0xb0
..
Fix this by adding the required extension when a conntrack helper is assigned
to a connection that has a nat binding.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1a64edf54f55d7956cf5a0d95898bc1f84f9b818 Version: 1a64edf54f55d7956cf5a0d95898bc1f84f9b818 Version: 1a64edf54f55d7956cf5a0d95898bc1f84f9b818 Version: 1a64edf54f55d7956cf5a0d95898bc1f84f9b818 Version: 1a64edf54f55d7956cf5a0d95898bc1f84f9b818 Version: 1a64edf54f55d7956cf5a0d95898bc1f84f9b818 Version: 1a64edf54f55d7956cf5a0d95898bc1f84f9b818 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nft_ct.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "83273af0b60c093ba0085c205864d8542e1b1653",
"status": "affected",
"version": "1a64edf54f55d7956cf5a0d95898bc1f84f9b818",
"versionType": "git"
},
{
"lessThan": "b19492c25eff04852e0cb58f9bb8238b6695ed2d",
"status": "affected",
"version": "1a64edf54f55d7956cf5a0d95898bc1f84f9b818",
"versionType": "git"
},
{
"lessThan": "4de80f0dc3868408dd7fe9817e507123c9dd8bb0",
"status": "affected",
"version": "1a64edf54f55d7956cf5a0d95898bc1f84f9b818",
"versionType": "git"
},
{
"lessThan": "b477ef7fa612fa45b6b3134d90d1eeb09396500a",
"status": "affected",
"version": "1a64edf54f55d7956cf5a0d95898bc1f84f9b818",
"versionType": "git"
},
{
"lessThan": "4ab2cd906e4e1a19ddbda6eb532851b0e9cda110",
"status": "affected",
"version": "1a64edf54f55d7956cf5a0d95898bc1f84f9b818",
"versionType": "git"
},
{
"lessThan": "2b52d89cbbb0dbe3e948d8d9a91e704316dccfe6",
"status": "affected",
"version": "1a64edf54f55d7956cf5a0d95898bc1f84f9b818",
"versionType": "git"
},
{
"lessThan": "90918e3b6404c2a37837b8f11692471b4c512de2",
"status": "affected",
"version": "1a64edf54f55d7956cf5a0d95898bc1f84f9b818",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nft_ct.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_ct: add seqadj extension for natted connections\n\nSequence adjustment may be required for FTP traffic with PASV/EPSV modes.\ndue to need to re-write packet payload (IP, port) on the ftp control\nconnection. This can require changes to the TCP length and expected\nseq / ack_seq.\n\nThe easiest way to reproduce this issue is with PASV mode.\nExample ruleset:\ntable inet ftp_nat {\n ct helper ftp_helper {\n type \"ftp\" protocol tcp\n l3proto inet\n }\n\n chain prerouting {\n type filter hook prerouting priority 0; policy accept;\n tcp dport 21 ct state new ct helper set \"ftp_helper\"\n }\n}\ntable ip nat {\n chain prerouting {\n type nat hook prerouting priority -100; policy accept;\n tcp dport 21 dnat ip prefix to ip daddr map {\n\t\t\t192.168.100.1 : 192.168.13.2/32 }\n }\n\n chain postrouting {\n type nat hook postrouting priority 100 ; policy accept;\n tcp sport 21 snat ip prefix to ip saddr map {\n\t\t\t192.168.13.2 : 192.168.100.1/32 }\n }\n}\n\nNote that the ftp helper gets assigned *after* the dnat setup.\n\nThe inverse (nat after helper assign) is handled by an existing\ncheck in nf_nat_setup_info() and will not show the problem.\n\nTopoloy:\n\n +-------------------+ +----------------------------------+\n | FTP: 192.168.13.2 | \u003c-\u003e | NAT: 192.168.13.3, 192.168.100.1 |\n +-------------------+ +----------------------------------+\n |\n +-----------------------+\n | Client: 192.168.100.2 |\n +-----------------------+\n\nftp nat changes do not work as expected in this case:\nConnected to 192.168.100.1.\n[..]\nftp\u003e epsv\nEPSV/EPRT on IPv4 off.\nftp\u003e ls\n227 Entering passive mode (192,168,100,1,209,129).\n421 Service not available, remote server has closed connection.\n\nKernel logs:\nMissing nfct_seqadj_ext_add() setup call\nWARNING: CPU: 1 PID: 0 at net/netfilter/nf_conntrack_seqadj.c:41\n[..]\n __nf_nat_mangle_tcp_packet+0x100/0x160 [nf_nat]\n nf_nat_ftp+0x142/0x280 [nf_nat_ftp]\n help+0x4d1/0x880 [nf_conntrack_ftp]\n nf_confirm+0x122/0x2e0 [nf_conntrack]\n nf_hook_slow+0x3c/0xb0\n ..\n\nFix this by adding the required extension when a conntrack helper is assigned\nto a connection that has a nat binding."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:57:10.560Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/83273af0b60c093ba0085c205864d8542e1b1653"
},
{
"url": "https://git.kernel.org/stable/c/b19492c25eff04852e0cb58f9bb8238b6695ed2d"
},
{
"url": "https://git.kernel.org/stable/c/4de80f0dc3868408dd7fe9817e507123c9dd8bb0"
},
{
"url": "https://git.kernel.org/stable/c/b477ef7fa612fa45b6b3134d90d1eeb09396500a"
},
{
"url": "https://git.kernel.org/stable/c/4ab2cd906e4e1a19ddbda6eb532851b0e9cda110"
},
{
"url": "https://git.kernel.org/stable/c/2b52d89cbbb0dbe3e948d8d9a91e704316dccfe6"
},
{
"url": "https://git.kernel.org/stable/c/90918e3b6404c2a37837b8f11692471b4c512de2"
}
],
"title": "netfilter: nft_ct: add seqadj extension for natted connections",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68206",
"datePublished": "2025-12-16T13:48:33.763Z",
"dateReserved": "2025-12-16T13:41:40.255Z",
"dateUpdated": "2026-04-18T08:57:10.560Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68732 (GCVE-0-2025-68732)
Vulnerability from cvelistv5
Published
2025-12-24 10:33
Modified
2026-02-09 08:32
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
gpu: host1x: Fix race in syncpt alloc/free
Fix race condition between host1x_syncpt_alloc()
and host1x_syncpt_put() by using kref_put_mutex()
instead of kref_put() + manual mutex locking.
This ensures no thread can acquire the
syncpt_mutex after the refcount drops to zero
but before syncpt_release acquires it.
This prevents races where syncpoints could
be allocated while still being cleaned up
from a previous release.
Remove explicit mutex locking in syncpt_release
as kref_put_mutex() handles this atomically.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: f5ba33fb9690566c382624637125827b5512e766 Version: f5ba33fb9690566c382624637125827b5512e766 Version: f5ba33fb9690566c382624637125827b5512e766 Version: f5ba33fb9690566c382624637125827b5512e766 Version: f5ba33fb9690566c382624637125827b5512e766 Version: f5ba33fb9690566c382624637125827b5512e766 Version: f5ba33fb9690566c382624637125827b5512e766 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/host1x/syncpt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ca9388fba50dac2eb71c13702b7022a801bef90e",
"status": "affected",
"version": "f5ba33fb9690566c382624637125827b5512e766",
"versionType": "git"
},
{
"lessThan": "4aeaece518fa4436af93d1d8b786200d9656ff4b",
"status": "affected",
"version": "f5ba33fb9690566c382624637125827b5512e766",
"versionType": "git"
},
{
"lessThan": "6245cce711e2cdb2cc75c0bb8632952e36f8c972",
"status": "affected",
"version": "f5ba33fb9690566c382624637125827b5512e766",
"versionType": "git"
},
{
"lessThan": "4e6e07ce0197aecfb6c4a62862acc93b3efedeb7",
"status": "affected",
"version": "f5ba33fb9690566c382624637125827b5512e766",
"versionType": "git"
},
{
"lessThan": "d138f73ffb0c57ded473c577719e6e551b7b1f27",
"status": "affected",
"version": "f5ba33fb9690566c382624637125827b5512e766",
"versionType": "git"
},
{
"lessThan": "79197c6007f2afbfd7bcf5b9b80ccabf8483d774",
"status": "affected",
"version": "f5ba33fb9690566c382624637125827b5512e766",
"versionType": "git"
},
{
"lessThan": "c7d393267c497502fa737607f435f05dfe6e3d9b",
"status": "affected",
"version": "f5ba33fb9690566c382624637125827b5512e766",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/host1x/syncpt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpu: host1x: Fix race in syncpt alloc/free\n\nFix race condition between host1x_syncpt_alloc()\nand host1x_syncpt_put() by using kref_put_mutex()\ninstead of kref_put() + manual mutex locking.\n\nThis ensures no thread can acquire the\nsyncpt_mutex after the refcount drops to zero\nbut before syncpt_release acquires it.\nThis prevents races where syncpoints could\nbe allocated while still being cleaned up\nfrom a previous release.\n\nRemove explicit mutex locking in syncpt_release\nas kref_put_mutex() handles this atomically."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:32:28.684Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ca9388fba50dac2eb71c13702b7022a801bef90e"
},
{
"url": "https://git.kernel.org/stable/c/4aeaece518fa4436af93d1d8b786200d9656ff4b"
},
{
"url": "https://git.kernel.org/stable/c/6245cce711e2cdb2cc75c0bb8632952e36f8c972"
},
{
"url": "https://git.kernel.org/stable/c/4e6e07ce0197aecfb6c4a62862acc93b3efedeb7"
},
{
"url": "https://git.kernel.org/stable/c/d138f73ffb0c57ded473c577719e6e551b7b1f27"
},
{
"url": "https://git.kernel.org/stable/c/79197c6007f2afbfd7bcf5b9b80ccabf8483d774"
},
{
"url": "https://git.kernel.org/stable/c/c7d393267c497502fa737607f435f05dfe6e3d9b"
}
],
"title": "gpu: host1x: Fix race in syncpt alloc/free",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68732",
"datePublished": "2025-12-24T10:33:14.664Z",
"dateReserved": "2025-12-24T10:30:51.028Z",
"dateUpdated": "2026-02-09T08:32:28.684Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68372 (GCVE-0-2025-68372)
Vulnerability from cvelistv5
Published
2025-12-24 10:33
Modified
2026-02-09 08:32
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nbd: defer config put in recv_work
There is one uaf issue in recv_work when running NBD_CLEAR_SOCK and
NBD_CMD_RECONFIGURE:
nbd_genl_connect // conf_ref=2 (connect and recv_work A)
nbd_open // conf_ref=3
recv_work A done // conf_ref=2
NBD_CLEAR_SOCK // conf_ref=1
nbd_genl_reconfigure // conf_ref=2 (trigger recv_work B)
close nbd // conf_ref=1
recv_work B
config_put // conf_ref=0
atomic_dec(&config->recv_threads); -> UAF
Or only running NBD_CLEAR_SOCK:
nbd_genl_connect // conf_ref=2
nbd_open // conf_ref=3
NBD_CLEAR_SOCK // conf_ref=2
close nbd
nbd_release
config_put // conf_ref=1
recv_work
config_put // conf_ref=0
atomic_dec(&config->recv_threads); -> UAF
Commit 87aac3a80af5 ("nbd: call nbd_config_put() before notifying the
waiter") moved nbd_config_put() to run before waking up the waiter in
recv_work, in order to ensure that nbd_start_device_ioctl() would not
be woken up while nbd->task_recv was still uncleared.
However, in nbd_start_device_ioctl(), after being woken up it explicitly
calls flush_workqueue() to make sure all current works are finished.
Therefore, there is no need to move the config put ahead of the wakeup.
Move nbd_config_put() to the end of recv_work, so that the reference is
held for the whole lifetime of the worker thread. This makes sure the
config cannot be freed while recv_work is still running, even if clear
+ reconfigure interleave.
In addition, we don't need to worry about recv_work dropping the last
nbd_put (which causes deadlock):
path A (netlink with NBD_CFLAG_DESTROY_ON_DISCONNECT):
connect // nbd_refs=1 (trigger recv_work)
open nbd // nbd_refs=2
NBD_CLEAR_SOCK
close nbd
nbd_release
nbd_disconnect_and_put
flush_workqueue // recv_work done
nbd_config_put
nbd_put // nbd_refs=1
nbd_put // nbd_refs=0
queue_work
path B (netlink without NBD_CFLAG_DESTROY_ON_DISCONNECT):
connect // nbd_refs=2 (trigger recv_work)
open nbd // nbd_refs=3
NBD_CLEAR_SOCK // conf_refs=2
close nbd
nbd_release
nbd_config_put // conf_refs=1
nbd_put // nbd_refs=2
recv_work done // conf_refs=0, nbd_refs=1
rmmod // nbd_refs=0
Depends-on: e2daec488c57 ("nbd: Fix hungtask when nbd_config_put")
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 87aac3a80af5cbad93e63250e8a1e19095ba0d30 Version: 87aac3a80af5cbad93e63250e8a1e19095ba0d30 Version: 87aac3a80af5cbad93e63250e8a1e19095ba0d30 Version: 87aac3a80af5cbad93e63250e8a1e19095ba0d30 Version: 87aac3a80af5cbad93e63250e8a1e19095ba0d30 Version: 87aac3a80af5cbad93e63250e8a1e19095ba0d30 Version: 87aac3a80af5cbad93e63250e8a1e19095ba0d30 Version: 87aac3a80af5cbad93e63250e8a1e19095ba0d30 Version: 0a4e383fc3aa6540f804c4fd1184a96ae5de6ef8 Version: 2ef6f4bd60411934e3fc2715442c2afe70f84bf3 Version: 742fd49cf811ca164489e339b862e3fb8e240a73 Version: 14df8724aeeef338172e2a2d6efadc989921ca0f |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/block/nbd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "198aa230a6f8c1f6af7ed26b29180749c3e79e4d",
"status": "affected",
"version": "87aac3a80af5cbad93e63250e8a1e19095ba0d30",
"versionType": "git"
},
{
"lessThan": "d3ba312675911ff9e3fefefd551751e153a9f0a9",
"status": "affected",
"version": "87aac3a80af5cbad93e63250e8a1e19095ba0d30",
"versionType": "git"
},
{
"lessThan": "3692884bd6187d89d41eef81e5a9724519fd01c1",
"status": "affected",
"version": "87aac3a80af5cbad93e63250e8a1e19095ba0d30",
"versionType": "git"
},
{
"lessThan": "1ba2ced2bbdf7e64a30c3e88c70ea8bc208d1509",
"status": "affected",
"version": "87aac3a80af5cbad93e63250e8a1e19095ba0d30",
"versionType": "git"
},
{
"lessThan": "6b69593f72e1bfba6ca47ca8d9b619341fded7d6",
"status": "affected",
"version": "87aac3a80af5cbad93e63250e8a1e19095ba0d30",
"versionType": "git"
},
{
"lessThan": "443a1721806b6ff6303b5229e9811d68172d622f",
"status": "affected",
"version": "87aac3a80af5cbad93e63250e8a1e19095ba0d30",
"versionType": "git"
},
{
"lessThan": "742012f6bf29553fdc460bf646a58df3a7b43d01",
"status": "affected",
"version": "87aac3a80af5cbad93e63250e8a1e19095ba0d30",
"versionType": "git"
},
{
"lessThan": "9517b82d8d422d426a988b213fdd45c6b417b86d",
"status": "affected",
"version": "87aac3a80af5cbad93e63250e8a1e19095ba0d30",
"versionType": "git"
},
{
"status": "affected",
"version": "0a4e383fc3aa6540f804c4fd1184a96ae5de6ef8",
"versionType": "git"
},
{
"status": "affected",
"version": "2ef6f4bd60411934e3fc2715442c2afe70f84bf3",
"versionType": "git"
},
{
"status": "affected",
"version": "742fd49cf811ca164489e339b862e3fb8e240a73",
"versionType": "git"
},
{
"status": "affected",
"version": "14df8724aeeef338172e2a2d6efadc989921ca0f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/block/nbd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.204",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.155",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.75",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.9.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: defer config put in recv_work\n\nThere is one uaf issue in recv_work when running NBD_CLEAR_SOCK and\nNBD_CMD_RECONFIGURE:\n nbd_genl_connect // conf_ref=2 (connect and recv_work A)\n nbd_open\t // conf_ref=3\n recv_work A done // conf_ref=2\n NBD_CLEAR_SOCK // conf_ref=1\n nbd_genl_reconfigure // conf_ref=2 (trigger recv_work B)\n close nbd\t // conf_ref=1\n recv_work B\n config_put // conf_ref=0\n atomic_dec(\u0026config-\u003erecv_threads); -\u003e UAF\n\nOr only running NBD_CLEAR_SOCK:\n nbd_genl_connect // conf_ref=2\n nbd_open \t // conf_ref=3\n NBD_CLEAR_SOCK // conf_ref=2\n close nbd\n nbd_release\n config_put // conf_ref=1\n recv_work\n config_put \t // conf_ref=0\n atomic_dec(\u0026config-\u003erecv_threads); -\u003e UAF\n\nCommit 87aac3a80af5 (\"nbd: call nbd_config_put() before notifying the\nwaiter\") moved nbd_config_put() to run before waking up the waiter in\nrecv_work, in order to ensure that nbd_start_device_ioctl() would not\nbe woken up while nbd-\u003etask_recv was still uncleared.\n\nHowever, in nbd_start_device_ioctl(), after being woken up it explicitly\ncalls flush_workqueue() to make sure all current works are finished.\nTherefore, there is no need to move the config put ahead of the wakeup.\n\nMove nbd_config_put() to the end of recv_work, so that the reference is\nheld for the whole lifetime of the worker thread. This makes sure the\nconfig cannot be freed while recv_work is still running, even if clear\n+ reconfigure interleave.\n\nIn addition, we don\u0027t need to worry about recv_work dropping the last\nnbd_put (which causes deadlock):\n\npath A (netlink with NBD_CFLAG_DESTROY_ON_DISCONNECT):\n connect // nbd_refs=1 (trigger recv_work)\n open nbd // nbd_refs=2\n NBD_CLEAR_SOCK\n close nbd\n nbd_release\n nbd_disconnect_and_put\n flush_workqueue // recv_work done\n nbd_config_put\n nbd_put // nbd_refs=1\n nbd_put // nbd_refs=0\n queue_work\n\npath B (netlink without NBD_CFLAG_DESTROY_ON_DISCONNECT):\n connect // nbd_refs=2 (trigger recv_work)\n open nbd // nbd_refs=3\n NBD_CLEAR_SOCK // conf_refs=2\n close nbd\n nbd_release\n nbd_config_put // conf_refs=1\n nbd_put // nbd_refs=2\n recv_work done // conf_refs=0, nbd_refs=1\n rmmod // nbd_refs=0\n\nDepends-on: e2daec488c57 (\"nbd: Fix hungtask when nbd_config_put\")"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:32:09.736Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/198aa230a6f8c1f6af7ed26b29180749c3e79e4d"
},
{
"url": "https://git.kernel.org/stable/c/d3ba312675911ff9e3fefefd551751e153a9f0a9"
},
{
"url": "https://git.kernel.org/stable/c/3692884bd6187d89d41eef81e5a9724519fd01c1"
},
{
"url": "https://git.kernel.org/stable/c/1ba2ced2bbdf7e64a30c3e88c70ea8bc208d1509"
},
{
"url": "https://git.kernel.org/stable/c/6b69593f72e1bfba6ca47ca8d9b619341fded7d6"
},
{
"url": "https://git.kernel.org/stable/c/443a1721806b6ff6303b5229e9811d68172d622f"
},
{
"url": "https://git.kernel.org/stable/c/742012f6bf29553fdc460bf646a58df3a7b43d01"
},
{
"url": "https://git.kernel.org/stable/c/9517b82d8d422d426a988b213fdd45c6b417b86d"
}
],
"title": "nbd: defer config put in recv_work",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68372",
"datePublished": "2025-12-24T10:33:02.679Z",
"dateReserved": "2025-12-16T14:48:05.310Z",
"dateUpdated": "2026-02-09T08:32:09.736Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71154 (GCVE-0-2025-71154)
Vulnerability from cvelistv5
Published
2026-01-23 14:25
Modified
2026-02-09 08:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: usb: rtl8150: fix memory leak on usb_submit_urb() failure
In async_set_registers(), when usb_submit_urb() fails, the allocated
async_req structure and URB are not freed, causing a memory leak.
The completion callback async_set_reg_cb() is responsible for freeing
these allocations, but it is only called after the URB is successfully
submitted and completes (successfully or with error). If submission
fails, the callback never runs and the memory is leaked.
Fix this by freeing both the URB and the request structure in the error
path when usb_submit_urb() fails.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 4d12997a9bb3d217ad4b925ec3074ec89364bf95 Version: 4d12997a9bb3d217ad4b925ec3074ec89364bf95 Version: 4d12997a9bb3d217ad4b925ec3074ec89364bf95 Version: 4d12997a9bb3d217ad4b925ec3074ec89364bf95 Version: 4d12997a9bb3d217ad4b925ec3074ec89364bf95 Version: 4d12997a9bb3d217ad4b925ec3074ec89364bf95 Version: 4d12997a9bb3d217ad4b925ec3074ec89364bf95 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/rtl8150.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a4e2442d3c48355a84463342f397134f149936d7",
"status": "affected",
"version": "4d12997a9bb3d217ad4b925ec3074ec89364bf95",
"versionType": "git"
},
{
"lessThan": "2f966186b99550e3c665dbfb87b8314e30acea02",
"status": "affected",
"version": "4d12997a9bb3d217ad4b925ec3074ec89364bf95",
"versionType": "git"
},
{
"lessThan": "db2244c580540306d60ce783ed340190720cd429",
"status": "affected",
"version": "4d12997a9bb3d217ad4b925ec3074ec89364bf95",
"versionType": "git"
},
{
"lessThan": "4bd4ea3eb326608ffc296db12c105f92dc2f2190",
"status": "affected",
"version": "4d12997a9bb3d217ad4b925ec3074ec89364bf95",
"versionType": "git"
},
{
"lessThan": "6492ad6439ff1a479fc94dc6052df3628faed8b6",
"status": "affected",
"version": "4d12997a9bb3d217ad4b925ec3074ec89364bf95",
"versionType": "git"
},
{
"lessThan": "151403e903840c9cf06754097b6732c14f26c532",
"status": "affected",
"version": "4d12997a9bb3d217ad4b925ec3074ec89364bf95",
"versionType": "git"
},
{
"lessThan": "12cab1191d9890097171156d06bfa8d31f1e39c8",
"status": "affected",
"version": "4d12997a9bb3d217ad4b925ec3074ec89364bf95",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/rtl8150.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.10"
},
{
"lessThan": "3.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: rtl8150: fix memory leak on usb_submit_urb() failure\n\nIn async_set_registers(), when usb_submit_urb() fails, the allocated\n async_req structure and URB are not freed, causing a memory leak.\n\n The completion callback async_set_reg_cb() is responsible for freeing\n these allocations, but it is only called after the URB is successfully\n submitted and completes (successfully or with error). If submission\n fails, the callback never runs and the memory is leaked.\n\n Fix this by freeing both the URB and the request structure in the error\n path when usb_submit_urb() fails."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:52.404Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a4e2442d3c48355a84463342f397134f149936d7"
},
{
"url": "https://git.kernel.org/stable/c/2f966186b99550e3c665dbfb87b8314e30acea02"
},
{
"url": "https://git.kernel.org/stable/c/db2244c580540306d60ce783ed340190720cd429"
},
{
"url": "https://git.kernel.org/stable/c/4bd4ea3eb326608ffc296db12c105f92dc2f2190"
},
{
"url": "https://git.kernel.org/stable/c/6492ad6439ff1a479fc94dc6052df3628faed8b6"
},
{
"url": "https://git.kernel.org/stable/c/151403e903840c9cf06754097b6732c14f26c532"
},
{
"url": "https://git.kernel.org/stable/c/12cab1191d9890097171156d06bfa8d31f1e39c8"
}
],
"title": "net: usb: rtl8150: fix memory leak on usb_submit_urb() failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71154",
"datePublished": "2026-01-23T14:25:53.818Z",
"dateReserved": "2026-01-13T15:30:19.662Z",
"dateUpdated": "2026-02-09T08:35:52.404Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40351 (GCVE-0-2025-40351)
Vulnerability from cvelistv5
Published
2025-12-16 13:30
Modified
2026-01-02 15:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
hfsplus: fix KMSAN uninit-value issue in hfsplus_delete_cat()
The syzbot reported issue in hfsplus_delete_cat():
[ 70.682285][ T9333] =====================================================
[ 70.682943][ T9333] BUG: KMSAN: uninit-value in hfsplus_subfolders_dec+0x1d7/0x220
[ 70.683640][ T9333] hfsplus_subfolders_dec+0x1d7/0x220
[ 70.684141][ T9333] hfsplus_delete_cat+0x105d/0x12b0
[ 70.684621][ T9333] hfsplus_rmdir+0x13d/0x310
[ 70.685048][ T9333] vfs_rmdir+0x5ba/0x810
[ 70.685447][ T9333] do_rmdir+0x964/0xea0
[ 70.685833][ T9333] __x64_sys_rmdir+0x71/0xb0
[ 70.686260][ T9333] x64_sys_call+0xcd8/0x3cf0
[ 70.686695][ T9333] do_syscall_64+0xd9/0x1d0
[ 70.687119][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 70.687646][ T9333]
[ 70.687856][ T9333] Uninit was stored to memory at:
[ 70.688311][ T9333] hfsplus_subfolders_inc+0x1c2/0x1d0
[ 70.688779][ T9333] hfsplus_create_cat+0x148e/0x1800
[ 70.689231][ T9333] hfsplus_mknod+0x27f/0x600
[ 70.689730][ T9333] hfsplus_mkdir+0x5a/0x70
[ 70.690146][ T9333] vfs_mkdir+0x483/0x7a0
[ 70.690545][ T9333] do_mkdirat+0x3f2/0xd30
[ 70.690944][ T9333] __x64_sys_mkdir+0x9a/0xf0
[ 70.691380][ T9333] x64_sys_call+0x2f89/0x3cf0
[ 70.691816][ T9333] do_syscall_64+0xd9/0x1d0
[ 70.692229][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 70.692773][ T9333]
[ 70.692990][ T9333] Uninit was stored to memory at:
[ 70.693469][ T9333] hfsplus_subfolders_inc+0x1c2/0x1d0
[ 70.693960][ T9333] hfsplus_create_cat+0x148e/0x1800
[ 70.694438][ T9333] hfsplus_fill_super+0x21c1/0x2700
[ 70.694911][ T9333] mount_bdev+0x37b/0x530
[ 70.695320][ T9333] hfsplus_mount+0x4d/0x60
[ 70.695729][ T9333] legacy_get_tree+0x113/0x2c0
[ 70.696167][ T9333] vfs_get_tree+0xb3/0x5c0
[ 70.696588][ T9333] do_new_mount+0x73e/0x1630
[ 70.697013][ T9333] path_mount+0x6e3/0x1eb0
[ 70.697425][ T9333] __se_sys_mount+0x733/0x830
[ 70.697857][ T9333] __x64_sys_mount+0xe4/0x150
[ 70.698269][ T9333] x64_sys_call+0x2691/0x3cf0
[ 70.698704][ T9333] do_syscall_64+0xd9/0x1d0
[ 70.699117][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 70.699730][ T9333]
[ 70.699946][ T9333] Uninit was created at:
[ 70.700378][ T9333] __alloc_pages_noprof+0x714/0xe60
[ 70.700843][ T9333] alloc_pages_mpol_noprof+0x2a2/0x9b0
[ 70.701331][ T9333] alloc_pages_noprof+0xf8/0x1f0
[ 70.701774][ T9333] allocate_slab+0x30e/0x1390
[ 70.702194][ T9333] ___slab_alloc+0x1049/0x33a0
[ 70.702635][ T9333] kmem_cache_alloc_lru_noprof+0x5ce/0xb20
[ 70.703153][ T9333] hfsplus_alloc_inode+0x5a/0xd0
[ 70.703598][ T9333] alloc_inode+0x82/0x490
[ 70.703984][ T9333] iget_locked+0x22e/0x1320
[ 70.704428][ T9333] hfsplus_iget+0x5c/0xba0
[ 70.704827][ T9333] hfsplus_btree_open+0x135/0x1dd0
[ 70.705291][ T9333] hfsplus_fill_super+0x1132/0x2700
[ 70.705776][ T9333] mount_bdev+0x37b/0x530
[ 70.706171][ T9333] hfsplus_mount+0x4d/0x60
[ 70.706579][ T9333] legacy_get_tree+0x113/0x2c0
[ 70.707019][ T9333] vfs_get_tree+0xb3/0x5c0
[ 70.707444][ T9333] do_new_mount+0x73e/0x1630
[ 70.707865][ T9333] path_mount+0x6e3/0x1eb0
[ 70.708270][ T9333] __se_sys_mount+0x733/0x830
[ 70.708711][ T9333] __x64_sys_mount+0xe4/0x150
[ 70.709158][ T9333] x64_sys_call+0x2691/0x3cf0
[ 70.709630][ T9333] do_syscall_64+0xd9/0x1d0
[ 70.710053][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 70.710611][ T9333]
[ 70.710842][ T9333] CPU: 3 UID: 0 PID: 9333 Comm: repro Not tainted 6.12.0-rc6-dirty #17
[ 70.711568][ T9333] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 70.712490][ T9333] =====================================================
[ 70.713085][ T9333] Disabling lock debugging due to kernel taint
[ 70.713618][ T9333] Kernel panic - not syncing: kmsan.panic set ...
[ 70.714159][ T9333]
---truncated---
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: d7d673a591701f131e53d4fd4e2b9352f1316642 Version: d7d673a591701f131e53d4fd4e2b9352f1316642 Version: d7d673a591701f131e53d4fd4e2b9352f1316642 Version: d7d673a591701f131e53d4fd4e2b9352f1316642 Version: d7d673a591701f131e53d4fd4e2b9352f1316642 Version: d7d673a591701f131e53d4fd4e2b9352f1316642 Version: d7d673a591701f131e53d4fd4e2b9352f1316642 Version: d7d673a591701f131e53d4fd4e2b9352f1316642 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/hfsplus/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a2bee43b451615531ae6f3cf45054f02915ef885",
"status": "affected",
"version": "d7d673a591701f131e53d4fd4e2b9352f1316642",
"versionType": "git"
},
{
"lessThan": "b07630afe1671096dc64064190cae3b6165cf6e4",
"status": "affected",
"version": "d7d673a591701f131e53d4fd4e2b9352f1316642",
"versionType": "git"
},
{
"lessThan": "9df3c241fbf69edce968b20eeeeb3f6da34af041",
"status": "affected",
"version": "d7d673a591701f131e53d4fd4e2b9352f1316642",
"versionType": "git"
},
{
"lessThan": "1b9e5ade272f8be6421c9eea4c4f6810180017f9",
"status": "affected",
"version": "d7d673a591701f131e53d4fd4e2b9352f1316642",
"versionType": "git"
},
{
"lessThan": "2bb8bc99b1a7a46d83f95c46f530305f6df84eaf",
"status": "affected",
"version": "d7d673a591701f131e53d4fd4e2b9352f1316642",
"versionType": "git"
},
{
"lessThan": "295527bfdefd5bf31ec8218e2891a65777141d05",
"status": "affected",
"version": "d7d673a591701f131e53d4fd4e2b9352f1316642",
"versionType": "git"
},
{
"lessThan": "4891bf2b09c313622a6e07d7f108aa5e123c768d",
"status": "affected",
"version": "d7d673a591701f131e53d4fd4e2b9352f1316642",
"versionType": "git"
},
{
"lessThan": "9b3d15a758910bb98ba8feb4109d99cc67450ee4",
"status": "affected",
"version": "d7d673a591701f131e53d4fd4e2b9352f1316642",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/hfsplus/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.14"
},
{
"lessThan": "3.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.196",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.115",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.196",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.115",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.56",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.6",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: fix KMSAN uninit-value issue in hfsplus_delete_cat()\n\nThe syzbot reported issue in hfsplus_delete_cat():\n\n[ 70.682285][ T9333] =====================================================\n[ 70.682943][ T9333] BUG: KMSAN: uninit-value in hfsplus_subfolders_dec+0x1d7/0x220\n[ 70.683640][ T9333] hfsplus_subfolders_dec+0x1d7/0x220\n[ 70.684141][ T9333] hfsplus_delete_cat+0x105d/0x12b0\n[ 70.684621][ T9333] hfsplus_rmdir+0x13d/0x310\n[ 70.685048][ T9333] vfs_rmdir+0x5ba/0x810\n[ 70.685447][ T9333] do_rmdir+0x964/0xea0\n[ 70.685833][ T9333] __x64_sys_rmdir+0x71/0xb0\n[ 70.686260][ T9333] x64_sys_call+0xcd8/0x3cf0\n[ 70.686695][ T9333] do_syscall_64+0xd9/0x1d0\n[ 70.687119][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[ 70.687646][ T9333]\n[ 70.687856][ T9333] Uninit was stored to memory at:\n[ 70.688311][ T9333] hfsplus_subfolders_inc+0x1c2/0x1d0\n[ 70.688779][ T9333] hfsplus_create_cat+0x148e/0x1800\n[ 70.689231][ T9333] hfsplus_mknod+0x27f/0x600\n[ 70.689730][ T9333] hfsplus_mkdir+0x5a/0x70\n[ 70.690146][ T9333] vfs_mkdir+0x483/0x7a0\n[ 70.690545][ T9333] do_mkdirat+0x3f2/0xd30\n[ 70.690944][ T9333] __x64_sys_mkdir+0x9a/0xf0\n[ 70.691380][ T9333] x64_sys_call+0x2f89/0x3cf0\n[ 70.691816][ T9333] do_syscall_64+0xd9/0x1d0\n[ 70.692229][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[ 70.692773][ T9333]\n[ 70.692990][ T9333] Uninit was stored to memory at:\n[ 70.693469][ T9333] hfsplus_subfolders_inc+0x1c2/0x1d0\n[ 70.693960][ T9333] hfsplus_create_cat+0x148e/0x1800\n[ 70.694438][ T9333] hfsplus_fill_super+0x21c1/0x2700\n[ 70.694911][ T9333] mount_bdev+0x37b/0x530\n[ 70.695320][ T9333] hfsplus_mount+0x4d/0x60\n[ 70.695729][ T9333] legacy_get_tree+0x113/0x2c0\n[ 70.696167][ T9333] vfs_get_tree+0xb3/0x5c0\n[ 70.696588][ T9333] do_new_mount+0x73e/0x1630\n[ 70.697013][ T9333] path_mount+0x6e3/0x1eb0\n[ 70.697425][ T9333] __se_sys_mount+0x733/0x830\n[ 70.697857][ T9333] __x64_sys_mount+0xe4/0x150\n[ 70.698269][ T9333] x64_sys_call+0x2691/0x3cf0\n[ 70.698704][ T9333] do_syscall_64+0xd9/0x1d0\n[ 70.699117][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[ 70.699730][ T9333]\n[ 70.699946][ T9333] Uninit was created at:\n[ 70.700378][ T9333] __alloc_pages_noprof+0x714/0xe60\n[ 70.700843][ T9333] alloc_pages_mpol_noprof+0x2a2/0x9b0\n[ 70.701331][ T9333] alloc_pages_noprof+0xf8/0x1f0\n[ 70.701774][ T9333] allocate_slab+0x30e/0x1390\n[ 70.702194][ T9333] ___slab_alloc+0x1049/0x33a0\n[ 70.702635][ T9333] kmem_cache_alloc_lru_noprof+0x5ce/0xb20\n[ 70.703153][ T9333] hfsplus_alloc_inode+0x5a/0xd0\n[ 70.703598][ T9333] alloc_inode+0x82/0x490\n[ 70.703984][ T9333] iget_locked+0x22e/0x1320\n[ 70.704428][ T9333] hfsplus_iget+0x5c/0xba0\n[ 70.704827][ T9333] hfsplus_btree_open+0x135/0x1dd0\n[ 70.705291][ T9333] hfsplus_fill_super+0x1132/0x2700\n[ 70.705776][ T9333] mount_bdev+0x37b/0x530\n[ 70.706171][ T9333] hfsplus_mount+0x4d/0x60\n[ 70.706579][ T9333] legacy_get_tree+0x113/0x2c0\n[ 70.707019][ T9333] vfs_get_tree+0xb3/0x5c0\n[ 70.707444][ T9333] do_new_mount+0x73e/0x1630\n[ 70.707865][ T9333] path_mount+0x6e3/0x1eb0\n[ 70.708270][ T9333] __se_sys_mount+0x733/0x830\n[ 70.708711][ T9333] __x64_sys_mount+0xe4/0x150\n[ 70.709158][ T9333] x64_sys_call+0x2691/0x3cf0\n[ 70.709630][ T9333] do_syscall_64+0xd9/0x1d0\n[ 70.710053][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[ 70.710611][ T9333]\n[ 70.710842][ T9333] CPU: 3 UID: 0 PID: 9333 Comm: repro Not tainted 6.12.0-rc6-dirty #17\n[ 70.711568][ T9333] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[ 70.712490][ T9333] =====================================================\n[ 70.713085][ T9333] Disabling lock debugging due to kernel taint\n[ 70.713618][ T9333] Kernel panic - not syncing: kmsan.panic set ...\n[ 70.714159][ T9333] \n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:46.209Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a2bee43b451615531ae6f3cf45054f02915ef885"
},
{
"url": "https://git.kernel.org/stable/c/b07630afe1671096dc64064190cae3b6165cf6e4"
},
{
"url": "https://git.kernel.org/stable/c/9df3c241fbf69edce968b20eeeeb3f6da34af041"
},
{
"url": "https://git.kernel.org/stable/c/1b9e5ade272f8be6421c9eea4c4f6810180017f9"
},
{
"url": "https://git.kernel.org/stable/c/2bb8bc99b1a7a46d83f95c46f530305f6df84eaf"
},
{
"url": "https://git.kernel.org/stable/c/295527bfdefd5bf31ec8218e2891a65777141d05"
},
{
"url": "https://git.kernel.org/stable/c/4891bf2b09c313622a6e07d7f108aa5e123c768d"
},
{
"url": "https://git.kernel.org/stable/c/9b3d15a758910bb98ba8feb4109d99cc67450ee4"
}
],
"title": "hfsplus: fix KMSAN uninit-value issue in hfsplus_delete_cat()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40351",
"datePublished": "2025-12-16T13:30:24.764Z",
"dateReserved": "2025-04-16T07:20:57.187Z",
"dateUpdated": "2026-01-02T15:33:46.209Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68797 (GCVE-0-2025-68797)
Vulnerability from cvelistv5
Published
2026-01-13 15:29
Modified
2026-02-09 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
char: applicom: fix NULL pointer dereference in ac_ioctl
Discovered by Atuin - Automated Vulnerability Discovery Engine.
In ac_ioctl, the validation of IndexCard and the check for a valid
RamIO pointer are skipped when cmd is 6. However, the function
unconditionally executes readb(apbs[IndexCard].RamIO + VERS) at the
end.
If cmd is 6, IndexCard may reference a board that does not exist
(where RamIO is NULL), leading to a NULL pointer dereference.
Fix this by skipping the readb access when cmd is 6, as this
command is a global information query and does not target a specific
board context.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/char/applicom.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5a6240804fb7bbd4f5f6e706955248a6f4c1abbc",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d1b0452280029d05a98c75631131ee61c0b0d084",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0b8b353e09888bccee405e0dd6feafb60360f478",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d285517429a75423789e6408653e57b6fdfc8e54",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "74883565c621eec6cd2e35fe6d27454cf2810c23",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f83e3e9f89181b42f6076a115d767a7552c4a39e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "82d12088c297fa1cef670e1718b3d24f414c23f7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/char/applicom.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nchar: applicom: fix NULL pointer dereference in ac_ioctl\n\nDiscovered by Atuin - Automated Vulnerability Discovery Engine.\n\nIn ac_ioctl, the validation of IndexCard and the check for a valid\nRamIO pointer are skipped when cmd is 6. However, the function\nunconditionally executes readb(apbs[IndexCard].RamIO + VERS) at the\nend.\n\nIf cmd is 6, IndexCard may reference a board that does not exist\n(where RamIO is NULL), leading to a NULL pointer dereference.\n\nFix this by skipping the readb access when cmd is 6, as this\ncommand is a global information query and does not target a specific\nboard context."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:45.207Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5a6240804fb7bbd4f5f6e706955248a6f4c1abbc"
},
{
"url": "https://git.kernel.org/stable/c/d1b0452280029d05a98c75631131ee61c0b0d084"
},
{
"url": "https://git.kernel.org/stable/c/0b8b353e09888bccee405e0dd6feafb60360f478"
},
{
"url": "https://git.kernel.org/stable/c/d285517429a75423789e6408653e57b6fdfc8e54"
},
{
"url": "https://git.kernel.org/stable/c/74883565c621eec6cd2e35fe6d27454cf2810c23"
},
{
"url": "https://git.kernel.org/stable/c/f83e3e9f89181b42f6076a115d767a7552c4a39e"
},
{
"url": "https://git.kernel.org/stable/c/82d12088c297fa1cef670e1718b3d24f414c23f7"
}
],
"title": "char: applicom: fix NULL pointer dereference in ac_ioctl",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68797",
"datePublished": "2026-01-13T15:29:07.575Z",
"dateReserved": "2025-12-24T10:30:51.042Z",
"dateUpdated": "2026-02-09T08:33:45.207Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40223 (GCVE-0-2025-40223)
Vulnerability from cvelistv5
Published
2025-12-04 15:31
Modified
2025-12-04 15:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
most: usb: Fix use-after-free in hdm_disconnect
hdm_disconnect() calls most_deregister_interface(), which eventually
unregisters the MOST interface device with device_unregister(iface->dev).
If that drops the last reference, the device core may call release_mdev()
immediately while hdm_disconnect() is still executing.
The old code also freed several mdev-owned allocations in
hdm_disconnect() and then performed additional put_device() calls.
Depending on refcount order, this could lead to use-after-free or
double-free when release_mdev() ran (or when unregister paths also
performed puts).
Fix by moving the frees of mdev-owned allocations into release_mdev(),
so they happen exactly once when the device is truly released, and by
dropping the extra put_device() calls in hdm_disconnect() that are
redundant after device_unregister() and most_deregister_interface().
This addresses the KASAN slab-use-after-free reported by syzbot in
hdm_disconnect(). See report and stack traces in the bug link below.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 97a6f772f36b7f52bcfa56a581bbd2470cffe23d Version: 97a6f772f36b7f52bcfa56a581bbd2470cffe23d Version: 97a6f772f36b7f52bcfa56a581bbd2470cffe23d Version: 97a6f772f36b7f52bcfa56a581bbd2470cffe23d Version: 97a6f772f36b7f52bcfa56a581bbd2470cffe23d Version: 97a6f772f36b7f52bcfa56a581bbd2470cffe23d Version: 97a6f772f36b7f52bcfa56a581bbd2470cffe23d |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/most/most_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5b5c478f09b1b35e7fe6fc9a1786c9bf6030e831",
"status": "affected",
"version": "97a6f772f36b7f52bcfa56a581bbd2470cffe23d",
"versionType": "git"
},
{
"lessThan": "578eb18cd111addec94c43f61cd4b4429e454809",
"status": "affected",
"version": "97a6f772f36b7f52bcfa56a581bbd2470cffe23d",
"versionType": "git"
},
{
"lessThan": "33daf469f5294b9d07c4fc98216cace9f4f34cc6",
"status": "affected",
"version": "97a6f772f36b7f52bcfa56a581bbd2470cffe23d",
"versionType": "git"
},
{
"lessThan": "72427dc6f87523995f4e6ae35a948bb2992cabce",
"status": "affected",
"version": "97a6f772f36b7f52bcfa56a581bbd2470cffe23d",
"versionType": "git"
},
{
"lessThan": "f93a84ffb884d761a9d4e869ba29c238711e81f1",
"status": "affected",
"version": "97a6f772f36b7f52bcfa56a581bbd2470cffe23d",
"versionType": "git"
},
{
"lessThan": "3a3b8e89c7201c5b3b76ac4a4069d1adde1477d6",
"status": "affected",
"version": "97a6f772f36b7f52bcfa56a581bbd2470cffe23d",
"versionType": "git"
},
{
"lessThan": "4b1270902609ef0d935ed2faa2ea6d122bd148f5",
"status": "affected",
"version": "97a6f772f36b7f52bcfa56a581bbd2470cffe23d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/most/most_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.196",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.115",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.196",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.115",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.56",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.6",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmost: usb: Fix use-after-free in hdm_disconnect\n\nhdm_disconnect() calls most_deregister_interface(), which eventually\nunregisters the MOST interface device with device_unregister(iface-\u003edev).\nIf that drops the last reference, the device core may call release_mdev()\nimmediately while hdm_disconnect() is still executing.\n\nThe old code also freed several mdev-owned allocations in\nhdm_disconnect() and then performed additional put_device() calls.\nDepending on refcount order, this could lead to use-after-free or\ndouble-free when release_mdev() ran (or when unregister paths also\nperformed puts).\n\nFix by moving the frees of mdev-owned allocations into release_mdev(),\nso they happen exactly once when the device is truly released, and by\ndropping the extra put_device() calls in hdm_disconnect() that are\nredundant after device_unregister() and most_deregister_interface().\n\nThis addresses the KASAN slab-use-after-free reported by syzbot in\nhdm_disconnect(). See report and stack traces in the bug link below."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-04T15:31:15.158Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5b5c478f09b1b35e7fe6fc9a1786c9bf6030e831"
},
{
"url": "https://git.kernel.org/stable/c/578eb18cd111addec94c43f61cd4b4429e454809"
},
{
"url": "https://git.kernel.org/stable/c/33daf469f5294b9d07c4fc98216cace9f4f34cc6"
},
{
"url": "https://git.kernel.org/stable/c/72427dc6f87523995f4e6ae35a948bb2992cabce"
},
{
"url": "https://git.kernel.org/stable/c/f93a84ffb884d761a9d4e869ba29c238711e81f1"
},
{
"url": "https://git.kernel.org/stable/c/3a3b8e89c7201c5b3b76ac4a4069d1adde1477d6"
},
{
"url": "https://git.kernel.org/stable/c/4b1270902609ef0d935ed2faa2ea6d122bd148f5"
}
],
"title": "most: usb: Fix use-after-free in hdm_disconnect",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40223",
"datePublished": "2025-12-04T15:31:15.158Z",
"dateReserved": "2025-04-16T07:20:57.180Z",
"dateUpdated": "2025-12-04T15:31:15.158Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68362 (GCVE-0-2025-68362)
Vulnerability from cvelistv5
Published
2025-12-24 10:32
Modified
2026-02-09 08:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: rtl818x: rtl8187: Fix potential buffer underflow in rtl8187_rx_cb()
The rtl8187_rx_cb() calculates the rx descriptor header address
by subtracting its size from the skb tail pointer.
However, it does not validate if the received packet
(skb->len from urb->actual_length) is large enough to contain this
header.
If a truncated packet is received, this will lead to a buffer
underflow, reading memory before the start of the skb data area,
and causing a kernel panic.
Add length checks for both rtl8187 and rtl8187b descriptor headers
before attempting to access them, dropping the packet cleanly if the
check fails.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 6f7853f3cbe457067e9fe05461f56c7ea4ac488c Version: 6f7853f3cbe457067e9fe05461f56c7ea4ac488c Version: 6f7853f3cbe457067e9fe05461f56c7ea4ac488c Version: 6f7853f3cbe457067e9fe05461f56c7ea4ac488c Version: 6f7853f3cbe457067e9fe05461f56c7ea4ac488c Version: 6f7853f3cbe457067e9fe05461f56c7ea4ac488c Version: 6f7853f3cbe457067e9fe05461f56c7ea4ac488c Version: 6f7853f3cbe457067e9fe05461f56c7ea4ac488c |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "118e12bf3e4288cf845cd3759bd9d4c99f91aab5",
"status": "affected",
"version": "6f7853f3cbe457067e9fe05461f56c7ea4ac488c",
"versionType": "git"
},
{
"lessThan": "6a96bd0d94305fd04a6ac64446ec113bae289384",
"status": "affected",
"version": "6f7853f3cbe457067e9fe05461f56c7ea4ac488c",
"versionType": "git"
},
{
"lessThan": "e2f3ea15e804607e0a4a34a2f6c331c8750b68bc",
"status": "affected",
"version": "6f7853f3cbe457067e9fe05461f56c7ea4ac488c",
"versionType": "git"
},
{
"lessThan": "dc153401fb26c1640a2b279c47b65e1c416af276",
"status": "affected",
"version": "6f7853f3cbe457067e9fe05461f56c7ea4ac488c",
"versionType": "git"
},
{
"lessThan": "4758770a673c60d8f615809304d72e1432fa6355",
"status": "affected",
"version": "6f7853f3cbe457067e9fe05461f56c7ea4ac488c",
"versionType": "git"
},
{
"lessThan": "638d4148e166d114a4cd7becaae992ce1a815ed8",
"status": "affected",
"version": "6f7853f3cbe457067e9fe05461f56c7ea4ac488c",
"versionType": "git"
},
{
"lessThan": "5ebf0fe7eaef9f6173a4c6ea77c5353e21645d15",
"status": "affected",
"version": "6f7853f3cbe457067e9fe05461f56c7ea4ac488c",
"versionType": "git"
},
{
"lessThan": "b647d2574e4583c2e3b0ab35568f60c88e910840",
"status": "affected",
"version": "6f7853f3cbe457067e9fe05461f56c7ea4ac488c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.27"
},
{
"lessThan": "2.6.27",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.27",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtl818x: rtl8187: Fix potential buffer underflow in rtl8187_rx_cb()\n\nThe rtl8187_rx_cb() calculates the rx descriptor header address\nby subtracting its size from the skb tail pointer.\nHowever, it does not validate if the received packet\n(skb-\u003elen from urb-\u003eactual_length) is large enough to contain this\nheader.\n\nIf a truncated packet is received, this will lead to a buffer\nunderflow, reading memory before the start of the skb data area,\nand causing a kernel panic.\n\nAdd length checks for both rtl8187 and rtl8187b descriptor headers\nbefore attempting to access them, dropping the packet cleanly if the\ncheck fails."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:31:57.901Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/118e12bf3e4288cf845cd3759bd9d4c99f91aab5"
},
{
"url": "https://git.kernel.org/stable/c/6a96bd0d94305fd04a6ac64446ec113bae289384"
},
{
"url": "https://git.kernel.org/stable/c/e2f3ea15e804607e0a4a34a2f6c331c8750b68bc"
},
{
"url": "https://git.kernel.org/stable/c/dc153401fb26c1640a2b279c47b65e1c416af276"
},
{
"url": "https://git.kernel.org/stable/c/4758770a673c60d8f615809304d72e1432fa6355"
},
{
"url": "https://git.kernel.org/stable/c/638d4148e166d114a4cd7becaae992ce1a815ed8"
},
{
"url": "https://git.kernel.org/stable/c/5ebf0fe7eaef9f6173a4c6ea77c5353e21645d15"
},
{
"url": "https://git.kernel.org/stable/c/b647d2574e4583c2e3b0ab35568f60c88e910840"
}
],
"title": "wifi: rtl818x: rtl8187: Fix potential buffer underflow in rtl8187_rx_cb()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68362",
"datePublished": "2025-12-24T10:32:50.492Z",
"dateReserved": "2025-12-16T14:48:05.307Z",
"dateUpdated": "2026-02-09T08:31:57.901Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39943 (GCVE-0-2025-39943)
Vulnerability from cvelistv5
Published
2025-10-04 07:31
Modified
2025-10-04 07:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: smbdirect: validate data_offset and data_length field of smb_direct_data_transfer
If data_offset and data_length of smb_direct_data_transfer struct are
invalid, out of bounds issue could happen.
This patch validate data_offset and data_length field in recv_done.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 2ea086e35c3d726a3bacd0a971c1f02a50e98206 Version: 2ea086e35c3d726a3bacd0a971c1f02a50e98206 Version: 2ea086e35c3d726a3bacd0a971c1f02a50e98206 Version: 2ea086e35c3d726a3bacd0a971c1f02a50e98206 Version: 2ea086e35c3d726a3bacd0a971c1f02a50e98206 Version: 2ea086e35c3d726a3bacd0a971c1f02a50e98206 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/transport_rdma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "773fddf976d282ef059c36c575ddb81567acd6bc",
"status": "affected",
"version": "2ea086e35c3d726a3bacd0a971c1f02a50e98206",
"versionType": "git"
},
{
"lessThan": "bdaab5c6538e250a9654127e688ecbbeb6f771d5",
"status": "affected",
"version": "2ea086e35c3d726a3bacd0a971c1f02a50e98206",
"versionType": "git"
},
{
"lessThan": "eb0378dde086363046ed3d7db7f126fc3f76fd70",
"status": "affected",
"version": "2ea086e35c3d726a3bacd0a971c1f02a50e98206",
"versionType": "git"
},
{
"lessThan": "8be498fcbd5b07272f560b45981d4b9e5a2ad885",
"status": "affected",
"version": "2ea086e35c3d726a3bacd0a971c1f02a50e98206",
"versionType": "git"
},
{
"lessThan": "529b121b00a6ee3c88fb3c01b443b2b81f686d48",
"status": "affected",
"version": "2ea086e35c3d726a3bacd0a971c1f02a50e98206",
"versionType": "git"
},
{
"lessThan": "5282491fc49d5614ac6ddcd012e5743eecb6a67c",
"status": "affected",
"version": "2ea086e35c3d726a3bacd0a971c1f02a50e98206",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/transport_rdma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.154",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.108",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.154",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.108",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.49",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.9",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: smbdirect: validate data_offset and data_length field of smb_direct_data_transfer\n\nIf data_offset and data_length of smb_direct_data_transfer struct are\ninvalid, out of bounds issue could happen.\nThis patch validate data_offset and data_length field in recv_done."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T07:37:03.203Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/773fddf976d282ef059c36c575ddb81567acd6bc"
},
{
"url": "https://git.kernel.org/stable/c/bdaab5c6538e250a9654127e688ecbbeb6f771d5"
},
{
"url": "https://git.kernel.org/stable/c/eb0378dde086363046ed3d7db7f126fc3f76fd70"
},
{
"url": "https://git.kernel.org/stable/c/8be498fcbd5b07272f560b45981d4b9e5a2ad885"
},
{
"url": "https://git.kernel.org/stable/c/529b121b00a6ee3c88fb3c01b443b2b81f686d48"
},
{
"url": "https://git.kernel.org/stable/c/5282491fc49d5614ac6ddcd012e5743eecb6a67c"
}
],
"title": "ksmbd: smbdirect: validate data_offset and data_length field of smb_direct_data_transfer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39943",
"datePublished": "2025-10-04T07:31:05.581Z",
"dateReserved": "2025-04-16T07:20:57.148Z",
"dateUpdated": "2025-10-04T07:37:03.203Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39911 (GCVE-0-2025-39911)
Vulnerability from cvelistv5
Published
2025-10-01 07:44
Modified
2025-11-03 17:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path
If request_irq() in i40e_vsi_request_irq_msix() fails in an iteration
later than the first, the error path wants to free the IRQs requested
so far. However, it uses the wrong dev_id argument for free_irq(), so
it does not free the IRQs correctly and instead triggers the warning:
Trying to free already-free IRQ 173
WARNING: CPU: 25 PID: 1091 at kernel/irq/manage.c:1829 __free_irq+0x192/0x2c0
Modules linked in: i40e(+) [...]
CPU: 25 UID: 0 PID: 1091 Comm: NetworkManager Not tainted 6.17.0-rc1+ #1 PREEMPT(lazy)
Hardware name: [...]
RIP: 0010:__free_irq+0x192/0x2c0
[...]
Call Trace:
<TASK>
free_irq+0x32/0x70
i40e_vsi_request_irq_msix.cold+0x63/0x8b [i40e]
i40e_vsi_request_irq+0x79/0x80 [i40e]
i40e_vsi_open+0x21f/0x2f0 [i40e]
i40e_open+0x63/0x130 [i40e]
__dev_open+0xfc/0x210
__dev_change_flags+0x1fc/0x240
netif_change_flags+0x27/0x70
do_setlink.isra.0+0x341/0xc70
rtnl_newlink+0x468/0x860
rtnetlink_rcv_msg+0x375/0x450
netlink_rcv_skb+0x5c/0x110
netlink_unicast+0x288/0x3c0
netlink_sendmsg+0x20d/0x430
____sys_sendmsg+0x3a2/0x3d0
___sys_sendmsg+0x99/0xe0
__sys_sendmsg+0x8a/0xf0
do_syscall_64+0x82/0x2c0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
[...]
</TASK>
---[ end trace 0000000000000000 ]---
Use the same dev_id for free_irq() as for request_irq().
I tested this with inserting code to fail intentionally.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 493fb30011b3ab5173cef96f1d1ce126da051792 Version: 493fb30011b3ab5173cef96f1d1ce126da051792 Version: 493fb30011b3ab5173cef96f1d1ce126da051792 Version: 493fb30011b3ab5173cef96f1d1ce126da051792 Version: 493fb30011b3ab5173cef96f1d1ce126da051792 Version: 493fb30011b3ab5173cef96f1d1ce126da051792 Version: 493fb30011b3ab5173cef96f1d1ce126da051792 Version: 493fb30011b3ab5173cef96f1d1ce126da051792 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:36.010Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "13ab9adef3cd386511c930a9660ae06595007f89",
"status": "affected",
"version": "493fb30011b3ab5173cef96f1d1ce126da051792",
"versionType": "git"
},
{
"lessThan": "6e4016c0dca53afc71e3b99e24252b63417395df",
"status": "affected",
"version": "493fb30011b3ab5173cef96f1d1ce126da051792",
"versionType": "git"
},
{
"lessThan": "b9721a023df38cf44a88f2739b4cf51efd051f85",
"status": "affected",
"version": "493fb30011b3ab5173cef96f1d1ce126da051792",
"versionType": "git"
},
{
"lessThan": "b905b2acb3a0bbb08ad9be9984d8cdabdf827315",
"status": "affected",
"version": "493fb30011b3ab5173cef96f1d1ce126da051792",
"versionType": "git"
},
{
"lessThan": "23431998a37764c464737b855c71a81d50992e98",
"status": "affected",
"version": "493fb30011b3ab5173cef96f1d1ce126da051792",
"versionType": "git"
},
{
"lessThan": "a30afd6617c30aaa338d1dbcb1e34e7a1890085c",
"status": "affected",
"version": "493fb30011b3ab5173cef96f1d1ce126da051792",
"versionType": "git"
},
{
"lessThan": "c62580674ce5feb1be4f90b5873ff3ce50e0a1db",
"status": "affected",
"version": "493fb30011b3ab5173cef96f1d1ce126da051792",
"versionType": "git"
},
{
"lessThan": "915470e1b44e71d1dd07ee067276f003c3521ee3",
"status": "affected",
"version": "493fb30011b3ab5173cef96f1d1ce126da051792",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.13"
},
{
"lessThan": "3.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.153",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.107",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.48",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "3.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path\n\nIf request_irq() in i40e_vsi_request_irq_msix() fails in an iteration\nlater than the first, the error path wants to free the IRQs requested\nso far. However, it uses the wrong dev_id argument for free_irq(), so\nit does not free the IRQs correctly and instead triggers the warning:\n\n Trying to free already-free IRQ 173\n WARNING: CPU: 25 PID: 1091 at kernel/irq/manage.c:1829 __free_irq+0x192/0x2c0\n Modules linked in: i40e(+) [...]\n CPU: 25 UID: 0 PID: 1091 Comm: NetworkManager Not tainted 6.17.0-rc1+ #1 PREEMPT(lazy)\n Hardware name: [...]\n RIP: 0010:__free_irq+0x192/0x2c0\n [...]\n Call Trace:\n \u003cTASK\u003e\n free_irq+0x32/0x70\n i40e_vsi_request_irq_msix.cold+0x63/0x8b [i40e]\n i40e_vsi_request_irq+0x79/0x80 [i40e]\n i40e_vsi_open+0x21f/0x2f0 [i40e]\n i40e_open+0x63/0x130 [i40e]\n __dev_open+0xfc/0x210\n __dev_change_flags+0x1fc/0x240\n netif_change_flags+0x27/0x70\n do_setlink.isra.0+0x341/0xc70\n rtnl_newlink+0x468/0x860\n rtnetlink_rcv_msg+0x375/0x450\n netlink_rcv_skb+0x5c/0x110\n netlink_unicast+0x288/0x3c0\n netlink_sendmsg+0x20d/0x430\n ____sys_sendmsg+0x3a2/0x3d0\n ___sys_sendmsg+0x99/0xe0\n __sys_sendmsg+0x8a/0xf0\n do_syscall_64+0x82/0x2c0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n [...]\n \u003c/TASK\u003e\n ---[ end trace 0000000000000000 ]---\n\nUse the same dev_id for free_irq() as for request_irq().\n\nI tested this with inserting code to fail intentionally."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T13:26:41.601Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/13ab9adef3cd386511c930a9660ae06595007f89"
},
{
"url": "https://git.kernel.org/stable/c/6e4016c0dca53afc71e3b99e24252b63417395df"
},
{
"url": "https://git.kernel.org/stable/c/b9721a023df38cf44a88f2739b4cf51efd051f85"
},
{
"url": "https://git.kernel.org/stable/c/b905b2acb3a0bbb08ad9be9984d8cdabdf827315"
},
{
"url": "https://git.kernel.org/stable/c/23431998a37764c464737b855c71a81d50992e98"
},
{
"url": "https://git.kernel.org/stable/c/a30afd6617c30aaa338d1dbcb1e34e7a1890085c"
},
{
"url": "https://git.kernel.org/stable/c/c62580674ce5feb1be4f90b5873ff3ce50e0a1db"
},
{
"url": "https://git.kernel.org/stable/c/915470e1b44e71d1dd07ee067276f003c3521ee3"
}
],
"title": "i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39911",
"datePublished": "2025-10-01T07:44:34.561Z",
"dateReserved": "2025-04-16T07:20:57.147Z",
"dateUpdated": "2025-11-03T17:44:36.010Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68366 (GCVE-0-2025-68366)
Vulnerability from cvelistv5
Published
2025-12-24 10:32
Modified
2026-02-09 08:32
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nbd: defer config unlock in nbd_genl_connect
There is one use-after-free warning when running NBD_CMD_CONNECT and
NBD_CLEAR_SOCK:
nbd_genl_connect
nbd_alloc_and_init_config // config_refs=1
nbd_start_device // config_refs=2
set NBD_RT_HAS_CONFIG_REF open nbd // config_refs=3
recv_work done // config_refs=2
NBD_CLEAR_SOCK // config_refs=1
close nbd // config_refs=0
refcount_inc -> uaf
------------[ cut here ]------------
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 24 PID: 1014 at lib/refcount.c:25 refcount_warn_saturate+0x12e/0x290
nbd_genl_connect+0x16d0/0x1ab0
genl_family_rcv_msg_doit+0x1f3/0x310
genl_rcv_msg+0x44a/0x790
The issue can be easily reproduced by adding a small delay before
refcount_inc(&nbd->config_refs) in nbd_genl_connect():
mutex_unlock(&nbd->config_lock);
if (!ret) {
set_bit(NBD_RT_HAS_CONFIG_REF, &config->runtime_flags);
+ printk("before sleep\n");
+ mdelay(5 * 1000);
+ printk("after sleep\n");
refcount_inc(&nbd->config_refs);
nbd_connect_reply(info, nbd->index);
}
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: e46c7287b1c27683a8e30ca825fb98e2b97f1099 Version: e46c7287b1c27683a8e30ca825fb98e2b97f1099 Version: e46c7287b1c27683a8e30ca825fb98e2b97f1099 Version: e46c7287b1c27683a8e30ca825fb98e2b97f1099 Version: e46c7287b1c27683a8e30ca825fb98e2b97f1099 Version: e46c7287b1c27683a8e30ca825fb98e2b97f1099 Version: e46c7287b1c27683a8e30ca825fb98e2b97f1099 Version: e46c7287b1c27683a8e30ca825fb98e2b97f1099 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/block/nbd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "330d688a5ca53857828081a3cf31b92ad1b0b3ed",
"status": "affected",
"version": "e46c7287b1c27683a8e30ca825fb98e2b97f1099",
"versionType": "git"
},
{
"lessThan": "cd93db1b1b4460e6ee77564024ea461e5940f69c",
"status": "affected",
"version": "e46c7287b1c27683a8e30ca825fb98e2b97f1099",
"versionType": "git"
},
{
"lessThan": "ae3e7bc1f4b393ae20e5c85583eb2c6977374716",
"status": "affected",
"version": "e46c7287b1c27683a8e30ca825fb98e2b97f1099",
"versionType": "git"
},
{
"lessThan": "2e5e0665a594f076ef2b9439447bae8be293d09d",
"status": "affected",
"version": "e46c7287b1c27683a8e30ca825fb98e2b97f1099",
"versionType": "git"
},
{
"lessThan": "c9b99c948b4fb014812afe7b5ccf2db121d22e46",
"status": "affected",
"version": "e46c7287b1c27683a8e30ca825fb98e2b97f1099",
"versionType": "git"
},
{
"lessThan": "9a38306643874566d20f7aba7dff9e6f657b51a9",
"status": "affected",
"version": "e46c7287b1c27683a8e30ca825fb98e2b97f1099",
"versionType": "git"
},
{
"lessThan": "c9e805f6a35d1dd189a9345595a5c20e87611942",
"status": "affected",
"version": "e46c7287b1c27683a8e30ca825fb98e2b97f1099",
"versionType": "git"
},
{
"lessThan": "1649714b930f9ea6233ce0810ba885999da3b5d4",
"status": "affected",
"version": "e46c7287b1c27683a8e30ca825fb98e2b97f1099",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/block/nbd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: defer config unlock in nbd_genl_connect\n\nThere is one use-after-free warning when running NBD_CMD_CONNECT and\nNBD_CLEAR_SOCK:\n\nnbd_genl_connect\n nbd_alloc_and_init_config // config_refs=1\n nbd_start_device // config_refs=2\n set NBD_RT_HAS_CONFIG_REF\t\t\topen nbd // config_refs=3\n recv_work done // config_refs=2\n\t\t\t\t\t\tNBD_CLEAR_SOCK // config_refs=1\n\t\t\t\t\t\tclose nbd // config_refs=0\n refcount_inc -\u003e uaf\n\n------------[ cut here ]------------\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 24 PID: 1014 at lib/refcount.c:25 refcount_warn_saturate+0x12e/0x290\n nbd_genl_connect+0x16d0/0x1ab0\n genl_family_rcv_msg_doit+0x1f3/0x310\n genl_rcv_msg+0x44a/0x790\n\nThe issue can be easily reproduced by adding a small delay before\nrefcount_inc(\u0026nbd-\u003econfig_refs) in nbd_genl_connect():\n\n mutex_unlock(\u0026nbd-\u003econfig_lock);\n if (!ret) {\n set_bit(NBD_RT_HAS_CONFIG_REF, \u0026config-\u003eruntime_flags);\n+ printk(\"before sleep\\n\");\n+ mdelay(5 * 1000);\n+ printk(\"after sleep\\n\");\n refcount_inc(\u0026nbd-\u003econfig_refs);\n nbd_connect_reply(info, nbd-\u003eindex);\n }"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:32:02.582Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/330d688a5ca53857828081a3cf31b92ad1b0b3ed"
},
{
"url": "https://git.kernel.org/stable/c/cd93db1b1b4460e6ee77564024ea461e5940f69c"
},
{
"url": "https://git.kernel.org/stable/c/ae3e7bc1f4b393ae20e5c85583eb2c6977374716"
},
{
"url": "https://git.kernel.org/stable/c/2e5e0665a594f076ef2b9439447bae8be293d09d"
},
{
"url": "https://git.kernel.org/stable/c/c9b99c948b4fb014812afe7b5ccf2db121d22e46"
},
{
"url": "https://git.kernel.org/stable/c/9a38306643874566d20f7aba7dff9e6f657b51a9"
},
{
"url": "https://git.kernel.org/stable/c/c9e805f6a35d1dd189a9345595a5c20e87611942"
},
{
"url": "https://git.kernel.org/stable/c/1649714b930f9ea6233ce0810ba885999da3b5d4"
}
],
"title": "nbd: defer config unlock in nbd_genl_connect",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68366",
"datePublished": "2025-12-24T10:32:53.399Z",
"dateReserved": "2025-12-16T14:48:05.308Z",
"dateUpdated": "2026-02-09T08:32:02.582Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22991 (GCVE-0-2026-22991)
Vulnerability from cvelistv5
Published
2026-01-23 15:24
Modified
2026-02-09 08:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
libceph: make free_choose_arg_map() resilient to partial allocation
free_choose_arg_map() may dereference a NULL pointer if its caller fails
after a partial allocation.
For example, in decode_choose_args(), if allocation of arg_map->args
fails, execution jumps to the fail label and free_choose_arg_map() is
called. Since arg_map->size is updated to a non-zero value before memory
allocation, free_choose_arg_map() will iterate over arg_map->args and
dereference a NULL pointer.
To prevent this potential NULL pointer dereference and make
free_choose_arg_map() more resilient, add checks for pointers before
iterating.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 5cf9c4a9959b6273675310d14a834ef14fbca37c Version: 5cf9c4a9959b6273675310d14a834ef14fbca37c Version: 5cf9c4a9959b6273675310d14a834ef14fbca37c Version: 5cf9c4a9959b6273675310d14a834ef14fbca37c Version: 5cf9c4a9959b6273675310d14a834ef14fbca37c Version: 5cf9c4a9959b6273675310d14a834ef14fbca37c Version: 5cf9c4a9959b6273675310d14a834ef14fbca37c |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ceph/osdmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9b3730dabcf3764bfe3ff07caf55e641a0b45234",
"status": "affected",
"version": "5cf9c4a9959b6273675310d14a834ef14fbca37c",
"versionType": "git"
},
{
"lessThan": "851241d3f78a5505224dc21c03d8692f530256b4",
"status": "affected",
"version": "5cf9c4a9959b6273675310d14a834ef14fbca37c",
"versionType": "git"
},
{
"lessThan": "ec1850f663da64842614c86b20fe734be070c2ba",
"status": "affected",
"version": "5cf9c4a9959b6273675310d14a834ef14fbca37c",
"versionType": "git"
},
{
"lessThan": "8081faaf089db5280c3be820948469f7c58ef8dd",
"status": "affected",
"version": "5cf9c4a9959b6273675310d14a834ef14fbca37c",
"versionType": "git"
},
{
"lessThan": "c4c2152a858c0ce4d2bff6ca8c1d5b0ef9f2cbdf",
"status": "affected",
"version": "5cf9c4a9959b6273675310d14a834ef14fbca37c",
"versionType": "git"
},
{
"lessThan": "f21c3fdb96833aac2f533506899fe38c19cf49d5",
"status": "affected",
"version": "5cf9c4a9959b6273675310d14a834ef14fbca37c",
"versionType": "git"
},
{
"lessThan": "e3fe30e57649c551757a02e1cad073c47e1e075e",
"status": "affected",
"version": "5cf9c4a9959b6273675310d14a834ef14fbca37c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ceph/osdmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: make free_choose_arg_map() resilient to partial allocation\n\nfree_choose_arg_map() may dereference a NULL pointer if its caller fails\nafter a partial allocation.\n\nFor example, in decode_choose_args(), if allocation of arg_map-\u003eargs\nfails, execution jumps to the fail label and free_choose_arg_map() is\ncalled. Since arg_map-\u003esize is updated to a non-zero value before memory\nallocation, free_choose_arg_map() will iterate over arg_map-\u003eargs and\ndereference a NULL pointer.\n\nTo prevent this potential NULL pointer dereference and make\nfree_choose_arg_map() more resilient, add checks for pointers before\niterating."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:42.415Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9b3730dabcf3764bfe3ff07caf55e641a0b45234"
},
{
"url": "https://git.kernel.org/stable/c/851241d3f78a5505224dc21c03d8692f530256b4"
},
{
"url": "https://git.kernel.org/stable/c/ec1850f663da64842614c86b20fe734be070c2ba"
},
{
"url": "https://git.kernel.org/stable/c/8081faaf089db5280c3be820948469f7c58ef8dd"
},
{
"url": "https://git.kernel.org/stable/c/c4c2152a858c0ce4d2bff6ca8c1d5b0ef9f2cbdf"
},
{
"url": "https://git.kernel.org/stable/c/f21c3fdb96833aac2f533506899fe38c19cf49d5"
},
{
"url": "https://git.kernel.org/stable/c/e3fe30e57649c551757a02e1cad073c47e1e075e"
}
],
"title": "libceph: make free_choose_arg_map() resilient to partial allocation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-22991",
"datePublished": "2026-01-23T15:24:12.191Z",
"dateReserved": "2026-01-13T15:37:45.937Z",
"dateUpdated": "2026-02-09T08:36:42.415Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39913 (GCVE-0-2025-39913)
Vulnerability from cvelistv5
Published
2025-10-01 07:44
Modified
2025-11-03 17:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tcp_bpf: Call sk_msg_free() when tcp_bpf_send_verdict() fails to allocate psock->cork.
syzbot reported the splat below. [0]
The repro does the following:
1. Load a sk_msg prog that calls bpf_msg_cork_bytes(msg, cork_bytes)
2. Attach the prog to a SOCKMAP
3. Add a socket to the SOCKMAP
4. Activate fault injection
5. Send data less than cork_bytes
At 5., the data is carried over to the next sendmsg() as it is
smaller than the cork_bytes specified by bpf_msg_cork_bytes().
Then, tcp_bpf_send_verdict() tries to allocate psock->cork to hold
the data, but this fails silently due to fault injection + __GFP_NOWARN.
If the allocation fails, we need to revert the sk->sk_forward_alloc
change done by sk_msg_alloc().
Let's call sk_msg_free() when tcp_bpf_send_verdict fails to allocate
psock->cork.
The "*copied" also needs to be updated such that a proper error can
be returned to the caller, sendmsg. It fails to allocate psock->cork.
Nothing has been corked so far, so this patch simply sets "*copied"
to 0.
[0]:
WARNING: net/ipv4/af_inet.c:156 at inet_sock_destruct+0x623/0x730 net/ipv4/af_inet.c:156, CPU#1: syz-executor/5983
Modules linked in:
CPU: 1 UID: 0 PID: 5983 Comm: syz-executor Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:inet_sock_destruct+0x623/0x730 net/ipv4/af_inet.c:156
Code: 0f 0b 90 e9 62 fe ff ff e8 7a db b5 f7 90 0f 0b 90 e9 95 fe ff ff e8 6c db b5 f7 90 0f 0b 90 e9 bb fe ff ff e8 5e db b5 f7 90 <0f> 0b 90 e9 e1 fe ff ff 89 f9 80 e1 07 80 c1 03 38 c1 0f 8c 9f fc
RSP: 0018:ffffc90000a08b48 EFLAGS: 00010246
RAX: ffffffff8a09d0b2 RBX: dffffc0000000000 RCX: ffff888024a23c80
RDX: 0000000000000100 RSI: 0000000000000fff RDI: 0000000000000000
RBP: 0000000000000fff R08: ffff88807e07c627 R09: 1ffff1100fc0f8c4
R10: dffffc0000000000 R11: ffffed100fc0f8c5 R12: ffff88807e07c380
R13: dffffc0000000000 R14: ffff88807e07c60c R15: 1ffff1100fc0f872
FS: 00005555604c4500(0000) GS:ffff888125af1000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005555604df5c8 CR3: 0000000032b06000 CR4: 00000000003526f0
Call Trace:
<IRQ>
__sk_destruct+0x86/0x660 net/core/sock.c:2339
rcu_do_batch kernel/rcu/tree.c:2605 [inline]
rcu_core+0xca8/0x1770 kernel/rcu/tree.c:2861
handle_softirqs+0x286/0x870 kernel/softirq.c:579
__do_softirq kernel/softirq.c:613 [inline]
invoke_softirq kernel/softirq.c:453 [inline]
__irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680
irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1052 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1052
</IRQ>
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 4f738adba30a7cfc006f605707e7aee847ffefa0 Version: 4f738adba30a7cfc006f605707e7aee847ffefa0 Version: 4f738adba30a7cfc006f605707e7aee847ffefa0 Version: 4f738adba30a7cfc006f605707e7aee847ffefa0 Version: 4f738adba30a7cfc006f605707e7aee847ffefa0 Version: 4f738adba30a7cfc006f605707e7aee847ffefa0 Version: 4f738adba30a7cfc006f605707e7aee847ffefa0 Version: 4f738adba30a7cfc006f605707e7aee847ffefa0 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:36.959Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/tcp_bpf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "08f58d10f5abf11d297cc910754922498c921f91",
"status": "affected",
"version": "4f738adba30a7cfc006f605707e7aee847ffefa0",
"versionType": "git"
},
{
"lessThan": "05366527f44cf4b884f3d9462ae8009be9665856",
"status": "affected",
"version": "4f738adba30a7cfc006f605707e7aee847ffefa0",
"versionType": "git"
},
{
"lessThan": "7429b8b9bfbc276fd304fbaebc405f46b421fedf",
"status": "affected",
"version": "4f738adba30a7cfc006f605707e7aee847ffefa0",
"versionType": "git"
},
{
"lessThan": "9c2a6456bdf9794474460d885c359b6c4522d6e3",
"status": "affected",
"version": "4f738adba30a7cfc006f605707e7aee847ffefa0",
"versionType": "git"
},
{
"lessThan": "66bcb04a441fbf15d66834b7e3eefb313dd750c8",
"status": "affected",
"version": "4f738adba30a7cfc006f605707e7aee847ffefa0",
"versionType": "git"
},
{
"lessThan": "539920180c55f5e13a2488a2339f94e6b8cb69e0",
"status": "affected",
"version": "4f738adba30a7cfc006f605707e7aee847ffefa0",
"versionType": "git"
},
{
"lessThan": "de89e58368f8f07df005ecc1c86ad94898a999f2",
"status": "affected",
"version": "4f738adba30a7cfc006f605707e7aee847ffefa0",
"versionType": "git"
},
{
"lessThan": "a3967baad4d533dc254c31e0d221e51c8d223d58",
"status": "affected",
"version": "4f738adba30a7cfc006f605707e7aee847ffefa0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/tcp_bpf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.153",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.107",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.48",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp_bpf: Call sk_msg_free() when tcp_bpf_send_verdict() fails to allocate psock-\u003ecork.\n\nsyzbot reported the splat below. [0]\n\nThe repro does the following:\n\n 1. Load a sk_msg prog that calls bpf_msg_cork_bytes(msg, cork_bytes)\n 2. Attach the prog to a SOCKMAP\n 3. Add a socket to the SOCKMAP\n 4. Activate fault injection\n 5. Send data less than cork_bytes\n\nAt 5., the data is carried over to the next sendmsg() as it is\nsmaller than the cork_bytes specified by bpf_msg_cork_bytes().\n\nThen, tcp_bpf_send_verdict() tries to allocate psock-\u003ecork to hold\nthe data, but this fails silently due to fault injection + __GFP_NOWARN.\n\nIf the allocation fails, we need to revert the sk-\u003esk_forward_alloc\nchange done by sk_msg_alloc().\n\nLet\u0027s call sk_msg_free() when tcp_bpf_send_verdict fails to allocate\npsock-\u003ecork.\n\nThe \"*copied\" also needs to be updated such that a proper error can\nbe returned to the caller, sendmsg. It fails to allocate psock-\u003ecork.\nNothing has been corked so far, so this patch simply sets \"*copied\"\nto 0.\n\n[0]:\nWARNING: net/ipv4/af_inet.c:156 at inet_sock_destruct+0x623/0x730 net/ipv4/af_inet.c:156, CPU#1: syz-executor/5983\nModules linked in:\nCPU: 1 UID: 0 PID: 5983 Comm: syz-executor Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025\nRIP: 0010:inet_sock_destruct+0x623/0x730 net/ipv4/af_inet.c:156\nCode: 0f 0b 90 e9 62 fe ff ff e8 7a db b5 f7 90 0f 0b 90 e9 95 fe ff ff e8 6c db b5 f7 90 0f 0b 90 e9 bb fe ff ff e8 5e db b5 f7 90 \u003c0f\u003e 0b 90 e9 e1 fe ff ff 89 f9 80 e1 07 80 c1 03 38 c1 0f 8c 9f fc\nRSP: 0018:ffffc90000a08b48 EFLAGS: 00010246\nRAX: ffffffff8a09d0b2 RBX: dffffc0000000000 RCX: ffff888024a23c80\nRDX: 0000000000000100 RSI: 0000000000000fff RDI: 0000000000000000\nRBP: 0000000000000fff R08: ffff88807e07c627 R09: 1ffff1100fc0f8c4\nR10: dffffc0000000000 R11: ffffed100fc0f8c5 R12: ffff88807e07c380\nR13: dffffc0000000000 R14: ffff88807e07c60c R15: 1ffff1100fc0f872\nFS: 00005555604c4500(0000) GS:ffff888125af1000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00005555604df5c8 CR3: 0000000032b06000 CR4: 00000000003526f0\nCall Trace:\n \u003cIRQ\u003e\n __sk_destruct+0x86/0x660 net/core/sock.c:2339\n rcu_do_batch kernel/rcu/tree.c:2605 [inline]\n rcu_core+0xca8/0x1770 kernel/rcu/tree.c:2861\n handle_softirqs+0x286/0x870 kernel/softirq.c:579\n __do_softirq kernel/softirq.c:613 [inline]\n invoke_softirq kernel/softirq.c:453 [inline]\n __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680\n irq_exit_rcu+0x9/0x30 kernel/softirq.c:696\n instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1052 [inline]\n sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1052\n \u003c/IRQ\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T13:26:46.411Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/08f58d10f5abf11d297cc910754922498c921f91"
},
{
"url": "https://git.kernel.org/stable/c/05366527f44cf4b884f3d9462ae8009be9665856"
},
{
"url": "https://git.kernel.org/stable/c/7429b8b9bfbc276fd304fbaebc405f46b421fedf"
},
{
"url": "https://git.kernel.org/stable/c/9c2a6456bdf9794474460d885c359b6c4522d6e3"
},
{
"url": "https://git.kernel.org/stable/c/66bcb04a441fbf15d66834b7e3eefb313dd750c8"
},
{
"url": "https://git.kernel.org/stable/c/539920180c55f5e13a2488a2339f94e6b8cb69e0"
},
{
"url": "https://git.kernel.org/stable/c/de89e58368f8f07df005ecc1c86ad94898a999f2"
},
{
"url": "https://git.kernel.org/stable/c/a3967baad4d533dc254c31e0d221e51c8d223d58"
}
],
"title": "tcp_bpf: Call sk_msg_free() when tcp_bpf_send_verdict() fails to allocate psock-\u003ecork.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39913",
"datePublished": "2025-10-01T07:44:36.244Z",
"dateReserved": "2025-04-16T07:20:57.147Z",
"dateUpdated": "2025-11-03T17:44:36.959Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40200 (GCVE-0-2025-40200)
Vulnerability from cvelistv5
Published
2025-11-12 21:56
Modified
2025-12-01 06:20
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Squashfs: reject negative file sizes in squashfs_read_inode()
Syskaller reports a "WARNING in ovl_copy_up_file" in overlayfs.
This warning is ultimately caused because the underlying Squashfs file
system returns a file with a negative file size.
This commit checks for a negative file size and returns EINVAL.
[phillip@squashfs.org.uk: only need to check 64 bit quantity]
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 6545b246a2c815a8fcd07d58240effb6ec3481b1 Version: 6545b246a2c815a8fcd07d58240effb6ec3481b1 Version: 6545b246a2c815a8fcd07d58240effb6ec3481b1 Version: 6545b246a2c815a8fcd07d58240effb6ec3481b1 Version: 6545b246a2c815a8fcd07d58240effb6ec3481b1 Version: 6545b246a2c815a8fcd07d58240effb6ec3481b1 Version: 6545b246a2c815a8fcd07d58240effb6ec3481b1 Version: 6545b246a2c815a8fcd07d58240effb6ec3481b1 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/squashfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "54170057a5fadd24a37b70de41e61d39284d9bd7",
"status": "affected",
"version": "6545b246a2c815a8fcd07d58240effb6ec3481b1",
"versionType": "git"
},
{
"lessThan": "2871c74caa3f4f05b429e6bfefebac62dbf1b408",
"status": "affected",
"version": "6545b246a2c815a8fcd07d58240effb6ec3481b1",
"versionType": "git"
},
{
"lessThan": "fbfc745db628de31f5c089147deeb87e95b89e66",
"status": "affected",
"version": "6545b246a2c815a8fcd07d58240effb6ec3481b1",
"versionType": "git"
},
{
"lessThan": "8118f66124895829443d09c207e654adcb2f9321",
"status": "affected",
"version": "6545b246a2c815a8fcd07d58240effb6ec3481b1",
"versionType": "git"
},
{
"lessThan": "8c7aad76751816207fee556d44aa88a710824810",
"status": "affected",
"version": "6545b246a2c815a8fcd07d58240effb6ec3481b1",
"versionType": "git"
},
{
"lessThan": "875fb3f87ae0225b881319ba016a1a8c4ffd5812",
"status": "affected",
"version": "6545b246a2c815a8fcd07d58240effb6ec3481b1",
"versionType": "git"
},
{
"lessThan": "f271155ff31aca8ef82c61c8df23ca97e9a77dd4",
"status": "affected",
"version": "6545b246a2c815a8fcd07d58240effb6ec3481b1",
"versionType": "git"
},
{
"lessThan": "9f1c14c1de1bdde395f6cc893efa4f80a2ae3b2b",
"status": "affected",
"version": "6545b246a2c815a8fcd07d58240effb6ec3481b1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/squashfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.29"
},
{
"lessThan": "2.6.29",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.29",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nSquashfs: reject negative file sizes in squashfs_read_inode()\n\nSyskaller reports a \"WARNING in ovl_copy_up_file\" in overlayfs.\n\nThis warning is ultimately caused because the underlying Squashfs file\nsystem returns a file with a negative file size.\n\nThis commit checks for a negative file size and returns EINVAL.\n\n[phillip@squashfs.org.uk: only need to check 64 bit quantity]"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:20:02.406Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/54170057a5fadd24a37b70de41e61d39284d9bd7"
},
{
"url": "https://git.kernel.org/stable/c/2871c74caa3f4f05b429e6bfefebac62dbf1b408"
},
{
"url": "https://git.kernel.org/stable/c/fbfc745db628de31f5c089147deeb87e95b89e66"
},
{
"url": "https://git.kernel.org/stable/c/8118f66124895829443d09c207e654adcb2f9321"
},
{
"url": "https://git.kernel.org/stable/c/8c7aad76751816207fee556d44aa88a710824810"
},
{
"url": "https://git.kernel.org/stable/c/875fb3f87ae0225b881319ba016a1a8c4ffd5812"
},
{
"url": "https://git.kernel.org/stable/c/f271155ff31aca8ef82c61c8df23ca97e9a77dd4"
},
{
"url": "https://git.kernel.org/stable/c/9f1c14c1de1bdde395f6cc893efa4f80a2ae3b2b"
}
],
"title": "Squashfs: reject negative file sizes in squashfs_read_inode()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40200",
"datePublished": "2025-11-12T21:56:33.783Z",
"dateReserved": "2025-04-16T07:20:57.178Z",
"dateUpdated": "2025-12-01T06:20:02.406Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68763 (GCVE-0-2025-68763)
Vulnerability from cvelistv5
Published
2026-01-05 09:32
Modified
2026-02-09 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: starfive - Correctly handle return of sg_nents_for_len
The return value of sg_nents_for_len was assigned to an unsigned long
in starfive_hash_digest, causing negative error codes to be converted
to large positive integers.
Add error checking for sg_nents_for_len and return immediately on
failure to prevent potential buffer overflows.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/crypto/starfive/jh7110-hash.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6cd14414394b4f3d6e1ed64b8241d1fcc2271820",
"status": "affected",
"version": "7883d1b28a2b0e62edcacea22de6b36a1918b15a",
"versionType": "git"
},
{
"lessThan": "0c3854d65cc4402cb8c52d4d773450a06efecab6",
"status": "affected",
"version": "7883d1b28a2b0e62edcacea22de6b36a1918b15a",
"versionType": "git"
},
{
"lessThan": "1af5c973dd744e29fa22121f43e8646b7a7a71a7",
"status": "affected",
"version": "7883d1b28a2b0e62edcacea22de6b36a1918b15a",
"versionType": "git"
},
{
"lessThan": "9b3f71cf02e04cfaa482155e3078707fe7f8aef4",
"status": "affected",
"version": "7883d1b28a2b0e62edcacea22de6b36a1918b15a",
"versionType": "git"
},
{
"lessThan": "e9eb52037a529fbb307c290e9951a62dd728b03d",
"status": "affected",
"version": "7883d1b28a2b0e62edcacea22de6b36a1918b15a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/crypto/starfive/jh7110-hash.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: starfive - Correctly handle return of sg_nents_for_len\n\nThe return value of sg_nents_for_len was assigned to an unsigned long\nin starfive_hash_digest, causing negative error codes to be converted\nto large positive integers.\n\nAdd error checking for sg_nents_for_len and return immediately on\nfailure to prevent potential buffer overflows."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:07.993Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6cd14414394b4f3d6e1ed64b8241d1fcc2271820"
},
{
"url": "https://git.kernel.org/stable/c/0c3854d65cc4402cb8c52d4d773450a06efecab6"
},
{
"url": "https://git.kernel.org/stable/c/1af5c973dd744e29fa22121f43e8646b7a7a71a7"
},
{
"url": "https://git.kernel.org/stable/c/9b3f71cf02e04cfaa482155e3078707fe7f8aef4"
},
{
"url": "https://git.kernel.org/stable/c/e9eb52037a529fbb307c290e9951a62dd728b03d"
}
],
"title": "crypto: starfive - Correctly handle return of sg_nents_for_len",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68763",
"datePublished": "2026-01-05T09:32:35.678Z",
"dateReserved": "2025-12-24T10:30:51.034Z",
"dateUpdated": "2026-02-09T08:33:07.993Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23133 (GCVE-0-2026-23133)
Vulnerability from cvelistv5
Published
2026-02-14 15:14
Modified
2026-02-14 15:14
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath10k: fix dma_free_coherent() pointer
dma_alloc_coherent() allocates a DMA mapped buffer and stores the
addresses in XXX_unaligned fields. Those should be reused when freeing
the buffer rather than the aligned addresses.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 2a1e1ad3fd37a632b61f50e73dafddb4b0fa57f1 Version: 2a1e1ad3fd37a632b61f50e73dafddb4b0fa57f1 Version: 2a1e1ad3fd37a632b61f50e73dafddb4b0fa57f1 Version: 2a1e1ad3fd37a632b61f50e73dafddb4b0fa57f1 Version: 2a1e1ad3fd37a632b61f50e73dafddb4b0fa57f1 Version: 2a1e1ad3fd37a632b61f50e73dafddb4b0fa57f1 Version: 2a1e1ad3fd37a632b61f50e73dafddb4b0fa57f1 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath10k/ce.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e2dda298ef809aa201ea7c0904c4d064f6c497cb",
"status": "affected",
"version": "2a1e1ad3fd37a632b61f50e73dafddb4b0fa57f1",
"versionType": "git"
},
{
"lessThan": "fc8da65f9fe1bc6802f8240b342cfff4f5c7e841",
"status": "affected",
"version": "2a1e1ad3fd37a632b61f50e73dafddb4b0fa57f1",
"versionType": "git"
},
{
"lessThan": "b0ad924332a96550a84b8c0ae5483e7042d65fa9",
"status": "affected",
"version": "2a1e1ad3fd37a632b61f50e73dafddb4b0fa57f1",
"versionType": "git"
},
{
"lessThan": "1928851334ecfd6e0d663121ab69ac639d4217a6",
"status": "affected",
"version": "2a1e1ad3fd37a632b61f50e73dafddb4b0fa57f1",
"versionType": "git"
},
{
"lessThan": "5d6fa4d2c9799c09389588da5118a72d97d87e92",
"status": "affected",
"version": "2a1e1ad3fd37a632b61f50e73dafddb4b0fa57f1",
"versionType": "git"
},
{
"lessThan": "07f363f305793baecad41816f73056252f3df61e",
"status": "affected",
"version": "2a1e1ad3fd37a632b61f50e73dafddb4b0fa57f1",
"versionType": "git"
},
{
"lessThan": "9282a1e171ad8d2205067e8ec3bbe4e3cef4f29f",
"status": "affected",
"version": "2a1e1ad3fd37a632b61f50e73dafddb4b0fa57f1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath10k/ce.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath10k: fix dma_free_coherent() pointer\n\ndma_alloc_coherent() allocates a DMA mapped buffer and stores the\naddresses in XXX_unaligned fields. Those should be reused when freeing\nthe buffer rather than the aligned addresses."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T15:14:33.102Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e2dda298ef809aa201ea7c0904c4d064f6c497cb"
},
{
"url": "https://git.kernel.org/stable/c/fc8da65f9fe1bc6802f8240b342cfff4f5c7e841"
},
{
"url": "https://git.kernel.org/stable/c/b0ad924332a96550a84b8c0ae5483e7042d65fa9"
},
{
"url": "https://git.kernel.org/stable/c/1928851334ecfd6e0d663121ab69ac639d4217a6"
},
{
"url": "https://git.kernel.org/stable/c/5d6fa4d2c9799c09389588da5118a72d97d87e92"
},
{
"url": "https://git.kernel.org/stable/c/07f363f305793baecad41816f73056252f3df61e"
},
{
"url": "https://git.kernel.org/stable/c/9282a1e171ad8d2205067e8ec3bbe4e3cef4f29f"
}
],
"title": "wifi: ath10k: fix dma_free_coherent() pointer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23133",
"datePublished": "2026-02-14T15:14:33.102Z",
"dateReserved": "2026-01-13T15:37:45.971Z",
"dateUpdated": "2026-02-14T15:14:33.102Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68778 (GCVE-0-2025-68778)
Vulnerability from cvelistv5
Published
2026-01-13 15:28
Modified
2026-02-09 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: don't log conflicting inode if it's a dir moved in the current transaction
We can't log a conflicting inode if it's a directory and it was moved
from one parent directory to another parent directory in the current
transaction, as this can result an attempt to have a directory with
two hard links during log replay, one for the old parent directory and
another for the new parent directory.
The following scenario triggers that issue:
1) We have directories "dir1" and "dir2" created in a past transaction.
Directory "dir1" has inode A as its parent directory;
2) We move "dir1" to some other directory;
3) We create a file with the name "dir1" in directory inode A;
4) We fsync the new file. This results in logging the inode of the new file
and the inode for the directory "dir1" that was previously moved in the
current transaction. So the log tree has the INODE_REF item for the
new location of "dir1";
5) We move the new file to some other directory. This results in updating
the log tree to included the new INODE_REF for the new location of the
file and removes the INODE_REF for the old location. This happens
during the rename when we call btrfs_log_new_name();
6) We fsync the file, and that persists the log tree changes done in the
previous step (btrfs_log_new_name() only updates the log tree in
memory);
7) We have a power failure;
8) Next time the fs is mounted, log replay happens and when processing
the inode for directory "dir1" we find a new INODE_REF and add that
link, but we don't remove the old link of the inode since we have
not logged the old parent directory of the directory inode "dir1".
As a result after log replay finishes when we trigger writeback of the
subvolume tree's extent buffers, the tree check will detect that we have
a directory a hard link count of 2 and we get a mount failure.
The errors and stack traces reported in dmesg/syslog are like this:
[ 3845.729764] BTRFS info (device dm-0): start tree-log replay
[ 3845.730304] page: refcount:3 mapcount:0 mapping:000000005c8a3027 index:0x1d00 pfn:0x11510c
[ 3845.731236] memcg:ffff9264c02f4e00
[ 3845.731751] aops:btree_aops [btrfs] ino:1
[ 3845.732300] flags: 0x17fffc00000400a(uptodate|private|writeback|node=0|zone=2|lastcpupid=0x1ffff)
[ 3845.733346] raw: 017fffc00000400a 0000000000000000 dead000000000122 ffff9264d978aea8
[ 3845.734265] raw: 0000000000001d00 ffff92650e6d4738 00000003ffffffff ffff9264c02f4e00
[ 3845.735305] page dumped because: eb page dump
[ 3845.735981] BTRFS critical (device dm-0): corrupt leaf: root=5 block=30408704 slot=6 ino=257, invalid nlink: has 2 expect no more than 1 for dir
[ 3845.737786] BTRFS info (device dm-0): leaf 30408704 gen 10 total ptrs 17 free space 14881 owner 5
[ 3845.737789] BTRFS info (device dm-0): refs 4 lock_owner 0 current 30701
[ 3845.737792] item 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160
[ 3845.737794] inode generation 3 transid 9 size 16 nbytes 16384
[ 3845.737795] block group 0 mode 40755 links 1 uid 0 gid 0
[ 3845.737797] rdev 0 sequence 2 flags 0x0
[ 3845.737798] atime 1764259517.0
[ 3845.737800] ctime 1764259517.572889464
[ 3845.737801] mtime 1764259517.572889464
[ 3845.737802] otime 1764259517.0
[ 3845.737803] item 1 key (256 INODE_REF 256) itemoff 16111 itemsize 12
[ 3845.737805] index 0 name_len 2
[ 3845.737807] item 2 key (256 DIR_ITEM 2363071922) itemoff 16077 itemsize 34
[ 3845.737808] location key (257 1 0) type 2
[ 3845.737810] transid 9 data_len 0 name_len 4
[ 3845.737811] item 3 key (256 DIR_ITEM 2676584006) itemoff 16043 itemsize 34
[ 3845.737813] location key (258 1 0) type 2
[ 3845.737814] transid 9 data_len 0 name_len 4
[ 3845.737815] item 4 key (256 DIR_INDEX 2) itemoff 16009 itemsize 34
[ 3845.737816] location key (257 1 0) type 2
[
---truncated---
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/tree-log.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d64f3834dffef80f0a9185a037617a54ed7f4bd2",
"status": "affected",
"version": "44f714dae50a2e795d3268a6831762aa6fa54f55",
"versionType": "git"
},
{
"lessThan": "7359e1d39c78816ecbdb0cb4e93975794ce53973",
"status": "affected",
"version": "44f714dae50a2e795d3268a6831762aa6fa54f55",
"versionType": "git"
},
{
"lessThan": "d478f50727c3ee46d0359f0d2ae114f70191816e",
"status": "affected",
"version": "44f714dae50a2e795d3268a6831762aa6fa54f55",
"versionType": "git"
},
{
"lessThan": "a35788ddf8df65837897ecbb0ddb2896b863159e",
"status": "affected",
"version": "44f714dae50a2e795d3268a6831762aa6fa54f55",
"versionType": "git"
},
{
"lessThan": "266273eaf4d99475f1ae57f687b3e42bc71ec6f0",
"status": "affected",
"version": "44f714dae50a2e795d3268a6831762aa6fa54f55",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/tree-log.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: don\u0027t log conflicting inode if it\u0027s a dir moved in the current transaction\n\nWe can\u0027t log a conflicting inode if it\u0027s a directory and it was moved\nfrom one parent directory to another parent directory in the current\ntransaction, as this can result an attempt to have a directory with\ntwo hard links during log replay, one for the old parent directory and\nanother for the new parent directory.\n\nThe following scenario triggers that issue:\n\n1) We have directories \"dir1\" and \"dir2\" created in a past transaction.\n Directory \"dir1\" has inode A as its parent directory;\n\n2) We move \"dir1\" to some other directory;\n\n3) We create a file with the name \"dir1\" in directory inode A;\n\n4) We fsync the new file. This results in logging the inode of the new file\n and the inode for the directory \"dir1\" that was previously moved in the\n current transaction. So the log tree has the INODE_REF item for the\n new location of \"dir1\";\n\n5) We move the new file to some other directory. This results in updating\n the log tree to included the new INODE_REF for the new location of the\n file and removes the INODE_REF for the old location. This happens\n during the rename when we call btrfs_log_new_name();\n\n6) We fsync the file, and that persists the log tree changes done in the\n previous step (btrfs_log_new_name() only updates the log tree in\n memory);\n\n7) We have a power failure;\n\n8) Next time the fs is mounted, log replay happens and when processing\n the inode for directory \"dir1\" we find a new INODE_REF and add that\n link, but we don\u0027t remove the old link of the inode since we have\n not logged the old parent directory of the directory inode \"dir1\".\n\nAs a result after log replay finishes when we trigger writeback of the\nsubvolume tree\u0027s extent buffers, the tree check will detect that we have\na directory a hard link count of 2 and we get a mount failure.\nThe errors and stack traces reported in dmesg/syslog are like this:\n\n [ 3845.729764] BTRFS info (device dm-0): start tree-log replay\n [ 3845.730304] page: refcount:3 mapcount:0 mapping:000000005c8a3027 index:0x1d00 pfn:0x11510c\n [ 3845.731236] memcg:ffff9264c02f4e00\n [ 3845.731751] aops:btree_aops [btrfs] ino:1\n [ 3845.732300] flags: 0x17fffc00000400a(uptodate|private|writeback|node=0|zone=2|lastcpupid=0x1ffff)\n [ 3845.733346] raw: 017fffc00000400a 0000000000000000 dead000000000122 ffff9264d978aea8\n [ 3845.734265] raw: 0000000000001d00 ffff92650e6d4738 00000003ffffffff ffff9264c02f4e00\n [ 3845.735305] page dumped because: eb page dump\n [ 3845.735981] BTRFS critical (device dm-0): corrupt leaf: root=5 block=30408704 slot=6 ino=257, invalid nlink: has 2 expect no more than 1 for dir\n [ 3845.737786] BTRFS info (device dm-0): leaf 30408704 gen 10 total ptrs 17 free space 14881 owner 5\n [ 3845.737789] BTRFS info (device dm-0): refs 4 lock_owner 0 current 30701\n [ 3845.737792] \titem 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160\n [ 3845.737794] \t\tinode generation 3 transid 9 size 16 nbytes 16384\n [ 3845.737795] \t\tblock group 0 mode 40755 links 1 uid 0 gid 0\n [ 3845.737797] \t\trdev 0 sequence 2 flags 0x0\n [ 3845.737798] \t\tatime 1764259517.0\n [ 3845.737800] \t\tctime 1764259517.572889464\n [ 3845.737801] \t\tmtime 1764259517.572889464\n [ 3845.737802] \t\totime 1764259517.0\n [ 3845.737803] \titem 1 key (256 INODE_REF 256) itemoff 16111 itemsize 12\n [ 3845.737805] \t\tindex 0 name_len 2\n [ 3845.737807] \titem 2 key (256 DIR_ITEM 2363071922) itemoff 16077 itemsize 34\n [ 3845.737808] \t\tlocation key (257 1 0) type 2\n [ 3845.737810] \t\ttransid 9 data_len 0 name_len 4\n [ 3845.737811] \titem 3 key (256 DIR_ITEM 2676584006) itemoff 16043 itemsize 34\n [ 3845.737813] \t\tlocation key (258 1 0) type 2\n [ 3845.737814] \t\ttransid 9 data_len 0 name_len 4\n [ 3845.737815] \titem 4 key (256 DIR_INDEX 2) itemoff 16009 itemsize 34\n [ 3845.737816] \t\tlocation key (257 1 0) type 2\n [\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:24.172Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d64f3834dffef80f0a9185a037617a54ed7f4bd2"
},
{
"url": "https://git.kernel.org/stable/c/7359e1d39c78816ecbdb0cb4e93975794ce53973"
},
{
"url": "https://git.kernel.org/stable/c/d478f50727c3ee46d0359f0d2ae114f70191816e"
},
{
"url": "https://git.kernel.org/stable/c/a35788ddf8df65837897ecbb0ddb2896b863159e"
},
{
"url": "https://git.kernel.org/stable/c/266273eaf4d99475f1ae57f687b3e42bc71ec6f0"
}
],
"title": "btrfs: don\u0027t log conflicting inode if it\u0027s a dir moved in the current transaction",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68778",
"datePublished": "2026-01-13T15:28:54.107Z",
"dateReserved": "2025-12-24T10:30:51.035Z",
"dateUpdated": "2026-02-09T08:33:24.172Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71078 (GCVE-0-2025-71078)
Vulnerability from cvelistv5
Published
2026-01-13 15:34
Modified
2026-02-09 08:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
powerpc/64s/slb: Fix SLB multihit issue during SLB preload
On systems using the hash MMU, there is a software SLB preload cache that
mirrors the entries loaded into the hardware SLB buffer. This preload
cache is subject to periodic eviction — typically after every 256 context
switches — to remove old entry.
To optimize performance, the kernel skips switch_mmu_context() in
switch_mm_irqs_off() when the prev and next mm_struct are the same.
However, on hash MMU systems, this can lead to inconsistencies between
the hardware SLB and the software preload cache.
If an SLB entry for a process is evicted from the software cache on one
CPU, and the same process later runs on another CPU without executing
switch_mmu_context(), the hardware SLB may retain stale entries. If the
kernel then attempts to reload that entry, it can trigger an SLB
multi-hit error.
The following timeline shows how stale SLB entries are created and can
cause a multi-hit error when a process moves between CPUs without a
MMU context switch.
CPU 0 CPU 1
----- -----
Process P
exec swapper/1
load_elf_binary
begin_new_exc
activate_mm
switch_mm_irqs_off
switch_mmu_context
switch_slb
/*
* This invalidates all
* the entries in the HW
* and setup the new HW
* SLB entries as per the
* preload cache.
*/
context_switch
sched_migrate_task migrates process P to cpu-1
Process swapper/0 context switch (to process P)
(uses mm_struct of Process P) switch_mm_irqs_off()
switch_slb
load_slb++
/*
* load_slb becomes 0 here
* and we evict an entry from
* the preload cache with
* preload_age(). We still
* keep HW SLB and preload
* cache in sync, that is
* because all HW SLB entries
* anyways gets evicted in
* switch_slb during SLBIA.
* We then only add those
* entries back in HW SLB,
* which are currently
* present in preload_cache
* (after eviction).
*/
load_elf_binary continues...
setup_new_exec()
slb_setup_new_exec()
sched_switch event
sched_migrate_task migrates
process P to cpu-0
context_switch from swapper/0 to Process P
switch_mm_irqs_off()
/*
* Since both prev and next mm struct are same we don't call
* switch_mmu_context(). This will cause the HW SLB and SW preload
* cache to go out of sync in preload_new_slb_context. Because there
* was an SLB entry which was evicted from both HW and preload cache
* on cpu-1. Now later in preload_new_slb_context(), when we will try
* to add the same preload entry again, we will add this to the SW
* preload cache and then will add it to the HW SLB. Since on cpu-0
* this entry was never invalidated, hence adding this entry to the HW
* SLB will cause a SLB multi-hit error.
*/
load_elf_binary cont
---truncated---
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 5434ae74629af58ad0fc27143a9ea435f7734410 Version: 5434ae74629af58ad0fc27143a9ea435f7734410 Version: 5434ae74629af58ad0fc27143a9ea435f7734410 Version: 5434ae74629af58ad0fc27143a9ea435f7734410 Version: 5434ae74629af58ad0fc27143a9ea435f7734410 Version: 5434ae74629af58ad0fc27143a9ea435f7734410 Version: 5434ae74629af58ad0fc27143a9ea435f7734410 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/powerpc/include/asm/book3s/64/mmu-hash.h",
"arch/powerpc/kernel/process.c",
"arch/powerpc/mm/book3s64/internal.h",
"arch/powerpc/mm/book3s64/mmu_context.c",
"arch/powerpc/mm/book3s64/slb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "01324c0328181b94cf390bda22ff91c75126ea57",
"status": "affected",
"version": "5434ae74629af58ad0fc27143a9ea435f7734410",
"versionType": "git"
},
{
"lessThan": "2e9a95d60f1df7b57618fd5ef057aef331575bd2",
"status": "affected",
"version": "5434ae74629af58ad0fc27143a9ea435f7734410",
"versionType": "git"
},
{
"lessThan": "c9f865022a1823d814032a09906e91e4701a35fc",
"status": "affected",
"version": "5434ae74629af58ad0fc27143a9ea435f7734410",
"versionType": "git"
},
{
"lessThan": "b13a3dbfa196af68eae2031f209743735ad416bf",
"status": "affected",
"version": "5434ae74629af58ad0fc27143a9ea435f7734410",
"versionType": "git"
},
{
"lessThan": "895123c309a34d2cfccf7812b41e17261a3a6f37",
"status": "affected",
"version": "5434ae74629af58ad0fc27143a9ea435f7734410",
"versionType": "git"
},
{
"lessThan": "4ae1e46d8a290319f33f71a2710a1382ba5431e8",
"status": "affected",
"version": "5434ae74629af58ad0fc27143a9ea435f7734410",
"versionType": "git"
},
{
"lessThan": "00312419f0863964625d6dcda8183f96849412c6",
"status": "affected",
"version": "5434ae74629af58ad0fc27143a9ea435f7734410",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/powerpc/include/asm/book3s/64/mmu-hash.h",
"arch/powerpc/kernel/process.c",
"arch/powerpc/mm/book3s64/internal.h",
"arch/powerpc/mm/book3s64/mmu_context.c",
"arch/powerpc/mm/book3s64/slb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.20"
},
{
"lessThan": "4.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/64s/slb: Fix SLB multihit issue during SLB preload\n\nOn systems using the hash MMU, there is a software SLB preload cache that\nmirrors the entries loaded into the hardware SLB buffer. This preload\ncache is subject to periodic eviction \u2014 typically after every 256 context\nswitches \u2014 to remove old entry.\n\nTo optimize performance, the kernel skips switch_mmu_context() in\nswitch_mm_irqs_off() when the prev and next mm_struct are the same.\nHowever, on hash MMU systems, this can lead to inconsistencies between\nthe hardware SLB and the software preload cache.\n\nIf an SLB entry for a process is evicted from the software cache on one\nCPU, and the same process later runs on another CPU without executing\nswitch_mmu_context(), the hardware SLB may retain stale entries. If the\nkernel then attempts to reload that entry, it can trigger an SLB\nmulti-hit error.\n\nThe following timeline shows how stale SLB entries are created and can\ncause a multi-hit error when a process moves between CPUs without a\nMMU context switch.\n\nCPU 0 CPU 1\n----- -----\nProcess P\nexec swapper/1\n load_elf_binary\n begin_new_exc\n activate_mm\n switch_mm_irqs_off\n switch_mmu_context\n switch_slb\n /*\n * This invalidates all\n * the entries in the HW\n * and setup the new HW\n * SLB entries as per the\n * preload cache.\n */\ncontext_switch\nsched_migrate_task migrates process P to cpu-1\n\nProcess swapper/0 context switch (to process P)\n(uses mm_struct of Process P) switch_mm_irqs_off()\n switch_slb\n load_slb++\n /*\n * load_slb becomes 0 here\n * and we evict an entry from\n * the preload cache with\n * preload_age(). We still\n * keep HW SLB and preload\n * cache in sync, that is\n * because all HW SLB entries\n * anyways gets evicted in\n * switch_slb during SLBIA.\n * We then only add those\n * entries back in HW SLB,\n * which are currently\n * present in preload_cache\n * (after eviction).\n */\n load_elf_binary continues...\n setup_new_exec()\n slb_setup_new_exec()\n\n sched_switch event\n sched_migrate_task migrates\n process P to cpu-0\n\ncontext_switch from swapper/0 to Process P\n switch_mm_irqs_off()\n /*\n * Since both prev and next mm struct are same we don\u0027t call\n * switch_mmu_context(). This will cause the HW SLB and SW preload\n * cache to go out of sync in preload_new_slb_context. Because there\n * was an SLB entry which was evicted from both HW and preload cache\n * on cpu-1. Now later in preload_new_slb_context(), when we will try\n * to add the same preload entry again, we will add this to the SW\n * preload cache and then will add it to the HW SLB. Since on cpu-0\n * this entry was never invalidated, hence adding this entry to the HW\n * SLB will cause a SLB multi-hit error.\n */\nload_elf_binary cont\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:29.368Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/01324c0328181b94cf390bda22ff91c75126ea57"
},
{
"url": "https://git.kernel.org/stable/c/2e9a95d60f1df7b57618fd5ef057aef331575bd2"
},
{
"url": "https://git.kernel.org/stable/c/c9f865022a1823d814032a09906e91e4701a35fc"
},
{
"url": "https://git.kernel.org/stable/c/b13a3dbfa196af68eae2031f209743735ad416bf"
},
{
"url": "https://git.kernel.org/stable/c/895123c309a34d2cfccf7812b41e17261a3a6f37"
},
{
"url": "https://git.kernel.org/stable/c/4ae1e46d8a290319f33f71a2710a1382ba5431e8"
},
{
"url": "https://git.kernel.org/stable/c/00312419f0863964625d6dcda8183f96849412c6"
}
],
"title": "powerpc/64s/slb: Fix SLB multihit issue during SLB preload",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71078",
"datePublished": "2026-01-13T15:34:43.437Z",
"dateReserved": "2026-01-13T15:30:19.648Z",
"dateUpdated": "2026-02-09T08:34:29.368Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-41014 (GCVE-0-2024-41014)
Vulnerability from cvelistv5
Published
2024-07-29 06:37
Modified
2026-01-05 10:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
xfs: add bounds checking to xlog_recover_process_data
There is a lack of verification of the space occupied by fixed members
of xlog_op_header in the xlog_recover_process_data.
We can create a crafted image to trigger an out of bounds read by
following these steps:
1) Mount an image of xfs, and do some file operations to leave records
2) Before umounting, copy the image for subsequent steps to simulate
abnormal exit. Because umount will ensure that tail_blk and
head_blk are the same, which will result in the inability to enter
xlog_recover_process_data
3) Write a tool to parse and modify the copied image in step 2
4) Make the end of the xlog_op_header entries only 1 byte away from
xlog_rec_header->h_size
5) xlog_rec_header->h_num_logops++
6) Modify xlog_rec_header->h_crc
Fix:
Add a check to make sure there is sufficient space to access fixed members
of xlog_op_header.
References
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:38:27.100Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/fb63435b7c7dc112b1ae1baea5486e0a6e27b196"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41014",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T16:24:49.673152Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:34:05.954Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/xfs/xfs_log_recover.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d1e3efe783365db59da88f08a2e0bfe1cc95b143",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7cd9f0a33e738cd58876f1bc8d6c1aa5bc4fc8c1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fb63435b7c7dc112b1ae1baea5486e0a6e27b196",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/xfs/xfs_log_recover.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.11",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.120",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.64",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: add bounds checking to xlog_recover_process_data\n\nThere is a lack of verification of the space occupied by fixed members\nof xlog_op_header in the xlog_recover_process_data.\n\nWe can create a crafted image to trigger an out of bounds read by\nfollowing these steps:\n 1) Mount an image of xfs, and do some file operations to leave records\n 2) Before umounting, copy the image for subsequent steps to simulate\n abnormal exit. Because umount will ensure that tail_blk and\n head_blk are the same, which will result in the inability to enter\n xlog_recover_process_data\n 3) Write a tool to parse and modify the copied image in step 2\n 4) Make the end of the xlog_op_header entries only 1 byte away from\n xlog_rec_header-\u003eh_size\n 5) xlog_rec_header-\u003eh_num_logops++\n 6) Modify xlog_rec_header-\u003eh_crc\n\nFix:\nAdd a check to make sure there is sufficient space to access fixed members\nof xlog_op_header."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:37:21.214Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d1e3efe783365db59da88f08a2e0bfe1cc95b143"
},
{
"url": "https://git.kernel.org/stable/c/7cd9f0a33e738cd58876f1bc8d6c1aa5bc4fc8c1"
},
{
"url": "https://git.kernel.org/stable/c/fb63435b7c7dc112b1ae1baea5486e0a6e27b196"
}
],
"title": "xfs: add bounds checking to xlog_recover_process_data",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-41014",
"datePublished": "2024-07-29T06:37:00.826Z",
"dateReserved": "2024-07-12T12:17:45.611Z",
"dateUpdated": "2026-01-05T10:37:21.214Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39972 (GCVE-0-2025-39972)
Vulnerability from cvelistv5
Published
2025-10-15 07:55
Modified
2025-10-15 07:55
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
i40e: fix idx validation in i40e_validate_queue_map
Ensure idx is within range of active/initialized TCs when iterating over
vf->ch[idx] in i40e_validate_queue_map().
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: c27eac48160de72dee33d42b5a33cc7b8a2eb1f5 Version: c27eac48160de72dee33d42b5a33cc7b8a2eb1f5 Version: c27eac48160de72dee33d42b5a33cc7b8a2eb1f5 Version: c27eac48160de72dee33d42b5a33cc7b8a2eb1f5 Version: c27eac48160de72dee33d42b5a33cc7b8a2eb1f5 Version: c27eac48160de72dee33d42b5a33cc7b8a2eb1f5 Version: c27eac48160de72dee33d42b5a33cc7b8a2eb1f5 Version: c27eac48160de72dee33d42b5a33cc7b8a2eb1f5 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b6cb93a7ff208f324c7ec581d72995f80e115e0e",
"status": "affected",
"version": "c27eac48160de72dee33d42b5a33cc7b8a2eb1f5",
"versionType": "git"
},
{
"lessThan": "6f15a7b34fae75e745bdc2ec05e06ddfd0dd2f3c",
"status": "affected",
"version": "c27eac48160de72dee33d42b5a33cc7b8a2eb1f5",
"versionType": "git"
},
{
"lessThan": "34dfac0c904829967d500c51f216916ce1452957",
"status": "affected",
"version": "c27eac48160de72dee33d42b5a33cc7b8a2eb1f5",
"versionType": "git"
},
{
"lessThan": "4d5e804a9e19b639b18fd13664dbad3c03c79e61",
"status": "affected",
"version": "c27eac48160de72dee33d42b5a33cc7b8a2eb1f5",
"versionType": "git"
},
{
"lessThan": "50a1e2f50f6c22b93b94eb8d168a1be3c05bf5cd",
"status": "affected",
"version": "c27eac48160de72dee33d42b5a33cc7b8a2eb1f5",
"versionType": "git"
},
{
"lessThan": "cc4191e8ef40d2249c1b9a8617d22ec8a976b574",
"status": "affected",
"version": "c27eac48160de72dee33d42b5a33cc7b8a2eb1f5",
"versionType": "git"
},
{
"lessThan": "d4e3eaaa3cb3af77836d806c89cd6ebf533a7320",
"status": "affected",
"version": "c27eac48160de72dee33d42b5a33cc7b8a2eb1f5",
"versionType": "git"
},
{
"lessThan": "aa68d3c3ac8d1dcec40d52ae27e39f6d32207009",
"status": "affected",
"version": "c27eac48160de72dee33d42b5a33cc7b8a2eb1f5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.155",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.50",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.155",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.109",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: fix idx validation in i40e_validate_queue_map\n\nEnsure idx is within range of active/initialized TCs when iterating over\nvf-\u003ech[idx] in i40e_validate_queue_map()."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T07:55:54.929Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b6cb93a7ff208f324c7ec581d72995f80e115e0e"
},
{
"url": "https://git.kernel.org/stable/c/6f15a7b34fae75e745bdc2ec05e06ddfd0dd2f3c"
},
{
"url": "https://git.kernel.org/stable/c/34dfac0c904829967d500c51f216916ce1452957"
},
{
"url": "https://git.kernel.org/stable/c/4d5e804a9e19b639b18fd13664dbad3c03c79e61"
},
{
"url": "https://git.kernel.org/stable/c/50a1e2f50f6c22b93b94eb8d168a1be3c05bf5cd"
},
{
"url": "https://git.kernel.org/stable/c/cc4191e8ef40d2249c1b9a8617d22ec8a976b574"
},
{
"url": "https://git.kernel.org/stable/c/d4e3eaaa3cb3af77836d806c89cd6ebf533a7320"
},
{
"url": "https://git.kernel.org/stable/c/aa68d3c3ac8d1dcec40d52ae27e39f6d32207009"
}
],
"title": "i40e: fix idx validation in i40e_validate_queue_map",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39972",
"datePublished": "2025-10-15T07:55:54.929Z",
"dateReserved": "2025-04-16T07:20:57.149Z",
"dateUpdated": "2025-10-15T07:55:54.929Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-71141 (GCVE-0-2025-71141)
Vulnerability from cvelistv5
Published
2026-01-14 15:07
Modified
2026-02-09 08:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/tilcdc: Fix removal actions in case of failed probe
The drm_kms_helper_poll_fini() and drm_atomic_helper_shutdown() helpers
should only be called when the device has been successfully registered.
Currently, these functions are called unconditionally in tilcdc_fini(),
which causes warnings during probe deferral scenarios.
[ 7.972317] WARNING: CPU: 0 PID: 23 at drivers/gpu/drm/drm_atomic_state_helper.c:175 drm_atomic_helper_crtc_duplicate_state+0x60/0x68
...
[ 8.005820] drm_atomic_helper_crtc_duplicate_state from drm_atomic_get_crtc_state+0x68/0x108
[ 8.005858] drm_atomic_get_crtc_state from drm_atomic_helper_disable_all+0x90/0x1c8
[ 8.005885] drm_atomic_helper_disable_all from drm_atomic_helper_shutdown+0x90/0x144
[ 8.005911] drm_atomic_helper_shutdown from tilcdc_fini+0x68/0xf8 [tilcdc]
[ 8.005957] tilcdc_fini [tilcdc] from tilcdc_pdev_probe+0xb0/0x6d4 [tilcdc]
Fix this by rewriting the failed probe cleanup path using the standard
goto error handling pattern, which ensures that cleanup functions are
only called on successfully initialized resources. Additionally, remove
the now-unnecessary is_registered flag.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/tilcdc/tilcdc_crtc.c",
"drivers/gpu/drm/tilcdc/tilcdc_drv.c",
"drivers/gpu/drm/tilcdc/tilcdc_drv.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "21e52dc7762908c3d499cfb493d1b8281fc1d3ab",
"status": "affected",
"version": "69f03be1fa08a66735d53d92d3429c052540e3bf",
"versionType": "git"
},
{
"lessThan": "71be8825e83c90c1e020feb77b29e6a99629e642",
"status": "affected",
"version": "3c4babae3c4a1ae05f8f3f5f3d50c440ead7ca6a",
"versionType": "git"
},
{
"lessThan": "a585c7ef9cabda58088916baedc6573e9a5cd2a7",
"status": "affected",
"version": "3c4babae3c4a1ae05f8f3f5f3d50c440ead7ca6a",
"versionType": "git"
},
{
"status": "affected",
"version": "84021fa4cf190e257ae8b66d284cdb92e3fabe33",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/tilcdc/tilcdc_crtc.c",
"drivers/gpu/drm/tilcdc/tilcdc_drv.c",
"drivers/gpu/drm/tilcdc/tilcdc_drv.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/tilcdc: Fix removal actions in case of failed probe\n\nThe drm_kms_helper_poll_fini() and drm_atomic_helper_shutdown() helpers\nshould only be called when the device has been successfully registered.\nCurrently, these functions are called unconditionally in tilcdc_fini(),\nwhich causes warnings during probe deferral scenarios.\n\n[ 7.972317] WARNING: CPU: 0 PID: 23 at drivers/gpu/drm/drm_atomic_state_helper.c:175 drm_atomic_helper_crtc_duplicate_state+0x60/0x68\n...\n[ 8.005820] drm_atomic_helper_crtc_duplicate_state from drm_atomic_get_crtc_state+0x68/0x108\n[ 8.005858] drm_atomic_get_crtc_state from drm_atomic_helper_disable_all+0x90/0x1c8\n[ 8.005885] drm_atomic_helper_disable_all from drm_atomic_helper_shutdown+0x90/0x144\n[ 8.005911] drm_atomic_helper_shutdown from tilcdc_fini+0x68/0xf8 [tilcdc]\n[ 8.005957] tilcdc_fini [tilcdc] from tilcdc_pdev_probe+0xb0/0x6d4 [tilcdc]\n\nFix this by rewriting the failed probe cleanup path using the standard\ngoto error handling pattern, which ensures that cleanup functions are\nonly called on successfully initialized resources. Additionally, remove\nthe now-unnecessary is_registered flag."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:38.643Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/21e52dc7762908c3d499cfb493d1b8281fc1d3ab"
},
{
"url": "https://git.kernel.org/stable/c/71be8825e83c90c1e020feb77b29e6a99629e642"
},
{
"url": "https://git.kernel.org/stable/c/a585c7ef9cabda58088916baedc6573e9a5cd2a7"
}
],
"title": "drm/tilcdc: Fix removal actions in case of failed probe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71141",
"datePublished": "2026-01-14T15:07:54.456Z",
"dateReserved": "2026-01-13T15:30:19.661Z",
"dateUpdated": "2026-02-09T08:35:38.643Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39995 (GCVE-0-2025-39995)
Vulnerability from cvelistv5
Published
2025-10-15 07:58
Modified
2025-12-01 06:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: i2c: tc358743: Fix use-after-free bugs caused by orphan timer in probe
The state->timer is a cyclic timer that schedules work_i2c_poll and
delayed_work_enable_hotplug, while rearming itself. Using timer_delete()
fails to guarantee the timer isn't still running when destroyed, similarly
cancel_delayed_work() cannot ensure delayed_work_enable_hotplug has
terminated if already executing. During probe failure after timer
initialization, these may continue running as orphans and reference the
already-freed tc358743_state object through tc358743_irq_poll_timer.
The following is the trace captured by KASAN.
BUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x7d7/0x8c0
Write of size 8 at addr ffff88800ded83c8 by task swapper/1/0
...
Call Trace:
<IRQ>
dump_stack_lvl+0x55/0x70
print_report+0xcf/0x610
? __pfx_sched_balance_find_src_group+0x10/0x10
? __run_timer_base.part.0+0x7d7/0x8c0
kasan_report+0xb8/0xf0
? __run_timer_base.part.0+0x7d7/0x8c0
__run_timer_base.part.0+0x7d7/0x8c0
? rcu_sched_clock_irq+0xb06/0x27d0
? __pfx___run_timer_base.part.0+0x10/0x10
? try_to_wake_up+0xb15/0x1960
? tmigr_update_events+0x280/0x740
? _raw_spin_lock_irq+0x80/0xe0
? __pfx__raw_spin_lock_irq+0x10/0x10
tmigr_handle_remote_up+0x603/0x7e0
? __pfx_tmigr_handle_remote_up+0x10/0x10
? sched_balance_trigger+0x98/0x9f0
? sched_tick+0x221/0x5a0
? _raw_spin_lock_irq+0x80/0xe0
? __pfx__raw_spin_lock_irq+0x10/0x10
? tick_nohz_handler+0x339/0x440
? __pfx_tmigr_handle_remote_up+0x10/0x10
__walk_groups.isra.0+0x42/0x150
tmigr_handle_remote+0x1f4/0x2e0
? __pfx_tmigr_handle_remote+0x10/0x10
? ktime_get+0x60/0x140
? lapic_next_event+0x11/0x20
? clockevents_program_event+0x1d4/0x2a0
? hrtimer_interrupt+0x322/0x780
handle_softirqs+0x16a/0x550
irq_exit_rcu+0xaf/0xe0
sysvec_apic_timer_interrupt+0x70/0x80
</IRQ>
...
Allocated by task 141:
kasan_save_stack+0x24/0x50
kasan_save_track+0x14/0x30
__kasan_kmalloc+0x7f/0x90
__kmalloc_node_track_caller_noprof+0x198/0x430
devm_kmalloc+0x7b/0x1e0
tc358743_probe+0xb7/0x610 i2c_device_probe+0x51d/0x880
really_probe+0x1ca/0x5c0
__driver_probe_device+0x248/0x310
driver_probe_device+0x44/0x120
__device_attach_driver+0x174/0x220
bus_for_each_drv+0x100/0x190
__device_attach+0x206/0x370
bus_probe_device+0x123/0x170
device_add+0xd25/0x1470
i2c_new_client_device+0x7a0/0xcd0
do_one_initcall+0x89/0x300
do_init_module+0x29d/0x7f0
load_module+0x4f48/0x69e0
init_module_from_file+0xe4/0x150
idempotent_init_module+0x320/0x670
__x64_sys_finit_module+0xbd/0x120
do_syscall_64+0xac/0x280
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 141:
kasan_save_stack+0x24/0x50
kasan_save_track+0x14/0x30
kasan_save_free_info+0x3a/0x60
__kasan_slab_free+0x3f/0x50
kfree+0x137/0x370
release_nodes+0xa4/0x100
devres_release_group+0x1b2/0x380
i2c_device_probe+0x694/0x880
really_probe+0x1ca/0x5c0
__driver_probe_device+0x248/0x310
driver_probe_device+0x44/0x120
__device_attach_driver+0x174/0x220
bus_for_each_drv+0x100/0x190
__device_attach+0x206/0x370
bus_probe_device+0x123/0x170
device_add+0xd25/0x1470
i2c_new_client_device+0x7a0/0xcd0
do_one_initcall+0x89/0x300
do_init_module+0x29d/0x7f0
load_module+0x4f48/0x69e0
init_module_from_file+0xe4/0x150
idempotent_init_module+0x320/0x670
__x64_sys_finit_module+0xbd/0x120
do_syscall_64+0xac/0x280
entry_SYSCALL_64_after_hwframe+0x77/0x7f
...
Replace timer_delete() with timer_delete_sync() and cancel_delayed_work()
with cancel_delayed_work_sync() to ensure proper termination of timer and
work items before resource cleanup.
This bug was initially identified through static analysis. For reproduction
and testing, I created a functional emulation of the tc358743 device via a
kernel module and introduced faults through the debugfs interface.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: d32d98642de66048f9534a05f3641558e811bbc9 Version: d32d98642de66048f9534a05f3641558e811bbc9 Version: d32d98642de66048f9534a05f3641558e811bbc9 Version: d32d98642de66048f9534a05f3641558e811bbc9 Version: d32d98642de66048f9534a05f3641558e811bbc9 Version: d32d98642de66048f9534a05f3641558e811bbc9 Version: d32d98642de66048f9534a05f3641558e811bbc9 Version: d32d98642de66048f9534a05f3641558e811bbc9 Version: d32d98642de66048f9534a05f3641558e811bbc9 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/i2c/tc358743.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9205fb6e617a1c596d9a9ad2a160ee696e09d520",
"status": "affected",
"version": "d32d98642de66048f9534a05f3641558e811bbc9",
"versionType": "git"
},
{
"lessThan": "70913586c717dd25cfbade7a418e92cc9c99398a",
"status": "affected",
"version": "d32d98642de66048f9534a05f3641558e811bbc9",
"versionType": "git"
},
{
"lessThan": "663faf1179db9663a3793c75e9bc869358bad910",
"status": "affected",
"version": "d32d98642de66048f9534a05f3641558e811bbc9",
"versionType": "git"
},
{
"lessThan": "3d17701c156579969470e58b3a906511f8bc018d",
"status": "affected",
"version": "d32d98642de66048f9534a05f3641558e811bbc9",
"versionType": "git"
},
{
"lessThan": "228d06c4cbfc750f1216a3fd91b4693b0766d2f6",
"status": "affected",
"version": "d32d98642de66048f9534a05f3641558e811bbc9",
"versionType": "git"
},
{
"lessThan": "f92181c0e13cad9671d07b15be695a97fc2534a3",
"status": "affected",
"version": "d32d98642de66048f9534a05f3641558e811bbc9",
"versionType": "git"
},
{
"lessThan": "f3f3f00bcabbd2ce0a77a2ac7a6797b8646bfd8b",
"status": "affected",
"version": "d32d98642de66048f9534a05f3641558e811bbc9",
"versionType": "git"
},
{
"lessThan": "2610617effb4454d2f1c434c011ccb5cc7140711",
"status": "affected",
"version": "d32d98642de66048f9534a05f3641558e811bbc9",
"versionType": "git"
},
{
"lessThan": "79d10f4f21a92e459b2276a77be62c59c1502c9d",
"status": "affected",
"version": "d32d98642de66048f9534a05f3641558e811bbc9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/i2c/tc358743.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.3"
},
{
"lessThan": "4.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.52",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.111",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.52",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.11",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.1",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: i2c: tc358743: Fix use-after-free bugs caused by orphan timer in probe\n\nThe state-\u003etimer is a cyclic timer that schedules work_i2c_poll and\ndelayed_work_enable_hotplug, while rearming itself. Using timer_delete()\nfails to guarantee the timer isn\u0027t still running when destroyed, similarly\ncancel_delayed_work() cannot ensure delayed_work_enable_hotplug has\nterminated if already executing. During probe failure after timer\ninitialization, these may continue running as orphans and reference the\nalready-freed tc358743_state object through tc358743_irq_poll_timer.\n\nThe following is the trace captured by KASAN.\n\nBUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x7d7/0x8c0\nWrite of size 8 at addr ffff88800ded83c8 by task swapper/1/0\n...\nCall Trace:\n \u003cIRQ\u003e\n dump_stack_lvl+0x55/0x70\n print_report+0xcf/0x610\n ? __pfx_sched_balance_find_src_group+0x10/0x10\n ? __run_timer_base.part.0+0x7d7/0x8c0\n kasan_report+0xb8/0xf0\n ? __run_timer_base.part.0+0x7d7/0x8c0\n __run_timer_base.part.0+0x7d7/0x8c0\n ? rcu_sched_clock_irq+0xb06/0x27d0\n ? __pfx___run_timer_base.part.0+0x10/0x10\n ? try_to_wake_up+0xb15/0x1960\n ? tmigr_update_events+0x280/0x740\n ? _raw_spin_lock_irq+0x80/0xe0\n ? __pfx__raw_spin_lock_irq+0x10/0x10\n tmigr_handle_remote_up+0x603/0x7e0\n ? __pfx_tmigr_handle_remote_up+0x10/0x10\n ? sched_balance_trigger+0x98/0x9f0\n ? sched_tick+0x221/0x5a0\n ? _raw_spin_lock_irq+0x80/0xe0\n ? __pfx__raw_spin_lock_irq+0x10/0x10\n ? tick_nohz_handler+0x339/0x440\n ? __pfx_tmigr_handle_remote_up+0x10/0x10\n __walk_groups.isra.0+0x42/0x150\n tmigr_handle_remote+0x1f4/0x2e0\n ? __pfx_tmigr_handle_remote+0x10/0x10\n ? ktime_get+0x60/0x140\n ? lapic_next_event+0x11/0x20\n ? clockevents_program_event+0x1d4/0x2a0\n ? hrtimer_interrupt+0x322/0x780\n handle_softirqs+0x16a/0x550\n irq_exit_rcu+0xaf/0xe0\n sysvec_apic_timer_interrupt+0x70/0x80\n \u003c/IRQ\u003e\n...\n\nAllocated by task 141:\n kasan_save_stack+0x24/0x50\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0x7f/0x90\n __kmalloc_node_track_caller_noprof+0x198/0x430\n devm_kmalloc+0x7b/0x1e0\n tc358743_probe+0xb7/0x610 i2c_device_probe+0x51d/0x880\n really_probe+0x1ca/0x5c0\n __driver_probe_device+0x248/0x310\n driver_probe_device+0x44/0x120\n __device_attach_driver+0x174/0x220\n bus_for_each_drv+0x100/0x190\n __device_attach+0x206/0x370\n bus_probe_device+0x123/0x170\n device_add+0xd25/0x1470\n i2c_new_client_device+0x7a0/0xcd0\n do_one_initcall+0x89/0x300\n do_init_module+0x29d/0x7f0\n load_module+0x4f48/0x69e0\n init_module_from_file+0xe4/0x150\n idempotent_init_module+0x320/0x670\n __x64_sys_finit_module+0xbd/0x120\n do_syscall_64+0xac/0x280\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFreed by task 141:\n kasan_save_stack+0x24/0x50\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3a/0x60\n __kasan_slab_free+0x3f/0x50\n kfree+0x137/0x370\n release_nodes+0xa4/0x100\n devres_release_group+0x1b2/0x380\n i2c_device_probe+0x694/0x880\n really_probe+0x1ca/0x5c0\n __driver_probe_device+0x248/0x310\n driver_probe_device+0x44/0x120\n __device_attach_driver+0x174/0x220\n bus_for_each_drv+0x100/0x190\n __device_attach+0x206/0x370\n bus_probe_device+0x123/0x170\n device_add+0xd25/0x1470\n i2c_new_client_device+0x7a0/0xcd0\n do_one_initcall+0x89/0x300\n do_init_module+0x29d/0x7f0\n load_module+0x4f48/0x69e0\n init_module_from_file+0xe4/0x150\n idempotent_init_module+0x320/0x670\n __x64_sys_finit_module+0xbd/0x120\n do_syscall_64+0xac/0x280\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n...\n\nReplace timer_delete() with timer_delete_sync() and cancel_delayed_work()\nwith cancel_delayed_work_sync() to ensure proper termination of timer and\nwork items before resource cleanup.\n\nThis bug was initially identified through static analysis. For reproduction\nand testing, I created a functional emulation of the tc358743 device via a\nkernel module and introduced faults through the debugfs interface."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:16:06.340Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9205fb6e617a1c596d9a9ad2a160ee696e09d520"
},
{
"url": "https://git.kernel.org/stable/c/70913586c717dd25cfbade7a418e92cc9c99398a"
},
{
"url": "https://git.kernel.org/stable/c/663faf1179db9663a3793c75e9bc869358bad910"
},
{
"url": "https://git.kernel.org/stable/c/3d17701c156579969470e58b3a906511f8bc018d"
},
{
"url": "https://git.kernel.org/stable/c/228d06c4cbfc750f1216a3fd91b4693b0766d2f6"
},
{
"url": "https://git.kernel.org/stable/c/f92181c0e13cad9671d07b15be695a97fc2534a3"
},
{
"url": "https://git.kernel.org/stable/c/f3f3f00bcabbd2ce0a77a2ac7a6797b8646bfd8b"
},
{
"url": "https://git.kernel.org/stable/c/2610617effb4454d2f1c434c011ccb5cc7140711"
},
{
"url": "https://git.kernel.org/stable/c/79d10f4f21a92e459b2276a77be62c59c1502c9d"
}
],
"title": "media: i2c: tc358743: Fix use-after-free bugs caused by orphan timer in probe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39995",
"datePublished": "2025-10-15T07:58:20.365Z",
"dateReserved": "2025-04-16T07:20:57.151Z",
"dateUpdated": "2025-12-01T06:16:06.340Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40006 (GCVE-0-2025-40006)
Vulnerability from cvelistv5
Published
2025-10-20 15:26
Modified
2025-10-20 15:26
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/hugetlb: fix folio is still mapped when deleted
Migration may be raced with fallocating hole. remove_inode_single_folio
will unmap the folio if the folio is still mapped. However, it's called
without folio lock. If the folio is migrated and the mapped pte has been
converted to migration entry, folio_mapped() returns false, and won't
unmap it. Due to extra refcount held by remove_inode_single_folio,
migration fails, restores migration entry to normal pte, and the folio is
mapped again. As a result, we triggered BUG in filemap_unaccount_folio.
The log is as follows:
BUG: Bad page cache in process hugetlb pfn:156c00
page: refcount:515 mapcount:0 mapping:0000000099fef6e1 index:0x0 pfn:0x156c00
head: order:9 mapcount:1 entire_mapcount:1 nr_pages_mapped:0 pincount:0
aops:hugetlbfs_aops ino:dcc dentry name(?):"my_hugepage_file"
flags: 0x17ffffc00000c1(locked|waiters|head|node=0|zone=2|lastcpupid=0x1fffff)
page_type: f4(hugetlb)
page dumped because: still mapped when deleted
CPU: 1 UID: 0 PID: 395 Comm: hugetlb Not tainted 6.17.0-rc5-00044-g7aac71907bde-dirty #484 NONE
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015
Call Trace:
<TASK>
dump_stack_lvl+0x4f/0x70
filemap_unaccount_folio+0xc4/0x1c0
__filemap_remove_folio+0x38/0x1c0
filemap_remove_folio+0x41/0xd0
remove_inode_hugepages+0x142/0x250
hugetlbfs_fallocate+0x471/0x5a0
vfs_fallocate+0x149/0x380
Hold folio lock before checking if the folio is mapped to avold race with
migration.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 4aae8d1c051ea00b456da6811bc36d1f69de5445 Version: 4aae8d1c051ea00b456da6811bc36d1f69de5445 Version: 4aae8d1c051ea00b456da6811bc36d1f69de5445 Version: 4aae8d1c051ea00b456da6811bc36d1f69de5445 Version: 4aae8d1c051ea00b456da6811bc36d1f69de5445 Version: 4aae8d1c051ea00b456da6811bc36d1f69de5445 Version: 4aae8d1c051ea00b456da6811bc36d1f69de5445 Version: 4aae8d1c051ea00b456da6811bc36d1f69de5445 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/hugetlbfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bc1c9ce8aeff45318332035dbef9713fb9e982d7",
"status": "affected",
"version": "4aae8d1c051ea00b456da6811bc36d1f69de5445",
"versionType": "git"
},
{
"lessThan": "91f548e920fbf8be3f285bfa3fa045ae017e836d",
"status": "affected",
"version": "4aae8d1c051ea00b456da6811bc36d1f69de5445",
"versionType": "git"
},
{
"lessThan": "3e851448078f5b01f6264915df3cfef75e323a12",
"status": "affected",
"version": "4aae8d1c051ea00b456da6811bc36d1f69de5445",
"versionType": "git"
},
{
"lessThan": "c1dc0524ab2cc3982d4e0d2bfac71a0cd4d65c39",
"status": "affected",
"version": "4aae8d1c051ea00b456da6811bc36d1f69de5445",
"versionType": "git"
},
{
"lessThan": "c9c2a51f91aea70e89b496cac360cd795a2b3c26",
"status": "affected",
"version": "4aae8d1c051ea00b456da6811bc36d1f69de5445",
"versionType": "git"
},
{
"lessThan": "910d7749346c4b0acdc6e4adfdc4a9984281a206",
"status": "affected",
"version": "4aae8d1c051ea00b456da6811bc36d1f69de5445",
"versionType": "git"
},
{
"lessThan": "21ee79ce938127f88fe07e409c1817f477dbe7ea",
"status": "affected",
"version": "4aae8d1c051ea00b456da6811bc36d1f69de5445",
"versionType": "git"
},
{
"lessThan": "7b7387650dcf2881fd8bb55bcf3c8bd6c9542dd7",
"status": "affected",
"version": "4aae8d1c051ea00b456da6811bc36d1f69de5445",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/hugetlbfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.5"
},
{
"lessThan": "4.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.155",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.50",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.155",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.109",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hugetlb: fix folio is still mapped when deleted\n\nMigration may be raced with fallocating hole. remove_inode_single_folio\nwill unmap the folio if the folio is still mapped. However, it\u0027s called\nwithout folio lock. If the folio is migrated and the mapped pte has been\nconverted to migration entry, folio_mapped() returns false, and won\u0027t\nunmap it. Due to extra refcount held by remove_inode_single_folio,\nmigration fails, restores migration entry to normal pte, and the folio is\nmapped again. As a result, we triggered BUG in filemap_unaccount_folio.\n\nThe log is as follows:\n BUG: Bad page cache in process hugetlb pfn:156c00\n page: refcount:515 mapcount:0 mapping:0000000099fef6e1 index:0x0 pfn:0x156c00\n head: order:9 mapcount:1 entire_mapcount:1 nr_pages_mapped:0 pincount:0\n aops:hugetlbfs_aops ino:dcc dentry name(?):\"my_hugepage_file\"\n flags: 0x17ffffc00000c1(locked|waiters|head|node=0|zone=2|lastcpupid=0x1fffff)\n page_type: f4(hugetlb)\n page dumped because: still mapped when deleted\n CPU: 1 UID: 0 PID: 395 Comm: hugetlb Not tainted 6.17.0-rc5-00044-g7aac71907bde-dirty #484 NONE\n Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x4f/0x70\n filemap_unaccount_folio+0xc4/0x1c0\n __filemap_remove_folio+0x38/0x1c0\n filemap_remove_folio+0x41/0xd0\n remove_inode_hugepages+0x142/0x250\n hugetlbfs_fallocate+0x471/0x5a0\n vfs_fallocate+0x149/0x380\n\nHold folio lock before checking if the folio is mapped to avold race with\nmigration."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-20T15:26:53.097Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bc1c9ce8aeff45318332035dbef9713fb9e982d7"
},
{
"url": "https://git.kernel.org/stable/c/91f548e920fbf8be3f285bfa3fa045ae017e836d"
},
{
"url": "https://git.kernel.org/stable/c/3e851448078f5b01f6264915df3cfef75e323a12"
},
{
"url": "https://git.kernel.org/stable/c/c1dc0524ab2cc3982d4e0d2bfac71a0cd4d65c39"
},
{
"url": "https://git.kernel.org/stable/c/c9c2a51f91aea70e89b496cac360cd795a2b3c26"
},
{
"url": "https://git.kernel.org/stable/c/910d7749346c4b0acdc6e4adfdc4a9984281a206"
},
{
"url": "https://git.kernel.org/stable/c/21ee79ce938127f88fe07e409c1817f477dbe7ea"
},
{
"url": "https://git.kernel.org/stable/c/7b7387650dcf2881fd8bb55bcf3c8bd6c9542dd7"
}
],
"title": "mm/hugetlb: fix folio is still mapped when deleted",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40006",
"datePublished": "2025-10-20T15:26:53.097Z",
"dateReserved": "2025-04-16T07:20:57.151Z",
"dateUpdated": "2025-10-20T15:26:53.097Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-36347 (GCVE-0-2024-36347)
Vulnerability from cvelistv5
Published
2025-06-27 22:14
Modified
2026-02-26 17:50
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-347 - Improper Verification of Cryptographic Signature
Summary
Improper signature verification in AMD CPU ROM microcode patch loader may allow an attacker with local administrator privilege to load malicious microcode, potentially resulting in loss of integrity of x86 instruction execution, loss of confidentiality and integrity of data in x86 CPU privileged context and compromise of SMM execution environment.
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| AMD | AMD EPYC™ 7001 Series | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-36347",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-01T03:55:55.838463Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T17:50:21.428Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "AMD EPYC\u2122 7001 Series",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "NaplesPI 1.0.0.P"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD EPYC\u2122 7002 Series",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "RomePI 1.0.0.L"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD EPYC\u2122 7003 Series",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "MilanPI 1.0.0.F"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD EPYC\u2122 9004 Series",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "Genoa 1.0.0.E"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD EPYC\u2122 4004 Series",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "ComboAM5PI1.0.0.a"
},
{
"status": "unaffected",
"version": "ComboAM5PI1.1.0.3c"
},
{
"status": "unaffected",
"version": "ComboAM5PI1.2.0.3"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD EPYC\u2122 9005 Series",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "TurinPI 1.0.0.4"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Instinct\u2122 MI300A",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "MI300PI_SR5 1.0.0.8"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 5000 Series Desktop Processors",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "ComboAM4v2PI 1.2.0.E"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 5000 Series Desktop Processor with Radeon\u2122 Graphics",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "ComboAM4v2PI 1.2.0.E"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 3000 Series Desktop Processors",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "ComboAM4PI 1.0.0.D"
},
{
"status": "unaffected",
"version": "ComboAM4v2PI 1.2.0.E"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Athlon\u2122 3000 Series Desktop Processors with Radeon\u2122 Graphics",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "ComboAM4PI 1.0.0.D"
},
{
"status": "unaffected",
"version": "ComboAM4v2PI 1.2.0.E"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 7000 Series Desktop Processors",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "ComboAM5PI 1.0.0.a"
},
{
"status": "unaffected",
"version": "ComboAM5PI 1.1.0.3c"
},
{
"status": "unaffected",
"version": "ComboAM5PI 1.2.0.3"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 4000 Series Desktop Processor with Radeon\u2122 Graphics",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "ComboAM4v2PI 1.2.0.E"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 8000 Series Processor with Radeon\u2122 Graphics",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "ComboAM5PI 1.1.0.3c"
},
{
"status": "unaffected",
"version": "ComboAM5PI 1.2.0.3"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 9000 Series Desktop Processors",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "ComboAM5PI 1.2.0.3c"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 Threadripper\u2122 3000 Series Processors",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "CastlePeakPI-SP3r3 1.0.0.E"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 Threadripper\u2122 PRO 7000 WX-Series Processors",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "StormPeakPI-SP6 1.0.0.1k"
},
{
"status": "unaffected",
"version": "StormPeakPI-SP6 1.1.0.0i"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 Threadripper\u2122 PRO 3000WX Series Processors",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "ChagallWSPI-sWRX8 1.0.0.B"
},
{
"status": "unaffected",
"version": "CastlePeakWSPI-sWRX8 1.0.0.g"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 Threadripper\u2122 PRO 5000WX- Series Desktop Processors",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "ChagallWSPI-sWRX8 1.0.0.B"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Athlon\u2122 3000 Series Mobile Processors with Radeon\u2122 Graphics",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "PicassoPI-FP5 1.0.1.2b"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 3000 Series Mobile Processor with Radeon\u2122 Graphics",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "PicassoPI-FP5 1.0.1.2b"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 4000 Series Mobile Processors with Radeon\u2122 Graphics",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "RenoirPI-FP6 1.0.0.Eb"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 5000 Series Processors with Radeon\u2122 Graphics",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "CezannePI-FP6 1.0.1.1b"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 7020 Series Processors with Radeon\u2122 Graphics",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "MendocinoPI-FT6 1.0.0.7b"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 6000 Series Processor with Radeon\u2122 Graphics",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "RembrandtPI-FP7 1.0.0.Bb"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 7035 Series Processor with Radeon\u2122 Graphics",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "RembrandtPI-FP7 1.0.0.Bb"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 7000 Series Processors with Radeon\u2122 Graphics",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "CezannePI-FP6 1.0.1.1b"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 7040 Series Processors with Radeon\u2122 Graphics",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "PhoenixPI-FP8-FP7 1.2.0.0"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 8040 Series Mobile Processors with Radeon\u2122 Graphics",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "PhoenixPI-FP8-FP7 1.2.0.0"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 7045 Series Mobile Processors",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "DragonRangeFL1 1.0.0.3g"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 AI 300 Series",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "StrixKrakenPI-FP8_1.1.0.0b"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 AI Max +",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "StrixHaloPI-FP11_1.0.0.1"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 9000HX Series Mobile Processors",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "FireRangeFL1PI 1.0.0.0a"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD EPYC\u2122 Embedded 3000",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "SnowyOwl PI 1.1.0.E"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD EPYC\u2122 Embedded 7002",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "EmbRomePI-SP3 1.0.0.D"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD EPYC\u2122 Embedded 7003",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "EmbMilan PI-SP3 1.0.0.A"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD EPYC\u2122 Embedded 8004",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "EmbGenoaPI-SP5 1.0.0.9"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD EPYC\u2122 Embedded 9004",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "EmbGenoaPI-SP5 1.0.0.9"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD EPYC\u2122 Embedded 97X4",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "EmbGenoaPI-SP5 1.0.0.9"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 Embedded R1000",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "EmbeddedPI-FP5 1.2.0.F"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 Embedded R2000",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "EmbeddedR2KPI 1.0.0.5"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 Embedded 5000",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "EmbAM4PI 1.0.0.7"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 Embedded 7000",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "EmbeddedAM5PI 1.0.0.3"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 Embedded V1000",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "EmbeddedPI-FP5 1.2.0.F"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122Embedded V2000",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "EmbeddedPI-FP6 1.0.0.B"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122Embedded V3000",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "EmbeddedPI-FP7R2 1.0.0.C"
}
]
}
],
"datePublic": "2025-06-27T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper signature verification in AMD CPU ROM microcode patch loader may allow an attacker with local administrator privilege to load malicious microcode, potentially resulting in loss of integrity of x86 instruction execution, loss of confidentiality and integrity of data in x86 CPU privileged context and compromise of SMM execution environment.\u003cbr\u003e"
}
],
"value": "Improper signature verification in AMD CPU ROM microcode patch loader may allow an attacker with local administrator privilege to load malicious microcode, potentially resulting in loss of integrity of x86 instruction execution, loss of confidentiality and integrity of data in x86 CPU privileged context and compromise of SMM execution environment."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-347",
"description": "CWE-347 Improper Verification of Cryptographic Signature",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-27T22:14:01.944Z",
"orgId": "b58fc414-a1e4-4f92-9d70-1add41838648",
"shortName": "AMD"
},
"references": [
{
"url": "https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7033.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "b58fc414-a1e4-4f92-9d70-1add41838648",
"assignerShortName": "AMD",
"cveId": "CVE-2024-36347",
"datePublished": "2025-06-27T22:14:01.944Z",
"dateReserved": "2024-05-23T19:44:47.201Z",
"dateUpdated": "2026-02-26T17:50:21.428Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40324 (GCVE-0-2025-40324)
Vulnerability from cvelistv5
Published
2025-12-08 00:46
Modified
2025-12-08 00:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
NFSD: Fix crash in nfsd4_read_release()
When tracing is enabled, the trace_nfsd_read_done trace point
crashes during the pynfs read.testNoFh test.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 65a33135e91e6dd661ecdf1194b9d90c49ae3570 Version: b11d8162c24af4a351d21e2c804d25ca493305e3 Version: b623a8e5d38a69a3ef8644acb1030dd7c7bc28b3 Version: 15a8b55dbb1ba154d82627547c5761cac884d810 Version: 15a8b55dbb1ba154d82627547c5761cac884d810 Version: 15a8b55dbb1ba154d82627547c5761cac884d810 Version: 15a8b55dbb1ba154d82627547c5761cac884d810 Version: 3d0dcada384af22dec764c8374a2997870ec86ae |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfs4proc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "930cb4fe3ab4061be31f20ee30bb72a66f7bb6d1",
"status": "affected",
"version": "65a33135e91e6dd661ecdf1194b9d90c49ae3570",
"versionType": "git"
},
{
"lessThan": "375fdd8993cecc48afa359728a6e70b280dde1c8",
"status": "affected",
"version": "b11d8162c24af4a351d21e2c804d25ca493305e3",
"versionType": "git"
},
{
"lessThan": "2ac46606b2cc49e78d8e3d8f2685e79e9ba73020",
"status": "affected",
"version": "b623a8e5d38a69a3ef8644acb1030dd7c7bc28b3",
"versionType": "git"
},
{
"lessThan": "03524ccff698d4a77d096ed529073d91f5edee5d",
"status": "affected",
"version": "15a8b55dbb1ba154d82627547c5761cac884d810",
"versionType": "git"
},
{
"lessThan": "a4948875ed0599c037dc438c11891c9012721b1d",
"status": "affected",
"version": "15a8b55dbb1ba154d82627547c5761cac884d810",
"versionType": "git"
},
{
"lessThan": "8f244b773c63fa480c9a3bd1ae04f5272f285e89",
"status": "affected",
"version": "15a8b55dbb1ba154d82627547c5761cac884d810",
"versionType": "git"
},
{
"lessThan": "abb1f08a2121dd270193746e43b2a9373db9ad84",
"status": "affected",
"version": "15a8b55dbb1ba154d82627547c5761cac884d810",
"versionType": "git"
},
{
"status": "affected",
"version": "3d0dcada384af22dec764c8374a2997870ec86ae",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfs4proc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.10.220",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.15.154",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "6.1.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.2.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Fix crash in nfsd4_read_release()\n\nWhen tracing is enabled, the trace_nfsd_read_done trace point\ncrashes during the pynfs read.testNoFh test."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T00:46:51.912Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/930cb4fe3ab4061be31f20ee30bb72a66f7bb6d1"
},
{
"url": "https://git.kernel.org/stable/c/375fdd8993cecc48afa359728a6e70b280dde1c8"
},
{
"url": "https://git.kernel.org/stable/c/2ac46606b2cc49e78d8e3d8f2685e79e9ba73020"
},
{
"url": "https://git.kernel.org/stable/c/03524ccff698d4a77d096ed529073d91f5edee5d"
},
{
"url": "https://git.kernel.org/stable/c/a4948875ed0599c037dc438c11891c9012721b1d"
},
{
"url": "https://git.kernel.org/stable/c/8f244b773c63fa480c9a3bd1ae04f5272f285e89"
},
{
"url": "https://git.kernel.org/stable/c/abb1f08a2121dd270193746e43b2a9373db9ad84"
}
],
"title": "NFSD: Fix crash in nfsd4_read_release()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40324",
"datePublished": "2025-12-08T00:46:51.912Z",
"dateReserved": "2025-04-16T07:20:57.186Z",
"dateUpdated": "2025-12-08T00:46:51.912Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39970 (GCVE-0-2025-39970)
Vulnerability from cvelistv5
Published
2025-10-15 07:55
Modified
2025-10-15 07:55
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
i40e: fix input validation logic for action_meta
Fix condition to check 'greater or equal' to prevent OOB dereference.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: e284fc280473bed23f2e1ed324e102a48f7d17e1 Version: e284fc280473bed23f2e1ed324e102a48f7d17e1 Version: e284fc280473bed23f2e1ed324e102a48f7d17e1 Version: e284fc280473bed23f2e1ed324e102a48f7d17e1 Version: e284fc280473bed23f2e1ed324e102a48f7d17e1 Version: e284fc280473bed23f2e1ed324e102a48f7d17e1 Version: e284fc280473bed23f2e1ed324e102a48f7d17e1 Version: e284fc280473bed23f2e1ed324e102a48f7d17e1 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a88c1b2746eccf00e2094b187945f0f1e990b400",
"status": "affected",
"version": "e284fc280473bed23f2e1ed324e102a48f7d17e1",
"versionType": "git"
},
{
"lessThan": "28465770ca3b694286ff9ed6dfd558413f57d98f",
"status": "affected",
"version": "e284fc280473bed23f2e1ed324e102a48f7d17e1",
"versionType": "git"
},
{
"lessThan": "f8c8e11825b24661596fa8db2f0981ba17ed0817",
"status": "affected",
"version": "e284fc280473bed23f2e1ed324e102a48f7d17e1",
"versionType": "git"
},
{
"lessThan": "461e0917eedcd159d87f3ea846754a1e07d7e78a",
"status": "affected",
"version": "e284fc280473bed23f2e1ed324e102a48f7d17e1",
"versionType": "git"
},
{
"lessThan": "3883e9702b6a4945e93b16c070f338a9f5b496f9",
"status": "affected",
"version": "e284fc280473bed23f2e1ed324e102a48f7d17e1",
"versionType": "git"
},
{
"lessThan": "3118f41d8fa57b005f53ec3db2ba5eab1d7ba12b",
"status": "affected",
"version": "e284fc280473bed23f2e1ed324e102a48f7d17e1",
"versionType": "git"
},
{
"lessThan": "560e1683410585fbd5df847f43433c4296f0d222",
"status": "affected",
"version": "e284fc280473bed23f2e1ed324e102a48f7d17e1",
"versionType": "git"
},
{
"lessThan": "9739d5830497812b0bdeaee356ddefbe60830b88",
"status": "affected",
"version": "e284fc280473bed23f2e1ed324e102a48f7d17e1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.155",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.50",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.155",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.109",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: fix input validation logic for action_meta\n\nFix condition to check \u0027greater or equal\u0027 to prevent OOB dereference."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T07:55:53.610Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a88c1b2746eccf00e2094b187945f0f1e990b400"
},
{
"url": "https://git.kernel.org/stable/c/28465770ca3b694286ff9ed6dfd558413f57d98f"
},
{
"url": "https://git.kernel.org/stable/c/f8c8e11825b24661596fa8db2f0981ba17ed0817"
},
{
"url": "https://git.kernel.org/stable/c/461e0917eedcd159d87f3ea846754a1e07d7e78a"
},
{
"url": "https://git.kernel.org/stable/c/3883e9702b6a4945e93b16c070f338a9f5b496f9"
},
{
"url": "https://git.kernel.org/stable/c/3118f41d8fa57b005f53ec3db2ba5eab1d7ba12b"
},
{
"url": "https://git.kernel.org/stable/c/560e1683410585fbd5df847f43433c4296f0d222"
},
{
"url": "https://git.kernel.org/stable/c/9739d5830497812b0bdeaee356ddefbe60830b88"
}
],
"title": "i40e: fix input validation logic for action_meta",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39970",
"datePublished": "2025-10-15T07:55:53.610Z",
"dateReserved": "2025-04-16T07:20:57.149Z",
"dateUpdated": "2025-10-15T07:55:53.610Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-23020 (GCVE-0-2026-23020)
Vulnerability from cvelistv5
Published
2026-01-31 11:39
Modified
2026-02-09 08:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: 3com: 3c59x: fix possible null dereference in vortex_probe1()
pdev can be null and free_ring: can be called in 1297 with a null
pdev.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 55c82617c3e82210b7471e9334e8fc5df6a9961f Version: 55c82617c3e82210b7471e9334e8fc5df6a9961f Version: 55c82617c3e82210b7471e9334e8fc5df6a9961f Version: 55c82617c3e82210b7471e9334e8fc5df6a9961f Version: 55c82617c3e82210b7471e9334e8fc5df6a9961f Version: 55c82617c3e82210b7471e9334e8fc5df6a9961f Version: 55c82617c3e82210b7471e9334e8fc5df6a9961f Version: d30fdc02c49ad9965bba25015ae66c22dae967d1 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/3com/3c59x.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "053ac9e37eee435e999277c0f1ef890dad6064bf",
"status": "affected",
"version": "55c82617c3e82210b7471e9334e8fc5df6a9961f",
"versionType": "git"
},
{
"lessThan": "6cff14b831dbdb32675b4c7904dcc3eeeaf47e9d",
"status": "affected",
"version": "55c82617c3e82210b7471e9334e8fc5df6a9961f",
"versionType": "git"
},
{
"lessThan": "606872c8e8bf96066730f6a2317502c5633c37f1",
"status": "affected",
"version": "55c82617c3e82210b7471e9334e8fc5df6a9961f",
"versionType": "git"
},
{
"lessThan": "28b2a805609699be7b90020ae7dccfb234be1ceb",
"status": "affected",
"version": "55c82617c3e82210b7471e9334e8fc5df6a9961f",
"versionType": "git"
},
{
"lessThan": "2f05f7737e16d9a40038cc1c38a96a3f7964898b",
"status": "affected",
"version": "55c82617c3e82210b7471e9334e8fc5df6a9961f",
"versionType": "git"
},
{
"lessThan": "d82796a57cc0dac1dbef19d913c8f02a8cc7b1a7",
"status": "affected",
"version": "55c82617c3e82210b7471e9334e8fc5df6a9961f",
"versionType": "git"
},
{
"lessThan": "a4e305ed60f7c41bbf9aabc16dd75267194e0de3",
"status": "affected",
"version": "55c82617c3e82210b7471e9334e8fc5df6a9961f",
"versionType": "git"
},
{
"status": "affected",
"version": "d30fdc02c49ad9965bba25015ae66c22dae967d1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/3com/3c59x.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.16.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: 3com: 3c59x: fix possible null dereference in vortex_probe1()\n\npdev can be null and free_ring: can be called in 1297 with a null\npdev."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:37:13.897Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/053ac9e37eee435e999277c0f1ef890dad6064bf"
},
{
"url": "https://git.kernel.org/stable/c/6cff14b831dbdb32675b4c7904dcc3eeeaf47e9d"
},
{
"url": "https://git.kernel.org/stable/c/606872c8e8bf96066730f6a2317502c5633c37f1"
},
{
"url": "https://git.kernel.org/stable/c/28b2a805609699be7b90020ae7dccfb234be1ceb"
},
{
"url": "https://git.kernel.org/stable/c/2f05f7737e16d9a40038cc1c38a96a3f7964898b"
},
{
"url": "https://git.kernel.org/stable/c/d82796a57cc0dac1dbef19d913c8f02a8cc7b1a7"
},
{
"url": "https://git.kernel.org/stable/c/a4e305ed60f7c41bbf9aabc16dd75267194e0de3"
}
],
"title": "net: 3com: 3c59x: fix possible null dereference in vortex_probe1()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23020",
"datePublished": "2026-01-31T11:39:04.023Z",
"dateReserved": "2026-01-13T15:37:45.941Z",
"dateUpdated": "2026-02-09T08:37:13.897Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68288 (GCVE-0-2025-68288)
Vulnerability from cvelistv5
Published
2025-12-16 15:06
Modified
2025-12-16 15:06
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: storage: Fix memory leak in USB bulk transport
A kernel memory leak was identified by the 'ioctl_sg01' test from Linux
Test Project (LTP). The following bytes were mainly observed: 0x53425355.
When USB storage devices incorrectly skip the data phase with status data,
the code extracts/validates the CSW from the sg buffer, but fails to clear
it afterwards. This leaves status protocol data in srb's transfer buffer,
such as the US_BULK_CS_SIGN 'USBS' signature observed here. Thus, this can
lead to USB protocols leaks to user space through SCSI generic (/dev/sg*)
interfaces, such as the one seen here when the LTP test requested 512 KiB.
Fix the leak by zeroing the CSW data in srb's transfer buffer immediately
after the validation of devices that skip data phase.
Note: Differently from CVE-2018-1000204, which fixed a big leak by zero-
ing pages at allocation time, this leak occurs after allocation, when USB
protocol data is written to already-allocated sg pages.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: a45b599ad808c3c982fdcdc12b0b8611c2f92824 Version: a45b599ad808c3c982fdcdc12b0b8611c2f92824 Version: a45b599ad808c3c982fdcdc12b0b8611c2f92824 Version: a45b599ad808c3c982fdcdc12b0b8611c2f92824 Version: a45b599ad808c3c982fdcdc12b0b8611c2f92824 Version: a45b599ad808c3c982fdcdc12b0b8611c2f92824 Version: a45b599ad808c3c982fdcdc12b0b8611c2f92824 Version: 582802e7c617cfb07cc15f280c128e6decbc57b8 Version: 58b7ce6f9ef2367f86384b20458642945993b816 Version: 93314640426ddb6af618d0802e622f6fa771792c Version: ad2518320bc440ed3db072e2444a1bb226a9cf7a Version: d827bea2d18c07ba514f7d48cde49f90da9a1384 Version: 39169410574503c6e901de1aa6eac5108475e017 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/storage/transport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "83f0241959831586d9b6d47f6bd5d3dec8f43bf0",
"status": "affected",
"version": "a45b599ad808c3c982fdcdc12b0b8611c2f92824",
"versionType": "git"
},
{
"lessThan": "4ba515dfff7eeca369ab85cdbb3f3b231c71720c",
"status": "affected",
"version": "a45b599ad808c3c982fdcdc12b0b8611c2f92824",
"versionType": "git"
},
{
"lessThan": "467fec3cefbeb9e3ea80f457da9a5666a71ca0d0",
"status": "affected",
"version": "a45b599ad808c3c982fdcdc12b0b8611c2f92824",
"versionType": "git"
},
{
"lessThan": "cb1401b5bcc2feb5b038fc4b512e5968b016e05e",
"status": "affected",
"version": "a45b599ad808c3c982fdcdc12b0b8611c2f92824",
"versionType": "git"
},
{
"lessThan": "0f18eac44c5668204bf6eebb01ddb369ac56932b",
"status": "affected",
"version": "a45b599ad808c3c982fdcdc12b0b8611c2f92824",
"versionType": "git"
},
{
"lessThan": "5b815ddb3f5560fac35b16de3a2a22d5f81c5993",
"status": "affected",
"version": "a45b599ad808c3c982fdcdc12b0b8611c2f92824",
"versionType": "git"
},
{
"lessThan": "41e99fe2005182139b1058db71f0d241f8f0078c",
"status": "affected",
"version": "a45b599ad808c3c982fdcdc12b0b8611c2f92824",
"versionType": "git"
},
{
"status": "affected",
"version": "582802e7c617cfb07cc15f280c128e6decbc57b8",
"versionType": "git"
},
{
"status": "affected",
"version": "58b7ce6f9ef2367f86384b20458642945993b816",
"versionType": "git"
},
{
"status": "affected",
"version": "93314640426ddb6af618d0802e622f6fa771792c",
"versionType": "git"
},
{
"status": "affected",
"version": "ad2518320bc440ed3db072e2444a1bb226a9cf7a",
"versionType": "git"
},
{
"status": "affected",
"version": "d827bea2d18c07ba514f7d48cde49f90da9a1384",
"versionType": "git"
},
{
"status": "affected",
"version": "39169410574503c6e901de1aa6eac5108475e017",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/storage/transport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.16.58",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.18.110",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.133",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.103",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.44",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.16.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: storage: Fix memory leak in USB bulk transport\n\nA kernel memory leak was identified by the \u0027ioctl_sg01\u0027 test from Linux\nTest Project (LTP). The following bytes were mainly observed: 0x53425355.\n\nWhen USB storage devices incorrectly skip the data phase with status data,\nthe code extracts/validates the CSW from the sg buffer, but fails to clear\nit afterwards. This leaves status protocol data in srb\u0027s transfer buffer,\nsuch as the US_BULK_CS_SIGN \u0027USBS\u0027 signature observed here. Thus, this can\nlead to USB protocols leaks to user space through SCSI generic (/dev/sg*)\ninterfaces, such as the one seen here when the LTP test requested 512 KiB.\n\nFix the leak by zeroing the CSW data in srb\u0027s transfer buffer immediately\nafter the validation of devices that skip data phase.\n\nNote: Differently from CVE-2018-1000204, which fixed a big leak by zero-\ning pages at allocation time, this leak occurs after allocation, when USB\nprotocol data is written to already-allocated sg pages."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:06:09.654Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/83f0241959831586d9b6d47f6bd5d3dec8f43bf0"
},
{
"url": "https://git.kernel.org/stable/c/4ba515dfff7eeca369ab85cdbb3f3b231c71720c"
},
{
"url": "https://git.kernel.org/stable/c/467fec3cefbeb9e3ea80f457da9a5666a71ca0d0"
},
{
"url": "https://git.kernel.org/stable/c/cb1401b5bcc2feb5b038fc4b512e5968b016e05e"
},
{
"url": "https://git.kernel.org/stable/c/0f18eac44c5668204bf6eebb01ddb369ac56932b"
},
{
"url": "https://git.kernel.org/stable/c/5b815ddb3f5560fac35b16de3a2a22d5f81c5993"
},
{
"url": "https://git.kernel.org/stable/c/41e99fe2005182139b1058db71f0d241f8f0078c"
}
],
"title": "usb: storage: Fix memory leak in USB bulk transport",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68288",
"datePublished": "2025-12-16T15:06:09.654Z",
"dateReserved": "2025-12-16T14:48:05.292Z",
"dateUpdated": "2025-12-16T15:06:09.654Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71125 (GCVE-0-2025-71125)
Vulnerability from cvelistv5
Published
2026-01-14 15:06
Modified
2026-02-09 08:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tracing: Do not register unsupported perf events
Synthetic events currently do not have a function to register perf events.
This leads to calling the tracepoint register functions with a NULL
function pointer which triggers:
------------[ cut here ]------------
WARNING: kernel/tracepoint.c:175 at tracepoint_add_func+0x357/0x370, CPU#2: perf/2272
Modules linked in: kvm_intel kvm irqbypass
CPU: 2 UID: 0 PID: 2272 Comm: perf Not tainted 6.18.0-ftest-11964-ge022764176fc-dirty #323 PREEMPTLAZY
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
RIP: 0010:tracepoint_add_func+0x357/0x370
Code: 28 9c e8 4c 0b f5 ff eb 0f 4c 89 f7 48 c7 c6 80 4d 28 9c e8 ab 89 f4 ff 31 c0 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc <0f> 0b 49 c7 c6 ea ff ff ff e9 ee fe ff ff 0f 0b e9 f9 fe ff ff 0f
RSP: 0018:ffffabc0c44d3c40 EFLAGS: 00010246
RAX: 0000000000000001 RBX: ffff9380aa9e4060 RCX: 0000000000000000
RDX: 000000000000000a RSI: ffffffff9e1d4a98 RDI: ffff937fcf5fd6c8
RBP: 0000000000000001 R08: 0000000000000007 R09: ffff937fcf5fc780
R10: 0000000000000003 R11: ffffffff9c193910 R12: 000000000000000a
R13: ffffffff9e1e5888 R14: 0000000000000000 R15: ffffabc0c44d3c78
FS: 00007f6202f5f340(0000) GS:ffff93819f00f000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055d3162281a8 CR3: 0000000106a56003 CR4: 0000000000172ef0
Call Trace:
<TASK>
tracepoint_probe_register+0x5d/0x90
synth_event_reg+0x3c/0x60
perf_trace_event_init+0x204/0x340
perf_trace_init+0x85/0xd0
perf_tp_event_init+0x2e/0x50
perf_try_init_event+0x6f/0x230
? perf_event_alloc+0x4bb/0xdc0
perf_event_alloc+0x65a/0xdc0
__se_sys_perf_event_open+0x290/0x9f0
do_syscall_64+0x93/0x7b0
? entry_SYSCALL_64_after_hwframe+0x76/0x7e
? trace_hardirqs_off+0x53/0xc0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Instead, have the code return -ENODEV, which doesn't warn and has perf
error out with:
# perf record -e synthetic:futex_wait
Error:
The sys_perf_event_open() syscall returned with 19 (No such device) for event (synthetic:futex_wait).
"dmesg | grep -i perf" may provide additional information.
Ideally perf should support synthetic events, but for now just fix the
warning. The support can come later.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 4b147936fa509650beaf638b331573c23ba4d609 Version: 4b147936fa509650beaf638b331573c23ba4d609 Version: 4b147936fa509650beaf638b331573c23ba4d609 Version: 4b147936fa509650beaf638b331573c23ba4d609 Version: 4b147936fa509650beaf638b331573c23ba4d609 Version: 4b147936fa509650beaf638b331573c23ba4d609 Version: 4b147936fa509650beaf638b331573c23ba4d609 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace_events.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6819bc6285c0ff835f67cfae7efebc03541782f6",
"status": "affected",
"version": "4b147936fa509650beaf638b331573c23ba4d609",
"versionType": "git"
},
{
"lessThan": "6d15f08e6d8d4b4fb02d90805ea97f3e2c1d6fbc",
"status": "affected",
"version": "4b147936fa509650beaf638b331573c23ba4d609",
"versionType": "git"
},
{
"lessThan": "f7305697b60d79bc69c0a6e280fc931b4e8862dd",
"status": "affected",
"version": "4b147936fa509650beaf638b331573c23ba4d609",
"versionType": "git"
},
{
"lessThan": "65b1971147ec12f0b1cee0811c859a3d7d9b04ce",
"status": "affected",
"version": "4b147936fa509650beaf638b331573c23ba4d609",
"versionType": "git"
},
{
"lessThan": "3437c775bf209c674ad66304213b6b3c3b1b3f69",
"status": "affected",
"version": "4b147936fa509650beaf638b331573c23ba4d609",
"versionType": "git"
},
{
"lessThan": "6df47e5bb9b62d72f186f826ab643ea1856877c7",
"status": "affected",
"version": "4b147936fa509650beaf638b331573c23ba4d609",
"versionType": "git"
},
{
"lessThan": "ef7f38df890f5dcd2ae62f8dbde191d72f3bebae",
"status": "affected",
"version": "4b147936fa509650beaf638b331573c23ba4d609",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace_events.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Do not register unsupported perf events\n\nSynthetic events currently do not have a function to register perf events.\nThis leads to calling the tracepoint register functions with a NULL\nfunction pointer which triggers:\n\n ------------[ cut here ]------------\n WARNING: kernel/tracepoint.c:175 at tracepoint_add_func+0x357/0x370, CPU#2: perf/2272\n Modules linked in: kvm_intel kvm irqbypass\n CPU: 2 UID: 0 PID: 2272 Comm: perf Not tainted 6.18.0-ftest-11964-ge022764176fc-dirty #323 PREEMPTLAZY\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-debian-1.17.0-1 04/01/2014\n RIP: 0010:tracepoint_add_func+0x357/0x370\n Code: 28 9c e8 4c 0b f5 ff eb 0f 4c 89 f7 48 c7 c6 80 4d 28 9c e8 ab 89 f4 ff 31 c0 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc \u003c0f\u003e 0b 49 c7 c6 ea ff ff ff e9 ee fe ff ff 0f 0b e9 f9 fe ff ff 0f\n RSP: 0018:ffffabc0c44d3c40 EFLAGS: 00010246\n RAX: 0000000000000001 RBX: ffff9380aa9e4060 RCX: 0000000000000000\n RDX: 000000000000000a RSI: ffffffff9e1d4a98 RDI: ffff937fcf5fd6c8\n RBP: 0000000000000001 R08: 0000000000000007 R09: ffff937fcf5fc780\n R10: 0000000000000003 R11: ffffffff9c193910 R12: 000000000000000a\n R13: ffffffff9e1e5888 R14: 0000000000000000 R15: ffffabc0c44d3c78\n FS: 00007f6202f5f340(0000) GS:ffff93819f00f000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000055d3162281a8 CR3: 0000000106a56003 CR4: 0000000000172ef0\n Call Trace:\n \u003cTASK\u003e\n tracepoint_probe_register+0x5d/0x90\n synth_event_reg+0x3c/0x60\n perf_trace_event_init+0x204/0x340\n perf_trace_init+0x85/0xd0\n perf_tp_event_init+0x2e/0x50\n perf_try_init_event+0x6f/0x230\n ? perf_event_alloc+0x4bb/0xdc0\n perf_event_alloc+0x65a/0xdc0\n __se_sys_perf_event_open+0x290/0x9f0\n do_syscall_64+0x93/0x7b0\n ? entry_SYSCALL_64_after_hwframe+0x76/0x7e\n ? trace_hardirqs_off+0x53/0xc0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nInstead, have the code return -ENODEV, which doesn\u0027t warn and has perf\nerror out with:\n\n # perf record -e synthetic:futex_wait\nError:\nThe sys_perf_event_open() syscall returned with 19 (No such device) for event (synthetic:futex_wait).\n\"dmesg | grep -i perf\" may provide additional information.\n\nIdeally perf should support synthetic events, but for now just fix the\nwarning. The support can come later."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:20.806Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6819bc6285c0ff835f67cfae7efebc03541782f6"
},
{
"url": "https://git.kernel.org/stable/c/6d15f08e6d8d4b4fb02d90805ea97f3e2c1d6fbc"
},
{
"url": "https://git.kernel.org/stable/c/f7305697b60d79bc69c0a6e280fc931b4e8862dd"
},
{
"url": "https://git.kernel.org/stable/c/65b1971147ec12f0b1cee0811c859a3d7d9b04ce"
},
{
"url": "https://git.kernel.org/stable/c/3437c775bf209c674ad66304213b6b3c3b1b3f69"
},
{
"url": "https://git.kernel.org/stable/c/6df47e5bb9b62d72f186f826ab643ea1856877c7"
},
{
"url": "https://git.kernel.org/stable/c/ef7f38df890f5dcd2ae62f8dbde191d72f3bebae"
}
],
"title": "tracing: Do not register unsupported perf events",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71125",
"datePublished": "2026-01-14T15:06:10.662Z",
"dateReserved": "2026-01-13T15:30:19.654Z",
"dateUpdated": "2026-02-09T08:35:20.806Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23407 (GCVE-0-2026-23407)
Vulnerability from cvelistv5
Published
2026-04-01 08:36
Modified
2026-04-18 08:58
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
apparmor: fix missing bounds check on DEFAULT table in verify_dfa()
The verify_dfa() function only checks DEFAULT_TABLE bounds when the state
is not differentially encoded.
When the verification loop traverses the differential encoding chain,
it reads k = DEFAULT_TABLE[j] and uses k as an array index without
validation. A malformed DFA with DEFAULT_TABLE[j] >= state_count,
therefore, causes both out-of-bounds reads and writes.
[ 57.179855] ==================================================================
[ 57.180549] BUG: KASAN: slab-out-of-bounds in verify_dfa+0x59a/0x660
[ 57.180904] Read of size 4 at addr ffff888100eadec4 by task su/993
[ 57.181554] CPU: 1 UID: 0 PID: 993 Comm: su Not tainted 6.19.0-rc7-next-20260127 #1 PREEMPT(lazy)
[ 57.181558] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 57.181563] Call Trace:
[ 57.181572] <TASK>
[ 57.181577] dump_stack_lvl+0x5e/0x80
[ 57.181596] print_report+0xc8/0x270
[ 57.181605] ? verify_dfa+0x59a/0x660
[ 57.181608] kasan_report+0x118/0x150
[ 57.181620] ? verify_dfa+0x59a/0x660
[ 57.181623] verify_dfa+0x59a/0x660
[ 57.181627] aa_dfa_unpack+0x1610/0x1740
[ 57.181629] ? __kmalloc_cache_noprof+0x1d0/0x470
[ 57.181640] unpack_pdb+0x86d/0x46b0
[ 57.181647] ? srso_alias_return_thunk+0x5/0xfbef5
[ 57.181653] ? srso_alias_return_thunk+0x5/0xfbef5
[ 57.181656] ? aa_unpack_nameX+0x1a8/0x300
[ 57.181659] aa_unpack+0x20b0/0x4c30
[ 57.181662] ? srso_alias_return_thunk+0x5/0xfbef5
[ 57.181664] ? stack_depot_save_flags+0x33/0x700
[ 57.181681] ? kasan_save_track+0x4f/0x80
[ 57.181683] ? kasan_save_track+0x3e/0x80
[ 57.181686] ? __kasan_kmalloc+0x93/0xb0
[ 57.181688] ? __kvmalloc_node_noprof+0x44a/0x780
[ 57.181693] ? aa_simple_write_to_buffer+0x54/0x130
[ 57.181697] ? policy_update+0x154/0x330
[ 57.181704] aa_replace_profiles+0x15a/0x1dd0
[ 57.181707] ? srso_alias_return_thunk+0x5/0xfbef5
[ 57.181710] ? __kvmalloc_node_noprof+0x44a/0x780
[ 57.181712] ? aa_loaddata_alloc+0x77/0x140
[ 57.181715] ? srso_alias_return_thunk+0x5/0xfbef5
[ 57.181717] ? _copy_from_user+0x2a/0x70
[ 57.181730] policy_update+0x17a/0x330
[ 57.181733] profile_replace+0x153/0x1a0
[ 57.181735] ? rw_verify_area+0x93/0x2d0
[ 57.181740] vfs_write+0x235/0xab0
[ 57.181745] ksys_write+0xb0/0x170
[ 57.181748] do_syscall_64+0x8e/0x660
[ 57.181762] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 57.181765] RIP: 0033:0x7f6192792eb2
Remove the MATCH_FLAG_DIFF_ENCODE condition to validate all DEFAULT_TABLE
entries unconditionally.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3 Version: 031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3 Version: 031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3 Version: 031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3 Version: 031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3 Version: 031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3 Version: 031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3 Version: 031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"security/apparmor/match.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "555829fd91eaf0711e369b0a92aecb0f0aa3281f",
"status": "affected",
"version": "031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3",
"versionType": "git"
},
{
"lessThan": "a75e12ca90c9e70ba10fee1be2f63cdd63d91a7c",
"status": "affected",
"version": "031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3",
"versionType": "git"
},
{
"lessThan": "22094c996968a7c5b59cd3fc9fcbdfdd46d02fec",
"status": "affected",
"version": "031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3",
"versionType": "git"
},
{
"lessThan": "7c7cf05e0606f554c467e3a4dc49e2e578a755b4",
"status": "affected",
"version": "031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3",
"versionType": "git"
},
{
"lessThan": "76b4d36c5122866452d34d8f79985e191f9c3831",
"status": "affected",
"version": "031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3",
"versionType": "git"
},
{
"lessThan": "5a68e46dfe0c8c8ffc6f425ebc4cae6238566ecc",
"status": "affected",
"version": "031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3",
"versionType": "git"
},
{
"lessThan": "f39e126e56c6ec1930fae51ad6bca3dae2a4c3ed",
"status": "affected",
"version": "031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3",
"versionType": "git"
},
{
"lessThan": "d352873bbefa7eb39995239d0b44ccdf8aaa79a4",
"status": "affected",
"version": "031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"security/apparmor/match.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.18",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.8",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: fix missing bounds check on DEFAULT table in verify_dfa()\n\nThe verify_dfa() function only checks DEFAULT_TABLE bounds when the state\nis not differentially encoded.\n\nWhen the verification loop traverses the differential encoding chain,\nit reads k = DEFAULT_TABLE[j] and uses k as an array index without\nvalidation. A malformed DFA with DEFAULT_TABLE[j] \u003e= state_count,\ntherefore, causes both out-of-bounds reads and writes.\n\n[ 57.179855] ==================================================================\n[ 57.180549] BUG: KASAN: slab-out-of-bounds in verify_dfa+0x59a/0x660\n[ 57.180904] Read of size 4 at addr ffff888100eadec4 by task su/993\n\n[ 57.181554] CPU: 1 UID: 0 PID: 993 Comm: su Not tainted 6.19.0-rc7-next-20260127 #1 PREEMPT(lazy)\n[ 57.181558] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[ 57.181563] Call Trace:\n[ 57.181572] \u003cTASK\u003e\n[ 57.181577] dump_stack_lvl+0x5e/0x80\n[ 57.181596] print_report+0xc8/0x270\n[ 57.181605] ? verify_dfa+0x59a/0x660\n[ 57.181608] kasan_report+0x118/0x150\n[ 57.181620] ? verify_dfa+0x59a/0x660\n[ 57.181623] verify_dfa+0x59a/0x660\n[ 57.181627] aa_dfa_unpack+0x1610/0x1740\n[ 57.181629] ? __kmalloc_cache_noprof+0x1d0/0x470\n[ 57.181640] unpack_pdb+0x86d/0x46b0\n[ 57.181647] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 57.181653] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 57.181656] ? aa_unpack_nameX+0x1a8/0x300\n[ 57.181659] aa_unpack+0x20b0/0x4c30\n[ 57.181662] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 57.181664] ? stack_depot_save_flags+0x33/0x700\n[ 57.181681] ? kasan_save_track+0x4f/0x80\n[ 57.181683] ? kasan_save_track+0x3e/0x80\n[ 57.181686] ? __kasan_kmalloc+0x93/0xb0\n[ 57.181688] ? __kvmalloc_node_noprof+0x44a/0x780\n[ 57.181693] ? aa_simple_write_to_buffer+0x54/0x130\n[ 57.181697] ? policy_update+0x154/0x330\n[ 57.181704] aa_replace_profiles+0x15a/0x1dd0\n[ 57.181707] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 57.181710] ? __kvmalloc_node_noprof+0x44a/0x780\n[ 57.181712] ? aa_loaddata_alloc+0x77/0x140\n[ 57.181715] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 57.181717] ? _copy_from_user+0x2a/0x70\n[ 57.181730] policy_update+0x17a/0x330\n[ 57.181733] profile_replace+0x153/0x1a0\n[ 57.181735] ? rw_verify_area+0x93/0x2d0\n[ 57.181740] vfs_write+0x235/0xab0\n[ 57.181745] ksys_write+0xb0/0x170\n[ 57.181748] do_syscall_64+0x8e/0x660\n[ 57.181762] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[ 57.181765] RIP: 0033:0x7f6192792eb2\n\nRemove the MATCH_FLAG_DIFF_ENCODE condition to validate all DEFAULT_TABLE\nentries unconditionally."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:58:41.909Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/555829fd91eaf0711e369b0a92aecb0f0aa3281f"
},
{
"url": "https://git.kernel.org/stable/c/a75e12ca90c9e70ba10fee1be2f63cdd63d91a7c"
},
{
"url": "https://git.kernel.org/stable/c/22094c996968a7c5b59cd3fc9fcbdfdd46d02fec"
},
{
"url": "https://git.kernel.org/stable/c/7c7cf05e0606f554c467e3a4dc49e2e578a755b4"
},
{
"url": "https://git.kernel.org/stable/c/76b4d36c5122866452d34d8f79985e191f9c3831"
},
{
"url": "https://git.kernel.org/stable/c/5a68e46dfe0c8c8ffc6f425ebc4cae6238566ecc"
},
{
"url": "https://git.kernel.org/stable/c/f39e126e56c6ec1930fae51ad6bca3dae2a4c3ed"
},
{
"url": "https://git.kernel.org/stable/c/d352873bbefa7eb39995239d0b44ccdf8aaa79a4"
}
],
"title": "apparmor: fix missing bounds check on DEFAULT table in verify_dfa()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23407",
"datePublished": "2026-04-01T08:36:37.197Z",
"dateReserved": "2026-01-13T15:37:46.013Z",
"dateUpdated": "2026-04-18T08:58:41.909Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23060 (GCVE-0-2026-23060)
Vulnerability from cvelistv5
Published
2026-02-04 16:07
Modified
2026-02-09 08:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN spec
authencesn assumes an ESP/ESN-formatted AAD. When assoclen is shorter than
the minimum expected length, crypto_authenc_esn_decrypt() can advance past
the end of the destination scatterlist and trigger a NULL pointer dereference
in scatterwalk_map_and_copy(), leading to a kernel panic (DoS).
Add a minimum AAD length check to fail fast on invalid inputs.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 104880a6b470958ddc30e139c41aa4f6ed3a5234 Version: 104880a6b470958ddc30e139c41aa4f6ed3a5234 Version: 104880a6b470958ddc30e139c41aa4f6ed3a5234 Version: 104880a6b470958ddc30e139c41aa4f6ed3a5234 Version: 104880a6b470958ddc30e139c41aa4f6ed3a5234 Version: 104880a6b470958ddc30e139c41aa4f6ed3a5234 Version: 104880a6b470958ddc30e139c41aa4f6ed3a5234 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"crypto/authencesn.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "df22c9a65e9a9daa368a72fed596af9d7d5876bb",
"status": "affected",
"version": "104880a6b470958ddc30e139c41aa4f6ed3a5234",
"versionType": "git"
},
{
"lessThan": "fee86edf5803f1d1f19e3b4f2dacac241bddfa48",
"status": "affected",
"version": "104880a6b470958ddc30e139c41aa4f6ed3a5234",
"versionType": "git"
},
{
"lessThan": "767e8349f7e929b7dd95c08f0b4cb353459b365e",
"status": "affected",
"version": "104880a6b470958ddc30e139c41aa4f6ed3a5234",
"versionType": "git"
},
{
"lessThan": "b0a9609283a5c852addb513dafa655c61eebc1ef",
"status": "affected",
"version": "104880a6b470958ddc30e139c41aa4f6ed3a5234",
"versionType": "git"
},
{
"lessThan": "161bdc90fce25bd9890adc67fa1c8563a7acbf40",
"status": "affected",
"version": "104880a6b470958ddc30e139c41aa4f6ed3a5234",
"versionType": "git"
},
{
"lessThan": "9532ff0d0e90ff78a214299f594ab9bac81defe4",
"status": "affected",
"version": "104880a6b470958ddc30e139c41aa4f6ed3a5234",
"versionType": "git"
},
{
"lessThan": "2397e9264676be7794f8f7f1e9763d90bd3c7335",
"status": "affected",
"version": "104880a6b470958ddc30e139c41aa4f6ed3a5234",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"crypto/authencesn.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.3"
},
{
"lessThan": "4.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: authencesn - reject too-short AAD (assoclen\u003c8) to match ESP/ESN spec\n\nauthencesn assumes an ESP/ESN-formatted AAD. When assoclen is shorter than\nthe minimum expected length, crypto_authenc_esn_decrypt() can advance past\nthe end of the destination scatterlist and trigger a NULL pointer dereference\nin scatterwalk_map_and_copy(), leading to a kernel panic (DoS).\n\nAdd a minimum AAD length check to fail fast on invalid inputs."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:37:58.639Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/df22c9a65e9a9daa368a72fed596af9d7d5876bb"
},
{
"url": "https://git.kernel.org/stable/c/fee86edf5803f1d1f19e3b4f2dacac241bddfa48"
},
{
"url": "https://git.kernel.org/stable/c/767e8349f7e929b7dd95c08f0b4cb353459b365e"
},
{
"url": "https://git.kernel.org/stable/c/b0a9609283a5c852addb513dafa655c61eebc1ef"
},
{
"url": "https://git.kernel.org/stable/c/161bdc90fce25bd9890adc67fa1c8563a7acbf40"
},
{
"url": "https://git.kernel.org/stable/c/9532ff0d0e90ff78a214299f594ab9bac81defe4"
},
{
"url": "https://git.kernel.org/stable/c/2397e9264676be7794f8f7f1e9763d90bd3c7335"
}
],
"title": "crypto: authencesn - reject too-short AAD (assoclen\u003c8) to match ESP/ESN spec",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23060",
"datePublished": "2026-02-04T16:07:42.860Z",
"dateReserved": "2026-01-13T15:37:45.952Z",
"dateUpdated": "2026-02-09T08:37:58.639Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68245 (GCVE-0-2025-68245)
Vulnerability from cvelistv5
Published
2025-12-16 14:21
Modified
2025-12-16 14:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: netpoll: fix incorrect refcount handling causing incorrect cleanup
commit efa95b01da18 ("netpoll: fix use after free") incorrectly
ignored the refcount and prematurely set dev->npinfo to NULL during
netpoll cleanup, leading to improper behavior and memory leaks.
Scenario causing lack of proper cleanup:
1) A netpoll is associated with a NIC (e.g., eth0) and netdev->npinfo is
allocated, and refcnt = 1
- Keep in mind that npinfo is shared among all netpoll instances. In
this case, there is just one.
2) Another netpoll is also associated with the same NIC and
npinfo->refcnt += 1.
- Now dev->npinfo->refcnt = 2;
- There is just one npinfo associated to the netdev.
3) When the first netpolls goes to clean up:
- The first cleanup succeeds and clears np->dev->npinfo, ignoring
refcnt.
- It basically calls `RCU_INIT_POINTER(np->dev->npinfo, NULL);`
- Set dev->npinfo = NULL, without proper cleanup
- No ->ndo_netpoll_cleanup() is either called
4) Now the second target tries to clean up
- The second cleanup fails because np->dev->npinfo is already NULL.
* In this case, ops->ndo_netpoll_cleanup() was never called, and
the skb pool is not cleaned as well (for the second netpoll
instance)
- This leaks npinfo and skbpool skbs, which is clearly reported by
kmemleak.
Revert commit efa95b01da18 ("netpoll: fix use after free") and adds
clarifying comments emphasizing that npinfo cleanup should only happen
once the refcount reaches zero, ensuring stable and correct netpoll
behavior.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: efa95b01da18ad22af62f6d99a3243f3be8fd264 Version: efa95b01da18ad22af62f6d99a3243f3be8fd264 Version: efa95b01da18ad22af62f6d99a3243f3be8fd264 Version: efa95b01da18ad22af62f6d99a3243f3be8fd264 Version: efa95b01da18ad22af62f6d99a3243f3be8fd264 Version: efa95b01da18ad22af62f6d99a3243f3be8fd264 Version: efa95b01da18ad22af62f6d99a3243f3be8fd264 Version: efa95b01da18ad22af62f6d99a3243f3be8fd264 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/netpoll.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8e6a50edad11e3e1426e4c29e7aa6201f3468ac2",
"status": "affected",
"version": "efa95b01da18ad22af62f6d99a3243f3be8fd264",
"versionType": "git"
},
{
"lessThan": "9b0bb18b4b9dc017c1825a2c5e763615e34a1593",
"status": "affected",
"version": "efa95b01da18ad22af62f6d99a3243f3be8fd264",
"versionType": "git"
},
{
"lessThan": "890472d6fbf062e6de7fdd56642cb305ab79d669",
"status": "affected",
"version": "efa95b01da18ad22af62f6d99a3243f3be8fd264",
"versionType": "git"
},
{
"lessThan": "4afd4ebbad52aa146838ec23082ba393e426a2bb",
"status": "affected",
"version": "efa95b01da18ad22af62f6d99a3243f3be8fd264",
"versionType": "git"
},
{
"lessThan": "c645693180a98606c430825223d2029315d85e9d",
"status": "affected",
"version": "efa95b01da18ad22af62f6d99a3243f3be8fd264",
"versionType": "git"
},
{
"lessThan": "c79a6d9da29219616b118a3adce9a14cd30f9bd0",
"status": "affected",
"version": "efa95b01da18ad22af62f6d99a3243f3be8fd264",
"versionType": "git"
},
{
"lessThan": "9a51b5ccd1c79afec1c03a4e1e6688da52597556",
"status": "affected",
"version": "efa95b01da18ad22af62f6d99a3243f3be8fd264",
"versionType": "git"
},
{
"lessThan": "49c8d2c1f94cc2f4d1a108530d7ba52614b874c2",
"status": "affected",
"version": "efa95b01da18ad22af62f6d99a3243f3be8fd264",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/netpoll.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.17"
},
{
"lessThan": "3.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: netpoll: fix incorrect refcount handling causing incorrect cleanup\n\ncommit efa95b01da18 (\"netpoll: fix use after free\") incorrectly\nignored the refcount and prematurely set dev-\u003enpinfo to NULL during\nnetpoll cleanup, leading to improper behavior and memory leaks.\n\nScenario causing lack of proper cleanup:\n\n1) A netpoll is associated with a NIC (e.g., eth0) and netdev-\u003enpinfo is\n allocated, and refcnt = 1\n - Keep in mind that npinfo is shared among all netpoll instances. In\n this case, there is just one.\n\n2) Another netpoll is also associated with the same NIC and\n npinfo-\u003erefcnt += 1.\n - Now dev-\u003enpinfo-\u003erefcnt = 2;\n - There is just one npinfo associated to the netdev.\n\n3) When the first netpolls goes to clean up:\n - The first cleanup succeeds and clears np-\u003edev-\u003enpinfo, ignoring\n refcnt.\n - It basically calls `RCU_INIT_POINTER(np-\u003edev-\u003enpinfo, NULL);`\n - Set dev-\u003enpinfo = NULL, without proper cleanup\n - No -\u003endo_netpoll_cleanup() is either called\n\n4) Now the second target tries to clean up\n - The second cleanup fails because np-\u003edev-\u003enpinfo is already NULL.\n * In this case, ops-\u003endo_netpoll_cleanup() was never called, and\n the skb pool is not cleaned as well (for the second netpoll\n instance)\n - This leaks npinfo and skbpool skbs, which is clearly reported by\n kmemleak.\n\nRevert commit efa95b01da18 (\"netpoll: fix use after free\") and adds\nclarifying comments emphasizing that npinfo cleanup should only happen\nonce the refcount reaches zero, ensuring stable and correct netpoll\nbehavior."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T14:21:22.348Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8e6a50edad11e3e1426e4c29e7aa6201f3468ac2"
},
{
"url": "https://git.kernel.org/stable/c/9b0bb18b4b9dc017c1825a2c5e763615e34a1593"
},
{
"url": "https://git.kernel.org/stable/c/890472d6fbf062e6de7fdd56642cb305ab79d669"
},
{
"url": "https://git.kernel.org/stable/c/4afd4ebbad52aa146838ec23082ba393e426a2bb"
},
{
"url": "https://git.kernel.org/stable/c/c645693180a98606c430825223d2029315d85e9d"
},
{
"url": "https://git.kernel.org/stable/c/c79a6d9da29219616b118a3adce9a14cd30f9bd0"
},
{
"url": "https://git.kernel.org/stable/c/9a51b5ccd1c79afec1c03a4e1e6688da52597556"
},
{
"url": "https://git.kernel.org/stable/c/49c8d2c1f94cc2f4d1a108530d7ba52614b874c2"
}
],
"title": "net: netpoll: fix incorrect refcount handling causing incorrect cleanup",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68245",
"datePublished": "2025-12-16T14:21:22.348Z",
"dateReserved": "2025-12-16T13:41:40.264Z",
"dateUpdated": "2025-12-16T14:21:22.348Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71101 (GCVE-0-2025-71101)
Vulnerability from cvelistv5
Published
2026-01-13 15:34
Modified
2026-02-09 08:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
platform/x86: hp-bioscfg: Fix out-of-bounds array access in ACPI package parsing
The hp_populate_*_elements_from_package() functions in the hp-bioscfg
driver contain out-of-bounds array access vulnerabilities.
These functions parse ACPI packages into internal data structures using
a for loop with index variable 'elem' that iterates through
enum_obj/integer_obj/order_obj/password_obj/string_obj arrays.
When processing multi-element fields like PREREQUISITES and
ENUM_POSSIBLE_VALUES, these functions read multiple consecutive array
elements using expressions like 'enum_obj[elem + reqs]' and
'enum_obj[elem + pos_values]' within nested loops.
The bug is that the bounds check only validated elem, but did not consider
the additional offset when accessing elem + reqs or elem + pos_values.
The fix changes the bounds check to validate the actual accessed index.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/platform/x86/hp/hp-bioscfg/enum-attributes.c",
"drivers/platform/x86/hp/hp-bioscfg/int-attributes.c",
"drivers/platform/x86/hp/hp-bioscfg/order-list-attributes.c",
"drivers/platform/x86/hp/hp-bioscfg/passwdobj-attributes.c",
"drivers/platform/x86/hp/hp-bioscfg/string-attributes.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cf7ae870560b988247a4bbbe5399edd326632680",
"status": "affected",
"version": "e6c7b3e15559699a30646dd45195549c7db447bd",
"versionType": "git"
},
{
"lessThan": "db4c26adf7117b1a4431d1197ae7109fee3230ad",
"status": "affected",
"version": "e6c7b3e15559699a30646dd45195549c7db447bd",
"versionType": "git"
},
{
"lessThan": "79cab730dbaaac03b946c7f5681bd08c986e2abd",
"status": "affected",
"version": "e6c7b3e15559699a30646dd45195549c7db447bd",
"versionType": "git"
},
{
"lessThan": "e44c42c830b7ab36e3a3a86321c619f24def5206",
"status": "affected",
"version": "e6c7b3e15559699a30646dd45195549c7db447bd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/platform/x86/hp/hp-bioscfg/enum-attributes.c",
"drivers/platform/x86/hp/hp-bioscfg/int-attributes.c",
"drivers/platform/x86/hp/hp-bioscfg/order-list-attributes.c",
"drivers/platform/x86/hp/hp-bioscfg/passwdobj-attributes.c",
"drivers/platform/x86/hp/hp-bioscfg/string-attributes.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.6"
},
{
"lessThan": "6.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: hp-bioscfg: Fix out-of-bounds array access in ACPI package parsing\n\nThe hp_populate_*_elements_from_package() functions in the hp-bioscfg\ndriver contain out-of-bounds array access vulnerabilities.\n\nThese functions parse ACPI packages into internal data structures using\na for loop with index variable \u0027elem\u0027 that iterates through\nenum_obj/integer_obj/order_obj/password_obj/string_obj arrays.\n\nWhen processing multi-element fields like PREREQUISITES and\nENUM_POSSIBLE_VALUES, these functions read multiple consecutive array\nelements using expressions like \u0027enum_obj[elem + reqs]\u0027 and\n\u0027enum_obj[elem + pos_values]\u0027 within nested loops.\n\nThe bug is that the bounds check only validated elem, but did not consider\nthe additional offset when accessing elem + reqs or elem + pos_values.\n\nThe fix changes the bounds check to validate the actual accessed index."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:54.036Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cf7ae870560b988247a4bbbe5399edd326632680"
},
{
"url": "https://git.kernel.org/stable/c/db4c26adf7117b1a4431d1197ae7109fee3230ad"
},
{
"url": "https://git.kernel.org/stable/c/79cab730dbaaac03b946c7f5681bd08c986e2abd"
},
{
"url": "https://git.kernel.org/stable/c/e44c42c830b7ab36e3a3a86321c619f24def5206"
}
],
"title": "platform/x86: hp-bioscfg: Fix out-of-bounds array access in ACPI package parsing",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71101",
"datePublished": "2026-01-13T15:34:59.717Z",
"dateReserved": "2026-01-13T15:30:19.651Z",
"dateUpdated": "2026-02-09T08:34:54.036Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-22111 (GCVE-0-2025-22111)
Vulnerability from cvelistv5
Published
2025-04-16 14:12
Modified
2026-01-19 12:17
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF.
SIOCBRDELIF is passed to dev_ioctl() first and later forwarded to
br_ioctl_call(), which causes unnecessary RTNL dance and the splat
below [0] under RTNL pressure.
Let's say Thread A is trying to detach a device from a bridge and
Thread B is trying to remove the bridge.
In dev_ioctl(), Thread A bumps the bridge device's refcnt by
netdev_hold() and releases RTNL because the following br_ioctl_call()
also re-acquires RTNL.
In the race window, Thread B could acquire RTNL and try to remove
the bridge device. Then, rtnl_unlock() by Thread B will release RTNL
and wait for netdev_put() by Thread A.
Thread A, however, must hold RTNL after the unlock in dev_ifsioc(),
which may take long under RTNL pressure, resulting in the splat by
Thread B.
Thread A (SIOCBRDELIF) Thread B (SIOCBRDELBR)
---------------------- ----------------------
sock_ioctl sock_ioctl
`- sock_do_ioctl `- br_ioctl_call
`- dev_ioctl `- br_ioctl_stub
|- rtnl_lock |
|- dev_ifsioc '
' |- dev = __dev_get_by_name(...)
|- netdev_hold(dev, ...) .
/ |- rtnl_unlock ------. |
| |- br_ioctl_call `---> |- rtnl_lock
Race | | `- br_ioctl_stub |- br_del_bridge
Window | | | |- dev = __dev_get_by_name(...)
| | | May take long | `- br_dev_delete(dev, ...)
| | | under RTNL pressure | `- unregister_netdevice_queue(dev, ...)
| | | | `- rtnl_unlock
\ | |- rtnl_lock <-' `- netdev_run_todo
| |- ... `- netdev_run_todo
| `- rtnl_unlock |- __rtnl_unlock
| |- netdev_wait_allrefs_any
|- netdev_put(dev, ...) <----------------'
Wait refcnt decrement
and log splat below
To avoid blocking SIOCBRDELBR unnecessarily, let's not call
dev_ioctl() for SIOCBRADDIF and SIOCBRDELIF.
In the dev_ioctl() path, we do the following:
1. Copy struct ifreq by get_user_ifreq in sock_do_ioctl()
2. Check CAP_NET_ADMIN in dev_ioctl()
3. Call dev_load() in dev_ioctl()
4. Fetch the master dev from ifr.ifr_name in dev_ifsioc()
3. can be done by request_module() in br_ioctl_call(), so we move
1., 2., and 4. to br_ioctl_stub().
Note that 2. is also checked later in add_del_if(), but it's better
performed before RTNL.
SIOCBRADDIF and SIOCBRDELIF have been processed in dev_ioctl() since
the pre-git era, and there seems to be no specific reason to process
them there.
[0]:
unregister_netdevice: waiting for wpan3 to become free. Usage count = 2
ref_tracker: wpan3@ffff8880662d8608 has 1/1 users at
__netdev_tracker_alloc include/linux/netdevice.h:4282 [inline]
netdev_hold include/linux/netdevice.h:4311 [inline]
dev_ifsioc+0xc6a/0x1160 net/core/dev_ioctl.c:624
dev_ioctl+0x255/0x10c0 net/core/dev_ioctl.c:826
sock_do_ioctl+0x1ca/0x260 net/socket.c:1213
sock_ioctl+0x23a/0x6c0 net/socket.c:1318
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:906 [inline]
__se_sys_ioctl fs/ioctl.c:892 [inline]
__x64_sys_ioctl+0x1a4/0x210 fs/ioctl.c:892
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 893b195875340cb44b54c9db99e708145f1210e8 Version: 893b195875340cb44b54c9db99e708145f1210e8 Version: 893b195875340cb44b54c9db99e708145f1210e8 Version: 893b195875340cb44b54c9db99e708145f1210e8 Version: 893b195875340cb44b54c9db99e708145f1210e8 Version: 893b195875340cb44b54c9db99e708145f1210e8 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/if_bridge.h",
"net/bridge/br_ioctl.c",
"net/bridge/br_private.h",
"net/core/dev_ioctl.c",
"net/socket.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f51e471cb1577d510c3096e126678e1ea20d2efd",
"status": "affected",
"version": "893b195875340cb44b54c9db99e708145f1210e8",
"versionType": "git"
},
{
"lessThan": "338a0f3c66aef4ee13052880d02200aae8f2d8a8",
"status": "affected",
"version": "893b195875340cb44b54c9db99e708145f1210e8",
"versionType": "git"
},
{
"lessThan": "d767ce15045df510f55cdd2af5df0eee71f928d0",
"status": "affected",
"version": "893b195875340cb44b54c9db99e708145f1210e8",
"versionType": "git"
},
{
"lessThan": "4888e1dcc341e9a132ef7b8516234b3c3296de56",
"status": "affected",
"version": "893b195875340cb44b54c9db99e708145f1210e8",
"versionType": "git"
},
{
"lessThan": "00fe0ac64efd1f5373b3dd9f1f84b19235371e39",
"status": "affected",
"version": "893b195875340cb44b54c9db99e708145f1210e8",
"versionType": "git"
},
{
"lessThan": "ed3ba9b6e280e14cc3148c1b226ba453f02fa76c",
"status": "affected",
"version": "893b195875340cb44b54c9db99e708145f1210e8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/if_bridge.h",
"net/bridge/br_ioctl.c",
"net/bridge/br_private.h",
"net/core/dev_ioctl.c",
"net/socket.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.65",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.65",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.2",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF.\n\nSIOCBRDELIF is passed to dev_ioctl() first and later forwarded to\nbr_ioctl_call(), which causes unnecessary RTNL dance and the splat\nbelow [0] under RTNL pressure.\n\nLet\u0027s say Thread A is trying to detach a device from a bridge and\nThread B is trying to remove the bridge.\n\nIn dev_ioctl(), Thread A bumps the bridge device\u0027s refcnt by\nnetdev_hold() and releases RTNL because the following br_ioctl_call()\nalso re-acquires RTNL.\n\nIn the race window, Thread B could acquire RTNL and try to remove\nthe bridge device. Then, rtnl_unlock() by Thread B will release RTNL\nand wait for netdev_put() by Thread A.\n\nThread A, however, must hold RTNL after the unlock in dev_ifsioc(),\nwhich may take long under RTNL pressure, resulting in the splat by\nThread B.\n\n Thread A (SIOCBRDELIF) Thread B (SIOCBRDELBR)\n ---------------------- ----------------------\n sock_ioctl sock_ioctl\n `- sock_do_ioctl `- br_ioctl_call\n `- dev_ioctl `- br_ioctl_stub\n |- rtnl_lock |\n |- dev_ifsioc \u0027\n \u0027 |- dev = __dev_get_by_name(...)\n |- netdev_hold(dev, ...) .\n / |- rtnl_unlock ------. |\n | |- br_ioctl_call `---\u003e |- rtnl_lock\n Race | | `- br_ioctl_stub |- br_del_bridge\n Window | | | |- dev = __dev_get_by_name(...)\n | | | May take long | `- br_dev_delete(dev, ...)\n | | | under RTNL pressure | `- unregister_netdevice_queue(dev, ...)\n | | | | `- rtnl_unlock\n \\ | |- rtnl_lock \u003c-\u0027 `- netdev_run_todo\n | |- ... `- netdev_run_todo\n | `- rtnl_unlock |- __rtnl_unlock\n | |- netdev_wait_allrefs_any\n |- netdev_put(dev, ...) \u003c----------------\u0027\n Wait refcnt decrement\n and log splat below\n\nTo avoid blocking SIOCBRDELBR unnecessarily, let\u0027s not call\ndev_ioctl() for SIOCBRADDIF and SIOCBRDELIF.\n\nIn the dev_ioctl() path, we do the following:\n\n 1. Copy struct ifreq by get_user_ifreq in sock_do_ioctl()\n 2. Check CAP_NET_ADMIN in dev_ioctl()\n 3. Call dev_load() in dev_ioctl()\n 4. Fetch the master dev from ifr.ifr_name in dev_ifsioc()\n\n3. can be done by request_module() in br_ioctl_call(), so we move\n1., 2., and 4. to br_ioctl_stub().\n\nNote that 2. is also checked later in add_del_if(), but it\u0027s better\nperformed before RTNL.\n\nSIOCBRADDIF and SIOCBRDELIF have been processed in dev_ioctl() since\nthe pre-git era, and there seems to be no specific reason to process\nthem there.\n\n[0]:\nunregister_netdevice: waiting for wpan3 to become free. Usage count = 2\nref_tracker: wpan3@ffff8880662d8608 has 1/1 users at\n __netdev_tracker_alloc include/linux/netdevice.h:4282 [inline]\n netdev_hold include/linux/netdevice.h:4311 [inline]\n dev_ifsioc+0xc6a/0x1160 net/core/dev_ioctl.c:624\n dev_ioctl+0x255/0x10c0 net/core/dev_ioctl.c:826\n sock_do_ioctl+0x1ca/0x260 net/socket.c:1213\n sock_ioctl+0x23a/0x6c0 net/socket.c:1318\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:906 [inline]\n __se_sys_ioctl fs/ioctl.c:892 [inline]\n __x64_sys_ioctl+0x1a4/0x210 fs/ioctl.c:892\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:17:54.573Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f51e471cb1577d510c3096e126678e1ea20d2efd"
},
{
"url": "https://git.kernel.org/stable/c/338a0f3c66aef4ee13052880d02200aae8f2d8a8"
},
{
"url": "https://git.kernel.org/stable/c/d767ce15045df510f55cdd2af5df0eee71f928d0"
},
{
"url": "https://git.kernel.org/stable/c/4888e1dcc341e9a132ef7b8516234b3c3296de56"
},
{
"url": "https://git.kernel.org/stable/c/00fe0ac64efd1f5373b3dd9f1f84b19235371e39"
},
{
"url": "https://git.kernel.org/stable/c/ed3ba9b6e280e14cc3148c1b226ba453f02fa76c"
}
],
"title": "net: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-22111",
"datePublished": "2025-04-16T14:12:57.719Z",
"dateReserved": "2024-12-29T08:45:45.820Z",
"dateUpdated": "2026-01-19T12:17:54.573Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23145 (GCVE-0-2026-23145)
Vulnerability from cvelistv5
Published
2026-02-14 15:36
Modified
2026-02-14 15:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix iloc.bh leak in ext4_xattr_inode_update_ref
The error branch for ext4_xattr_inode_update_ref forget to release the
refcount for iloc.bh. Find this when review code.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1cfb3e4ddbdc8e02e637b8852540bd4718bf4814 Version: 505e69f76ac497e788f4ea0267826ec7266b40c8 Version: 3d6269028246f4484bfed403c947a114bb583631 Version: 79ea7f3e11effe1bd9e753172981d9029133a278 Version: 6b879c4c6bbaab03c0ad2a983953bd1410bb165e Version: 57295e835408d8d425bef58da5253465db3d6888 Version: 57295e835408d8d425bef58da5253465db3d6888 Version: ea39e712c2f5ae148ee5515798ae03523673e002 Version: 440b003f449a4ff2a00b08c8eab9ba5cd28f3943 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/xattr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7c9f059c3d531a12d7ad96cd34a44b8af7c00d5f",
"status": "affected",
"version": "1cfb3e4ddbdc8e02e637b8852540bd4718bf4814",
"versionType": "git"
},
{
"lessThan": "6241cd1d0acc2363016ac55b8773ba1332dd59d7",
"status": "affected",
"version": "505e69f76ac497e788f4ea0267826ec7266b40c8",
"versionType": "git"
},
{
"lessThan": "3b00c16e42428a1ecd3a5eb9cc37f8ad9bd47626",
"status": "affected",
"version": "3d6269028246f4484bfed403c947a114bb583631",
"versionType": "git"
},
{
"lessThan": "0b06cde92f2f960f4ebe3c988c69f2711f2a24dc",
"status": "affected",
"version": "79ea7f3e11effe1bd9e753172981d9029133a278",
"versionType": "git"
},
{
"lessThan": "8e8542c539927ae3898a4d02941f84e252e2dea1",
"status": "affected",
"version": "6b879c4c6bbaab03c0ad2a983953bd1410bb165e",
"versionType": "git"
},
{
"lessThan": "06e26287f2e349a28ad363941ffd9076bfed8b2e",
"status": "affected",
"version": "57295e835408d8d425bef58da5253465db3d6888",
"versionType": "git"
},
{
"lessThan": "d250bdf531d9cd4096fedbb9f172bb2ca660c868",
"status": "affected",
"version": "57295e835408d8d425bef58da5253465db3d6888",
"versionType": "git"
},
{
"status": "affected",
"version": "ea39e712c2f5ae148ee5515798ae03523673e002",
"versionType": "git"
},
{
"status": "affected",
"version": "440b003f449a4ff2a00b08c8eab9ba5cd28f3943",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/xattr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "5.10.246",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "5.15.195",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "6.1.157",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "6.6.113",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "6.12.54",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.301",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.17.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix iloc.bh leak in ext4_xattr_inode_update_ref\n\nThe error branch for ext4_xattr_inode_update_ref forget to release the\nrefcount for iloc.bh. Find this when review code."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T15:36:10.207Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7c9f059c3d531a12d7ad96cd34a44b8af7c00d5f"
},
{
"url": "https://git.kernel.org/stable/c/6241cd1d0acc2363016ac55b8773ba1332dd59d7"
},
{
"url": "https://git.kernel.org/stable/c/3b00c16e42428a1ecd3a5eb9cc37f8ad9bd47626"
},
{
"url": "https://git.kernel.org/stable/c/0b06cde92f2f960f4ebe3c988c69f2711f2a24dc"
},
{
"url": "https://git.kernel.org/stable/c/8e8542c539927ae3898a4d02941f84e252e2dea1"
},
{
"url": "https://git.kernel.org/stable/c/06e26287f2e349a28ad363941ffd9076bfed8b2e"
},
{
"url": "https://git.kernel.org/stable/c/d250bdf531d9cd4096fedbb9f172bb2ca660c868"
}
],
"title": "ext4: fix iloc.bh leak in ext4_xattr_inode_update_ref",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23145",
"datePublished": "2026-02-14T15:36:10.207Z",
"dateReserved": "2026-01-13T15:37:45.974Z",
"dateUpdated": "2026-02-14T15:36:10.207Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22984 (GCVE-0-2026-22984)
Vulnerability from cvelistv5
Published
2026-01-23 15:24
Modified
2026-02-09 08:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
libceph: prevent potential out-of-bounds reads in handle_auth_done()
Perform an explicit bounds check on payload_len to avoid a possible
out-of-bounds access in the callout.
[ idryomov: changelog ]
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: cd1a677cad994021b19665ed476aea63f5d54f31 Version: cd1a677cad994021b19665ed476aea63f5d54f31 Version: cd1a677cad994021b19665ed476aea63f5d54f31 Version: cd1a677cad994021b19665ed476aea63f5d54f31 Version: cd1a677cad994021b19665ed476aea63f5d54f31 Version: cd1a677cad994021b19665ed476aea63f5d54f31 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ceph/messenger_v2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "194cfe2af4d2a1de599d39dad636b47c2f6c2c96",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
},
{
"lessThan": "79fe3511db416d2f2edcfd93569807cb02736e5e",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
},
{
"lessThan": "ef208ea331ef688729f64089b895ed1b49e842e3",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
},
{
"lessThan": "2802ef3380fa8c4a08cda51ec1f085b1a712e9e2",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
},
{
"lessThan": "2d653bb63d598ae4b096dd678744bdcc34ee89e8",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
},
{
"lessThan": "818156caffbf55cb4d368f9c3cac64e458fb49c9",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ceph/messenger_v2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: prevent potential out-of-bounds reads in handle_auth_done()\n\nPerform an explicit bounds check on payload_len to avoid a possible\nout-of-bounds access in the callout.\n\n[ idryomov: changelog ]"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:34.605Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/194cfe2af4d2a1de599d39dad636b47c2f6c2c96"
},
{
"url": "https://git.kernel.org/stable/c/79fe3511db416d2f2edcfd93569807cb02736e5e"
},
{
"url": "https://git.kernel.org/stable/c/ef208ea331ef688729f64089b895ed1b49e842e3"
},
{
"url": "https://git.kernel.org/stable/c/2802ef3380fa8c4a08cda51ec1f085b1a712e9e2"
},
{
"url": "https://git.kernel.org/stable/c/2d653bb63d598ae4b096dd678744bdcc34ee89e8"
},
{
"url": "https://git.kernel.org/stable/c/818156caffbf55cb4d368f9c3cac64e458fb49c9"
}
],
"title": "libceph: prevent potential out-of-bounds reads in handle_auth_done()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-22984",
"datePublished": "2026-01-23T15:24:06.245Z",
"dateReserved": "2026-01-13T15:37:45.936Z",
"dateUpdated": "2026-02-09T08:36:34.605Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68351 (GCVE-0-2025-68351)
Vulnerability from cvelistv5
Published
2025-12-24 10:32
Modified
2026-02-09 08:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
exfat: fix refcount leak in exfat_find
Fix refcount leaks in `exfat_find` related to `exfat_get_dentry_set`.
Function `exfat_get_dentry_set` would increase the reference counter of
`es->bh` on success. Therefore, `exfat_put_dentry_set` must be called
after `exfat_get_dentry_set` to ensure refcount consistency. This patch
relocate two checks to avoid possible leaks.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/exfat/namei.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fc9ce762525e73438d31b613f18bca92a4d3d578",
"status": "affected",
"version": "92075758782c5edb4c67d0da9e47586a624c22f7",
"versionType": "git"
},
{
"lessThan": "d009ff8959d28d2a33aeb96a5f7e7161c421d78f",
"status": "affected",
"version": "13940cef95491472760ca261b6713692ece9b946",
"versionType": "git"
},
{
"lessThan": "9aee8de970f18c2aaaa348e3de86c38e2d956c1d",
"status": "affected",
"version": "13940cef95491472760ca261b6713692ece9b946",
"versionType": "git"
},
{
"status": "affected",
"version": "0c8a1d2afd0dce0ea9257ab8c2271d8db6cb575d",
"versionType": "git"
},
{
"status": "affected",
"version": "6c627bcc1896ba62ec793d0c00da74f3c93ce3ad",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/exfat/namei.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.14"
},
{
"lessThan": "6.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "6.12.23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.13.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.12.59",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nexfat: fix refcount leak in exfat_find\n\nFix refcount leaks in `exfat_find` related to `exfat_get_dentry_set`.\n\nFunction `exfat_get_dentry_set` would increase the reference counter of\n`es-\u003ebh` on success. Therefore, `exfat_put_dentry_set` must be called\nafter `exfat_get_dentry_set` to ensure refcount consistency. This patch\nrelocate two checks to avoid possible leaks."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:31:46.405Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fc9ce762525e73438d31b613f18bca92a4d3d578"
},
{
"url": "https://git.kernel.org/stable/c/d009ff8959d28d2a33aeb96a5f7e7161c421d78f"
},
{
"url": "https://git.kernel.org/stable/c/9aee8de970f18c2aaaa348e3de86c38e2d956c1d"
}
],
"title": "exfat: fix refcount leak in exfat_find",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68351",
"datePublished": "2025-12-24T10:32:42.683Z",
"dateReserved": "2025-12-16T14:48:05.300Z",
"dateUpdated": "2026-02-09T08:31:46.405Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68776 (GCVE-0-2025-68776)
Vulnerability from cvelistv5
Published
2026-01-13 15:28
Modified
2026-02-09 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/hsr: fix NULL pointer dereference in prp_get_untagged_frame()
prp_get_untagged_frame() calls __pskb_copy() to create frame->skb_std
but doesn't check if the allocation failed. If __pskb_copy() returns
NULL, skb_clone() is called with a NULL pointer, causing a crash:
Oops: general protection fault, probably for non-canonical address 0xdffffc000000000f: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000078-0x000000000000007f]
CPU: 0 UID: 0 PID: 5625 Comm: syz.1.18 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:skb_clone+0xd7/0x3a0 net/core/skbuff.c:2041
Code: 03 42 80 3c 20 00 74 08 4c 89 f7 e8 23 29 05 f9 49 83 3e 00 0f 85 a0 01 00 00 e8 94 dd 9d f8 48 8d 6b 7e 49 89 ee 49 c1 ee 03 <43> 0f b6 04 26 84 c0 0f 85 d1 01 00 00 44 0f b6 7d 00 41 83 e7 0c
RSP: 0018:ffffc9000d00f200 EFLAGS: 00010207
RAX: ffffffff892235a1 RBX: 0000000000000000 RCX: ffff88803372a480
RDX: 0000000000000000 RSI: 0000000000000820 RDI: 0000000000000000
RBP: 000000000000007e R08: ffffffff8f7d0f77 R09: 1ffffffff1efa1ee
R10: dffffc0000000000 R11: fffffbfff1efa1ef R12: dffffc0000000000
R13: 0000000000000820 R14: 000000000000000f R15: ffff88805144cc00
FS: 0000555557f6d500(0000) GS:ffff88808d72f000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555581d35808 CR3: 000000005040e000 CR4: 0000000000352ef0
Call Trace:
<TASK>
hsr_forward_do net/hsr/hsr_forward.c:-1 [inline]
hsr_forward_skb+0x1013/0x2860 net/hsr/hsr_forward.c:741
hsr_handle_frame+0x6ce/0xa70 net/hsr/hsr_slave.c:84
__netif_receive_skb_core+0x10b9/0x4380 net/core/dev.c:5966
__netif_receive_skb_one_core net/core/dev.c:6077 [inline]
__netif_receive_skb+0x72/0x380 net/core/dev.c:6192
netif_receive_skb_internal net/core/dev.c:6278 [inline]
netif_receive_skb+0x1cb/0x790 net/core/dev.c:6337
tun_rx_batched+0x1b9/0x730 drivers/net/tun.c:1485
tun_get_user+0x2b65/0x3e90 drivers/net/tun.c:1953
tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1999
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0x5c9/0xb30 fs/read_write.c:686
ksys_write+0x145/0x250 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f0449f8e1ff
Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 f9 92 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 4c 93 02 00 48
RSP: 002b:00007ffd7ad94c90 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f044a1e5fa0 RCX: 00007f0449f8e1ff
RDX: 000000000000003e RSI: 0000200000000500 RDI: 00000000000000c8
RBP: 00007ffd7ad94d20 R08: 0000000000000000 R09: 0000000000000000
R10: 000000000000003e R11: 0000000000000293 R12: 0000000000000001
R13: 00007f044a1e5fa0 R14: 00007f044a1e5fa0 R15: 0000000000000003
</TASK>
Add a NULL check immediately after __pskb_copy() to handle allocation
failures gracefully.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: f266a683a4804dc499efc6c2206ef68efed029d0 Version: f266a683a4804dc499efc6c2206ef68efed029d0 Version: f266a683a4804dc499efc6c2206ef68efed029d0 Version: f266a683a4804dc499efc6c2206ef68efed029d0 Version: f266a683a4804dc499efc6c2206ef68efed029d0 Version: f266a683a4804dc499efc6c2206ef68efed029d0 Version: f266a683a4804dc499efc6c2206ef68efed029d0 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/hsr/hsr_forward.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3ce95a57d8a1f0e20b637cdeddaaed81831ca819",
"status": "affected",
"version": "f266a683a4804dc499efc6c2206ef68efed029d0",
"versionType": "git"
},
{
"lessThan": "c851e43b88b40bb7c20176c51cbf4f8c8d960dd9",
"status": "affected",
"version": "f266a683a4804dc499efc6c2206ef68efed029d0",
"versionType": "git"
},
{
"lessThan": "7be6d25f4d974e44918ba3a5d58ebb9d36879087",
"status": "affected",
"version": "f266a683a4804dc499efc6c2206ef68efed029d0",
"versionType": "git"
},
{
"lessThan": "8f289fa12926aae44347ca7d490e216555d8f255",
"status": "affected",
"version": "f266a683a4804dc499efc6c2206ef68efed029d0",
"versionType": "git"
},
{
"lessThan": "1742974c24a9c1f1fd2e5edca0cbaccb720b397a",
"status": "affected",
"version": "f266a683a4804dc499efc6c2206ef68efed029d0",
"versionType": "git"
},
{
"lessThan": "6220d38a08f8837575cd8f830928b49a3a5a5095",
"status": "affected",
"version": "f266a683a4804dc499efc6c2206ef68efed029d0",
"versionType": "git"
},
{
"lessThan": "188e0fa5a679570ea35474575e724d8211423d17",
"status": "affected",
"version": "f266a683a4804dc499efc6c2206ef68efed029d0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/hsr/hsr_forward.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.17"
},
{
"lessThan": "3.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/hsr: fix NULL pointer dereference in prp_get_untagged_frame()\n\nprp_get_untagged_frame() calls __pskb_copy() to create frame-\u003eskb_std\nbut doesn\u0027t check if the allocation failed. If __pskb_copy() returns\nNULL, skb_clone() is called with a NULL pointer, causing a crash:\n\nOops: general protection fault, probably for non-canonical address 0xdffffc000000000f: 0000 [#1] SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x0000000000000078-0x000000000000007f]\nCPU: 0 UID: 0 PID: 5625 Comm: syz.1.18 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nRIP: 0010:skb_clone+0xd7/0x3a0 net/core/skbuff.c:2041\nCode: 03 42 80 3c 20 00 74 08 4c 89 f7 e8 23 29 05 f9 49 83 3e 00 0f 85 a0 01 00 00 e8 94 dd 9d f8 48 8d 6b 7e 49 89 ee 49 c1 ee 03 \u003c43\u003e 0f b6 04 26 84 c0 0f 85 d1 01 00 00 44 0f b6 7d 00 41 83 e7 0c\nRSP: 0018:ffffc9000d00f200 EFLAGS: 00010207\nRAX: ffffffff892235a1 RBX: 0000000000000000 RCX: ffff88803372a480\nRDX: 0000000000000000 RSI: 0000000000000820 RDI: 0000000000000000\nRBP: 000000000000007e R08: ffffffff8f7d0f77 R09: 1ffffffff1efa1ee\nR10: dffffc0000000000 R11: fffffbfff1efa1ef R12: dffffc0000000000\nR13: 0000000000000820 R14: 000000000000000f R15: ffff88805144cc00\nFS: 0000555557f6d500(0000) GS:ffff88808d72f000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000555581d35808 CR3: 000000005040e000 CR4: 0000000000352ef0\nCall Trace:\n \u003cTASK\u003e\n hsr_forward_do net/hsr/hsr_forward.c:-1 [inline]\n hsr_forward_skb+0x1013/0x2860 net/hsr/hsr_forward.c:741\n hsr_handle_frame+0x6ce/0xa70 net/hsr/hsr_slave.c:84\n __netif_receive_skb_core+0x10b9/0x4380 net/core/dev.c:5966\n __netif_receive_skb_one_core net/core/dev.c:6077 [inline]\n __netif_receive_skb+0x72/0x380 net/core/dev.c:6192\n netif_receive_skb_internal net/core/dev.c:6278 [inline]\n netif_receive_skb+0x1cb/0x790 net/core/dev.c:6337\n tun_rx_batched+0x1b9/0x730 drivers/net/tun.c:1485\n tun_get_user+0x2b65/0x3e90 drivers/net/tun.c:1953\n tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1999\n new_sync_write fs/read_write.c:593 [inline]\n vfs_write+0x5c9/0xb30 fs/read_write.c:686\n ksys_write+0x145/0x250 fs/read_write.c:738\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f0449f8e1ff\nCode: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 f9 92 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 \u003c48\u003e 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 4c 93 02 00 48\nRSP: 002b:00007ffd7ad94c90 EFLAGS: 00000293 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 00007f044a1e5fa0 RCX: 00007f0449f8e1ff\nRDX: 000000000000003e RSI: 0000200000000500 RDI: 00000000000000c8\nRBP: 00007ffd7ad94d20 R08: 0000000000000000 R09: 0000000000000000\nR10: 000000000000003e R11: 0000000000000293 R12: 0000000000000001\nR13: 00007f044a1e5fa0 R14: 00007f044a1e5fa0 R15: 0000000000000003\n \u003c/TASK\u003e\n\nAdd a NULL check immediately after __pskb_copy() to handle allocation\nfailures gracefully."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:21.994Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3ce95a57d8a1f0e20b637cdeddaaed81831ca819"
},
{
"url": "https://git.kernel.org/stable/c/c851e43b88b40bb7c20176c51cbf4f8c8d960dd9"
},
{
"url": "https://git.kernel.org/stable/c/7be6d25f4d974e44918ba3a5d58ebb9d36879087"
},
{
"url": "https://git.kernel.org/stable/c/8f289fa12926aae44347ca7d490e216555d8f255"
},
{
"url": "https://git.kernel.org/stable/c/1742974c24a9c1f1fd2e5edca0cbaccb720b397a"
},
{
"url": "https://git.kernel.org/stable/c/6220d38a08f8837575cd8f830928b49a3a5a5095"
},
{
"url": "https://git.kernel.org/stable/c/188e0fa5a679570ea35474575e724d8211423d17"
}
],
"title": "net/hsr: fix NULL pointer dereference in prp_get_untagged_frame()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68776",
"datePublished": "2026-01-13T15:28:52.766Z",
"dateReserved": "2025-12-24T10:30:51.035Z",
"dateUpdated": "2026-02-09T08:33:21.994Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38057 (GCVE-0-2025-38057)
Vulnerability from cvelistv5
Published
2025-06-18 09:33
Modified
2026-02-06 16:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
espintcp: fix skb leaks
A few error paths are missing a kfree_skb.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: e27cca96cd68fa2c6814c90f9a1cfd36bb68c593 Version: e27cca96cd68fa2c6814c90f9a1cfd36bb68c593 Version: e27cca96cd68fa2c6814c90f9a1cfd36bb68c593 Version: e27cca96cd68fa2c6814c90f9a1cfd36bb68c593 Version: e27cca96cd68fa2c6814c90f9a1cfd36bb68c593 Version: e27cca96cd68fa2c6814c90f9a1cfd36bb68c593 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/esp4.c",
"net/ipv6/esp6.c",
"net/xfrm/espintcp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "05db2b850a2b8b17f3d1799f563ea1d550e05ed5",
"status": "affected",
"version": "e27cca96cd68fa2c6814c90f9a1cfd36bb68c593",
"versionType": "git"
},
{
"lessThan": "e2e1f50fc5ebd2826c4e8c558dc65434382d0c0b",
"status": "affected",
"version": "e27cca96cd68fa2c6814c90f9a1cfd36bb68c593",
"versionType": "git"
},
{
"lessThan": "d8d79cf8c2b7475c22f9874eb844bcc80f858b13",
"status": "affected",
"version": "e27cca96cd68fa2c6814c90f9a1cfd36bb68c593",
"versionType": "git"
},
{
"lessThan": "28756f22de48d25256ed89234b66b9037a3f0157",
"status": "affected",
"version": "e27cca96cd68fa2c6814c90f9a1cfd36bb68c593",
"versionType": "git"
},
{
"lessThan": "eb058693dfc93ed7a9c365adb899fedd648b9d9f",
"status": "affected",
"version": "e27cca96cd68fa2c6814c90f9a1cfd36bb68c593",
"versionType": "git"
},
{
"lessThan": "63c1f19a3be3169e51a5812d22a6d0c879414076",
"status": "affected",
"version": "e27cca96cd68fa2c6814c90f9a1cfd36bb68c593",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/esp4.c",
"net/ipv6/esp6.c",
"net/xfrm/espintcp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.31",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.31",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.9",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nespintcp: fix skb leaks\n\nA few error paths are missing a kfree_skb."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T16:31:07.704Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/05db2b850a2b8b17f3d1799f563ea1d550e05ed5"
},
{
"url": "https://git.kernel.org/stable/c/e2e1f50fc5ebd2826c4e8c558dc65434382d0c0b"
},
{
"url": "https://git.kernel.org/stable/c/d8d79cf8c2b7475c22f9874eb844bcc80f858b13"
},
{
"url": "https://git.kernel.org/stable/c/28756f22de48d25256ed89234b66b9037a3f0157"
},
{
"url": "https://git.kernel.org/stable/c/eb058693dfc93ed7a9c365adb899fedd648b9d9f"
},
{
"url": "https://git.kernel.org/stable/c/63c1f19a3be3169e51a5812d22a6d0c879414076"
}
],
"title": "espintcp: fix skb leaks",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38057",
"datePublished": "2025-06-18T09:33:37.148Z",
"dateReserved": "2025-04-16T04:51:23.979Z",
"dateUpdated": "2026-02-06T16:31:07.704Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68185 (GCVE-0-2025-68185)
Vulnerability from cvelistv5
Published
2025-12-16 13:43
Modified
2026-01-02 15:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nfs4_setup_readdir(): insufficient locking for ->d_parent->d_inode dereferencing
Theoretically it's an oopsable race, but I don't believe one can manage
to hit it on real hardware; might become doable on a KVM, but it still
won't be easy to attack.
Anyway, it's easy to deal with - since xdr_encode_hyper() is just a call of
put_unaligned_be64(), we can put that under ->d_lock and be done with that.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfs/nfs4proc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6025f641a0e30afdc5aa62017397b1860ad9f677",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e6cafe71eb3b5579b245ba1bd528a181e77f3df1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fa4daf7d11e45b72aad5d943a7ab991f869fff79",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "504b3fb9948a9e96ebbabdee0d33966a8bab15cb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "eacfd08b26a062f1095b18719715bc82ad35312e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "40be5b9080114f18b0cea386db415b68a7273c1a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f5e570eaab36a110c6ffda32b87c51170990c2d1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a890a2e339b929dbd843328f9a92a1625404fe63",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfs/nfs4proc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfs4_setup_readdir(): insufficient locking for -\u003ed_parent-\u003ed_inode dereferencing\n\nTheoretically it\u0027s an oopsable race, but I don\u0027t believe one can manage\nto hit it on real hardware; might become doable on a KVM, but it still\nwon\u0027t be easy to attack.\n\nAnyway, it\u0027s easy to deal with - since xdr_encode_hyper() is just a call of\nput_unaligned_be64(), we can put that under -\u003ed_lock and be done with that."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:34:15.709Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6025f641a0e30afdc5aa62017397b1860ad9f677"
},
{
"url": "https://git.kernel.org/stable/c/e6cafe71eb3b5579b245ba1bd528a181e77f3df1"
},
{
"url": "https://git.kernel.org/stable/c/fa4daf7d11e45b72aad5d943a7ab991f869fff79"
},
{
"url": "https://git.kernel.org/stable/c/504b3fb9948a9e96ebbabdee0d33966a8bab15cb"
},
{
"url": "https://git.kernel.org/stable/c/eacfd08b26a062f1095b18719715bc82ad35312e"
},
{
"url": "https://git.kernel.org/stable/c/40be5b9080114f18b0cea386db415b68a7273c1a"
},
{
"url": "https://git.kernel.org/stable/c/f5e570eaab36a110c6ffda32b87c51170990c2d1"
},
{
"url": "https://git.kernel.org/stable/c/a890a2e339b929dbd843328f9a92a1625404fe63"
}
],
"title": "nfs4_setup_readdir(): insufficient locking for -\u003ed_parent-\u003ed_inode dereferencing",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68185",
"datePublished": "2025-12-16T13:43:02.894Z",
"dateReserved": "2025-12-16T13:41:40.252Z",
"dateUpdated": "2026-01-02T15:34:15.709Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22976 (GCVE-0-2026-22976)
Vulnerability from cvelistv5
Published
2026-01-21 06:57
Modified
2026-02-09 08:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: sch_qfq: Fix NULL deref when deactivating inactive aggregate in qfq_reset
`qfq_class->leaf_qdisc->q.qlen > 0` does not imply that the class
itself is active.
Two qfq_class objects may point to the same leaf_qdisc. This happens
when:
1. one QFQ qdisc is attached to the dev as the root qdisc, and
2. another QFQ qdisc is temporarily referenced (e.g., via qdisc_get()
/ qdisc_put()) and is pending to be destroyed, as in function
tc_new_tfilter.
When packets are enqueued through the root QFQ qdisc, the shared
leaf_qdisc->q.qlen increases. At the same time, the second QFQ
qdisc triggers qdisc_put and qdisc_destroy: the qdisc enters
qfq_reset() with its own q->q.qlen == 0, but its class's leaf
qdisc->q.qlen > 0. Therefore, the qfq_reset would wrongly deactivate
an inactive aggregate and trigger a null-deref in qfq_deactivate_agg:
[ 0.903172] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 0.903571] #PF: supervisor write access in kernel mode
[ 0.903860] #PF: error_code(0x0002) - not-present page
[ 0.904177] PGD 10299b067 P4D 10299b067 PUD 10299c067 PMD 0
[ 0.904502] Oops: Oops: 0002 [#1] SMP NOPTI
[ 0.904737] CPU: 0 UID: 0 PID: 135 Comm: exploit Not tainted 6.19.0-rc3+ #2 NONE
[ 0.905157] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014
[ 0.905754] RIP: 0010:qfq_deactivate_agg (include/linux/list.h:992 (discriminator 2) include/linux/list.h:1006 (discriminator 2) net/sched/sch_qfq.c:1367 (discriminator 2) net/sched/sch_qfq.c:1393 (discriminator 2))
[ 0.906046] Code: 0f 84 4d 01 00 00 48 89 70 18 8b 4b 10 48 c7 c2 ff ff ff ff 48 8b 78 08 48 d3 e2 48 21 f2 48 2b 13 48 8b 30 48 d3 ea 8b 4b 18 0
Code starting with the faulting instruction
===========================================
0: 0f 84 4d 01 00 00 je 0x153
6: 48 89 70 18 mov %rsi,0x18(%rax)
a: 8b 4b 10 mov 0x10(%rbx),%ecx
d: 48 c7 c2 ff ff ff ff mov $0xffffffffffffffff,%rdx
14: 48 8b 78 08 mov 0x8(%rax),%rdi
18: 48 d3 e2 shl %cl,%rdx
1b: 48 21 f2 and %rsi,%rdx
1e: 48 2b 13 sub (%rbx),%rdx
21: 48 8b 30 mov (%rax),%rsi
24: 48 d3 ea shr %cl,%rdx
27: 8b 4b 18 mov 0x18(%rbx),%ecx
...
[ 0.907095] RSP: 0018:ffffc900004a39a0 EFLAGS: 00010246
[ 0.907368] RAX: ffff8881043a0880 RBX: ffff888102953340 RCX: 0000000000000000
[ 0.907723] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 0.908100] RBP: ffff888102952180 R08: 0000000000000000 R09: 0000000000000000
[ 0.908451] R10: ffff8881043a0000 R11: 0000000000000000 R12: ffff888102952000
[ 0.908804] R13: ffff888102952180 R14: ffff8881043a0ad8 R15: ffff8881043a0880
[ 0.909179] FS: 000000002a1a0380(0000) GS:ffff888196d8d000(0000) knlGS:0000000000000000
[ 0.909572] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 0.909857] CR2: 0000000000000000 CR3: 0000000102993002 CR4: 0000000000772ef0
[ 0.910247] PKRU: 55555554
[ 0.910391] Call Trace:
[ 0.910527] <TASK>
[ 0.910638] qfq_reset_qdisc (net/sched/sch_qfq.c:357 net/sched/sch_qfq.c:1485)
[ 0.910826] qdisc_reset (include/linux/skbuff.h:2195 include/linux/skbuff.h:2501 include/linux/skbuff.h:3424 include/linux/skbuff.h:3430 net/sched/sch_generic.c:1036)
[ 0.911040] __qdisc_destroy (net/sched/sch_generic.c:1076)
[ 0.911236] tc_new_tfilter (net/sched/cls_api.c:2447)
[ 0.911447] rtnetlink_rcv_msg (net/core/rtnetlink.c:6958)
[ 0.911663] ? __pfx_rtnetlink_rcv_msg (net/core/rtnetlink.c:6861)
[ 0.911894] netlink_rcv_skb (net/netlink/af_netlink.c:2550)
[ 0.912100] netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)
[ 0.912296] ? __alloc_skb (net/core/skbuff.c:706)
[ 0.912484] netlink_sendmsg (net/netlink/af
---truncated---
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 0545a3037773512d3448557ba048cebb73b3e4af Version: 0545a3037773512d3448557ba048cebb73b3e4af Version: 0545a3037773512d3448557ba048cebb73b3e4af Version: 0545a3037773512d3448557ba048cebb73b3e4af Version: 0545a3037773512d3448557ba048cebb73b3e4af Version: 0545a3037773512d3448557ba048cebb73b3e4af Version: 0545a3037773512d3448557ba048cebb73b3e4af |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_qfq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6116a83ec167d3ab1390cded854d237481f41b63",
"status": "affected",
"version": "0545a3037773512d3448557ba048cebb73b3e4af",
"versionType": "git"
},
{
"lessThan": "0809c4bc06c9c961222df29f2eccfd449304056f",
"status": "affected",
"version": "0545a3037773512d3448557ba048cebb73b3e4af",
"versionType": "git"
},
{
"lessThan": "cdb24200b043438a144df501f1ebbd926bb1a2c7",
"status": "affected",
"version": "0545a3037773512d3448557ba048cebb73b3e4af",
"versionType": "git"
},
{
"lessThan": "11bf9134613f6c71fc0ff36c5d8d33856f6ae3bb",
"status": "affected",
"version": "0545a3037773512d3448557ba048cebb73b3e4af",
"versionType": "git"
},
{
"lessThan": "43497313d0da3e12b5cfcd97aa17bf48ee663f95",
"status": "affected",
"version": "0545a3037773512d3448557ba048cebb73b3e4af",
"versionType": "git"
},
{
"lessThan": "51ffd447bc37bf1a5776b85523f51d2bc69977f6",
"status": "affected",
"version": "0545a3037773512d3448557ba048cebb73b3e4af",
"versionType": "git"
},
{
"lessThan": "c1d73b1480235731e35c81df70b08f4714a7d095",
"status": "affected",
"version": "0545a3037773512d3448557ba048cebb73b3e4af",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_qfq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.0"
},
{
"lessThan": "3.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_qfq: Fix NULL deref when deactivating inactive aggregate in qfq_reset\n\n`qfq_class-\u003eleaf_qdisc-\u003eq.qlen \u003e 0` does not imply that the class\nitself is active.\n\nTwo qfq_class objects may point to the same leaf_qdisc. This happens\nwhen:\n\n1. one QFQ qdisc is attached to the dev as the root qdisc, and\n\n2. another QFQ qdisc is temporarily referenced (e.g., via qdisc_get()\n/ qdisc_put()) and is pending to be destroyed, as in function\ntc_new_tfilter.\n\nWhen packets are enqueued through the root QFQ qdisc, the shared\nleaf_qdisc-\u003eq.qlen increases. At the same time, the second QFQ\nqdisc triggers qdisc_put and qdisc_destroy: the qdisc enters\nqfq_reset() with its own q-\u003eq.qlen == 0, but its class\u0027s leaf\nqdisc-\u003eq.qlen \u003e 0. Therefore, the qfq_reset would wrongly deactivate\nan inactive aggregate and trigger a null-deref in qfq_deactivate_agg:\n\n[ 0.903172] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[ 0.903571] #PF: supervisor write access in kernel mode\n[ 0.903860] #PF: error_code(0x0002) - not-present page\n[ 0.904177] PGD 10299b067 P4D 10299b067 PUD 10299c067 PMD 0\n[ 0.904502] Oops: Oops: 0002 [#1] SMP NOPTI\n[ 0.904737] CPU: 0 UID: 0 PID: 135 Comm: exploit Not tainted 6.19.0-rc3+ #2 NONE\n[ 0.905157] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014\n[ 0.905754] RIP: 0010:qfq_deactivate_agg (include/linux/list.h:992 (discriminator 2) include/linux/list.h:1006 (discriminator 2) net/sched/sch_qfq.c:1367 (discriminator 2) net/sched/sch_qfq.c:1393 (discriminator 2))\n[ 0.906046] Code: 0f 84 4d 01 00 00 48 89 70 18 8b 4b 10 48 c7 c2 ff ff ff ff 48 8b 78 08 48 d3 e2 48 21 f2 48 2b 13 48 8b 30 48 d3 ea 8b 4b 18 0\n\nCode starting with the faulting instruction\n===========================================\n 0:\t0f 84 4d 01 00 00 \tje 0x153\n 6:\t48 89 70 18 \tmov %rsi,0x18(%rax)\n a:\t8b 4b 10 \tmov 0x10(%rbx),%ecx\n d:\t48 c7 c2 ff ff ff ff \tmov $0xffffffffffffffff,%rdx\n 14:\t48 8b 78 08 \tmov 0x8(%rax),%rdi\n 18:\t48 d3 e2 \tshl %cl,%rdx\n 1b:\t48 21 f2 \tand %rsi,%rdx\n 1e:\t48 2b 13 \tsub (%rbx),%rdx\n 21:\t48 8b 30 \tmov (%rax),%rsi\n 24:\t48 d3 ea \tshr %cl,%rdx\n 27:\t8b 4b 18 \tmov 0x18(%rbx),%ecx\n\t...\n[ 0.907095] RSP: 0018:ffffc900004a39a0 EFLAGS: 00010246\n[ 0.907368] RAX: ffff8881043a0880 RBX: ffff888102953340 RCX: 0000000000000000\n[ 0.907723] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n[ 0.908100] RBP: ffff888102952180 R08: 0000000000000000 R09: 0000000000000000\n[ 0.908451] R10: ffff8881043a0000 R11: 0000000000000000 R12: ffff888102952000\n[ 0.908804] R13: ffff888102952180 R14: ffff8881043a0ad8 R15: ffff8881043a0880\n[ 0.909179] FS: 000000002a1a0380(0000) GS:ffff888196d8d000(0000) knlGS:0000000000000000\n[ 0.909572] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 0.909857] CR2: 0000000000000000 CR3: 0000000102993002 CR4: 0000000000772ef0\n[ 0.910247] PKRU: 55555554\n[ 0.910391] Call Trace:\n[ 0.910527] \u003cTASK\u003e\n[ 0.910638] qfq_reset_qdisc (net/sched/sch_qfq.c:357 net/sched/sch_qfq.c:1485)\n[ 0.910826] qdisc_reset (include/linux/skbuff.h:2195 include/linux/skbuff.h:2501 include/linux/skbuff.h:3424 include/linux/skbuff.h:3430 net/sched/sch_generic.c:1036)\n[ 0.911040] __qdisc_destroy (net/sched/sch_generic.c:1076)\n[ 0.911236] tc_new_tfilter (net/sched/cls_api.c:2447)\n[ 0.911447] rtnetlink_rcv_msg (net/core/rtnetlink.c:6958)\n[ 0.911663] ? __pfx_rtnetlink_rcv_msg (net/core/rtnetlink.c:6861)\n[ 0.911894] netlink_rcv_skb (net/netlink/af_netlink.c:2550)\n[ 0.912100] netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)\n[ 0.912296] ? __alloc_skb (net/core/skbuff.c:706)\n[ 0.912484] netlink_sendmsg (net/netlink/af\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:25.989Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6116a83ec167d3ab1390cded854d237481f41b63"
},
{
"url": "https://git.kernel.org/stable/c/0809c4bc06c9c961222df29f2eccfd449304056f"
},
{
"url": "https://git.kernel.org/stable/c/cdb24200b043438a144df501f1ebbd926bb1a2c7"
},
{
"url": "https://git.kernel.org/stable/c/11bf9134613f6c71fc0ff36c5d8d33856f6ae3bb"
},
{
"url": "https://git.kernel.org/stable/c/43497313d0da3e12b5cfcd97aa17bf48ee663f95"
},
{
"url": "https://git.kernel.org/stable/c/51ffd447bc37bf1a5776b85523f51d2bc69977f6"
},
{
"url": "https://git.kernel.org/stable/c/c1d73b1480235731e35c81df70b08f4714a7d095"
}
],
"title": "net/sched: sch_qfq: Fix NULL deref when deactivating inactive aggregate in qfq_reset",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-22976",
"datePublished": "2026-01-21T06:57:23.939Z",
"dateReserved": "2026-01-13T15:37:45.935Z",
"dateUpdated": "2026-02-09T08:36:25.989Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68808 (GCVE-0-2025-68808)
Vulnerability from cvelistv5
Published
2026-01-13 15:29
Modified
2026-02-09 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: vidtv: initialize local pointers upon transfer of memory ownership
vidtv_channel_si_init() creates a temporary list (program, service, event)
and ownership of the memory itself is transferred to the PAT/SDT/EIT
tables through vidtv_psi_pat_program_assign(),
vidtv_psi_sdt_service_assign(), vidtv_psi_eit_event_assign().
The problem here is that the local pointer where the memory ownership
transfer was completed is not initialized to NULL. This causes the
vidtv_psi_pmt_create_sec_for_each_pat_entry() function to fail, and
in the flow that jumps to free_eit, the memory that was freed by
vidtv_psi_*_table_destroy() can be accessed again by
vidtv_psi_*_event_destroy() due to the uninitialized local pointer, so it
is freed once again.
Therefore, to prevent use-after-free and double-free vulnerability,
local pointers must be initialized to NULL when transferring memory
ownership.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 3be8037960bccd13052cfdeba8805ad785041d70 Version: 3be8037960bccd13052cfdeba8805ad785041d70 Version: 3be8037960bccd13052cfdeba8805ad785041d70 Version: 3be8037960bccd13052cfdeba8805ad785041d70 Version: 3be8037960bccd13052cfdeba8805ad785041d70 Version: 3be8037960bccd13052cfdeba8805ad785041d70 Version: 3be8037960bccd13052cfdeba8805ad785041d70 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/test-drivers/vidtv/vidtv_channel.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c342e294dac4988c8ada759b2f057246e48c5108",
"status": "affected",
"version": "3be8037960bccd13052cfdeba8805ad785041d70",
"versionType": "git"
},
{
"lessThan": "12ab6ebb37789b84073e83e4d9b14a5e0d133323",
"status": "affected",
"version": "3be8037960bccd13052cfdeba8805ad785041d70",
"versionType": "git"
},
{
"lessThan": "3caa18d35f1dabe85a3dd31bc387f391ac9f9b4e",
"status": "affected",
"version": "3be8037960bccd13052cfdeba8805ad785041d70",
"versionType": "git"
},
{
"lessThan": "fb9bd6d8d314b748e946ed6555eb4a956ee8c4d8",
"status": "affected",
"version": "3be8037960bccd13052cfdeba8805ad785041d70",
"versionType": "git"
},
{
"lessThan": "a69c7fd603bf5ad93177394fbd9711922ee81032",
"status": "affected",
"version": "3be8037960bccd13052cfdeba8805ad785041d70",
"versionType": "git"
},
{
"lessThan": "30f4d4e5224a9e44e9ceb3956489462319d804ce",
"status": "affected",
"version": "3be8037960bccd13052cfdeba8805ad785041d70",
"versionType": "git"
},
{
"lessThan": "98aabfe2d79f74613abc2b0b1cef08f97eaf5322",
"status": "affected",
"version": "3be8037960bccd13052cfdeba8805ad785041d70",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/test-drivers/vidtv/vidtv_channel.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: vidtv: initialize local pointers upon transfer of memory ownership\n\nvidtv_channel_si_init() creates a temporary list (program, service, event)\nand ownership of the memory itself is transferred to the PAT/SDT/EIT\ntables through vidtv_psi_pat_program_assign(),\nvidtv_psi_sdt_service_assign(), vidtv_psi_eit_event_assign().\n\nThe problem here is that the local pointer where the memory ownership\ntransfer was completed is not initialized to NULL. This causes the\nvidtv_psi_pmt_create_sec_for_each_pat_entry() function to fail, and\nin the flow that jumps to free_eit, the memory that was freed by\nvidtv_psi_*_table_destroy() can be accessed again by\nvidtv_psi_*_event_destroy() due to the uninitialized local pointer, so it\nis freed once again.\n\nTherefore, to prevent use-after-free and double-free vulnerability,\nlocal pointers must be initialized to NULL when transferring memory\nownership."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:57.275Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c342e294dac4988c8ada759b2f057246e48c5108"
},
{
"url": "https://git.kernel.org/stable/c/12ab6ebb37789b84073e83e4d9b14a5e0d133323"
},
{
"url": "https://git.kernel.org/stable/c/3caa18d35f1dabe85a3dd31bc387f391ac9f9b4e"
},
{
"url": "https://git.kernel.org/stable/c/fb9bd6d8d314b748e946ed6555eb4a956ee8c4d8"
},
{
"url": "https://git.kernel.org/stable/c/a69c7fd603bf5ad93177394fbd9711922ee81032"
},
{
"url": "https://git.kernel.org/stable/c/30f4d4e5224a9e44e9ceb3956489462319d804ce"
},
{
"url": "https://git.kernel.org/stable/c/98aabfe2d79f74613abc2b0b1cef08f97eaf5322"
}
],
"title": "media: vidtv: initialize local pointers upon transfer of memory ownership",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68808",
"datePublished": "2026-01-13T15:29:15.164Z",
"dateReserved": "2025-12-24T10:30:51.045Z",
"dateUpdated": "2026-02-09T08:33:57.275Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40363 (GCVE-0-2025-40363)
Vulnerability from cvelistv5
Published
2025-12-16 13:40
Modified
2026-01-02 15:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: ipv6: fix field-spanning memcpy warning in AH output
Fix field-spanning memcpy warnings in ah6_output() and
ah6_output_done() where extension headers are copied to/from IPv6
address fields, triggering fortify-string warnings about writes beyond
the 16-byte address fields.
memcpy: detected field-spanning write (size 40) of single field "&top_iph->saddr" at net/ipv6/ah6.c:439 (size 16)
WARNING: CPU: 0 PID: 8838 at net/ipv6/ah6.c:439 ah6_output+0xe7e/0x14e0 net/ipv6/ah6.c:439
The warnings are false positives as the extension headers are
intentionally placed after the IPv6 header in memory. Fix by properly
copying addresses and extension headers separately, and introduce
helper functions to avoid code duplication.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/ah6.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2da805a61ef5272a2773775ce14c3650adb84248",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9bf27de51bd6db5ff827780ec0eba55de230ba45",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0bf756ae1e69fec5e6332c37830488315d6d771b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "75b16b2755e12999ad850756ddfb88ad4bfc7186",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f28dde240160f3c48a50d641d210ed6a3b9596ed",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c14cf41094136691c92ef756872570645d61f4a1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b056f971bd72b373b7ae2025a8f3bd18f69653d3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2327a3d6f65ce2fe2634546dde4a25ef52296fec",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/ah6.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ipv6: fix field-spanning memcpy warning in AH output\n\nFix field-spanning memcpy warnings in ah6_output() and\nah6_output_done() where extension headers are copied to/from IPv6\naddress fields, triggering fortify-string warnings about writes beyond\nthe 16-byte address fields.\n\n memcpy: detected field-spanning write (size 40) of single field \"\u0026top_iph-\u003esaddr\" at net/ipv6/ah6.c:439 (size 16)\n WARNING: CPU: 0 PID: 8838 at net/ipv6/ah6.c:439 ah6_output+0xe7e/0x14e0 net/ipv6/ah6.c:439\n\nThe warnings are false positives as the extension headers are\nintentionally placed after the IPv6 header in memory. Fix by properly\ncopying addresses and extension headers separately, and introduce\nhelper functions to avoid code duplication."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:57.367Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2da805a61ef5272a2773775ce14c3650adb84248"
},
{
"url": "https://git.kernel.org/stable/c/9bf27de51bd6db5ff827780ec0eba55de230ba45"
},
{
"url": "https://git.kernel.org/stable/c/0bf756ae1e69fec5e6332c37830488315d6d771b"
},
{
"url": "https://git.kernel.org/stable/c/75b16b2755e12999ad850756ddfb88ad4bfc7186"
},
{
"url": "https://git.kernel.org/stable/c/f28dde240160f3c48a50d641d210ed6a3b9596ed"
},
{
"url": "https://git.kernel.org/stable/c/c14cf41094136691c92ef756872570645d61f4a1"
},
{
"url": "https://git.kernel.org/stable/c/b056f971bd72b373b7ae2025a8f3bd18f69653d3"
},
{
"url": "https://git.kernel.org/stable/c/2327a3d6f65ce2fe2634546dde4a25ef52296fec"
}
],
"title": "net: ipv6: fix field-spanning memcpy warning in AH output",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40363",
"datePublished": "2025-12-16T13:40:03.265Z",
"dateReserved": "2025-04-16T07:20:57.187Z",
"dateUpdated": "2026-01-02T15:33:57.367Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68759 (GCVE-0-2025-68759)
Vulnerability from cvelistv5
Published
2026-01-05 09:32
Modified
2026-02-09 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: rtl818x: Fix potential memory leaks in rtl8180_init_rx_ring()
In rtl8180_init_rx_ring(), memory is allocated for skb packets and DMA
allocations in a loop. When an allocation fails, the previously
successful allocations are not freed on exit.
Fix that by jumping to err_free_rings label on error, which calls
rtl8180_free_rx_ring() to free the allocations. Remove the free of
rx_ring in rtl8180_init_rx_ring() error path, and set the freed
priv->rx_buf entry to null, to avoid double free.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: f653211197f3841f383fa9757ef8ce182c6cf627 Version: f653211197f3841f383fa9757ef8ce182c6cf627 Version: f653211197f3841f383fa9757ef8ce182c6cf627 Version: f653211197f3841f383fa9757ef8ce182c6cf627 Version: f653211197f3841f383fa9757ef8ce182c6cf627 Version: f653211197f3841f383fa9757ef8ce182c6cf627 Version: f653211197f3841f383fa9757ef8ce182c6cf627 Version: f653211197f3841f383fa9757ef8ce182c6cf627 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/realtek/rtl818x/rtl8180/dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3677c01891fb0239361e444afee8398868e34bdf",
"status": "affected",
"version": "f653211197f3841f383fa9757ef8ce182c6cf627",
"versionType": "git"
},
{
"lessThan": "89caaeee8dd95fae8bb4f4964e6fe3ca688500c4",
"status": "affected",
"version": "f653211197f3841f383fa9757ef8ce182c6cf627",
"versionType": "git"
},
{
"lessThan": "a4fb7cca9837378878e6c94d9e7af019c8fdfcdb",
"status": "affected",
"version": "f653211197f3841f383fa9757ef8ce182c6cf627",
"versionType": "git"
},
{
"lessThan": "bf8513dfa31ea015c9cf415796dca2113d293840",
"status": "affected",
"version": "f653211197f3841f383fa9757ef8ce182c6cf627",
"versionType": "git"
},
{
"lessThan": "ee7db11742b30641f21306105ad27a275e3c61d7",
"status": "affected",
"version": "f653211197f3841f383fa9757ef8ce182c6cf627",
"versionType": "git"
},
{
"lessThan": "a813a74570212cb5f3a7d3b05c0cb0cd00bace1d",
"status": "affected",
"version": "f653211197f3841f383fa9757ef8ce182c6cf627",
"versionType": "git"
},
{
"lessThan": "c9d1c4152e6d32fa74034464854bee262a60bc43",
"status": "affected",
"version": "f653211197f3841f383fa9757ef8ce182c6cf627",
"versionType": "git"
},
{
"lessThan": "9b5b9c042b30befc5b37e4539ace95af70843473",
"status": "affected",
"version": "f653211197f3841f383fa9757ef8ce182c6cf627",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/realtek/rtl818x/rtl8180/dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.25"
},
{
"lessThan": "2.6.25",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.25",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtl818x: Fix potential memory leaks in rtl8180_init_rx_ring()\n\nIn rtl8180_init_rx_ring(), memory is allocated for skb packets and DMA\nallocations in a loop. When an allocation fails, the previously\nsuccessful allocations are not freed on exit.\n\nFix that by jumping to err_free_rings label on error, which calls\nrtl8180_free_rx_ring() to free the allocations. Remove the free of\nrx_ring in rtl8180_init_rx_ring() error path, and set the freed\npriv-\u003erx_buf entry to null, to avoid double free."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:03.895Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3677c01891fb0239361e444afee8398868e34bdf"
},
{
"url": "https://git.kernel.org/stable/c/89caaeee8dd95fae8bb4f4964e6fe3ca688500c4"
},
{
"url": "https://git.kernel.org/stable/c/a4fb7cca9837378878e6c94d9e7af019c8fdfcdb"
},
{
"url": "https://git.kernel.org/stable/c/bf8513dfa31ea015c9cf415796dca2113d293840"
},
{
"url": "https://git.kernel.org/stable/c/ee7db11742b30641f21306105ad27a275e3c61d7"
},
{
"url": "https://git.kernel.org/stable/c/a813a74570212cb5f3a7d3b05c0cb0cd00bace1d"
},
{
"url": "https://git.kernel.org/stable/c/c9d1c4152e6d32fa74034464854bee262a60bc43"
},
{
"url": "https://git.kernel.org/stable/c/9b5b9c042b30befc5b37e4539ace95af70843473"
}
],
"title": "wifi: rtl818x: Fix potential memory leaks in rtl8180_init_rx_ring()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68759",
"datePublished": "2026-01-05T09:32:32.174Z",
"dateReserved": "2025-12-24T10:30:51.033Z",
"dateUpdated": "2026-02-09T08:33:03.895Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-36903 (GCVE-0-2024-36903)
Vulnerability from cvelistv5
Published
2024-05-30 15:29
Modified
2026-01-19 12:17
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv6: Fix potential uninit-value access in __ip6_make_skb()
As it was done in commit fc1092f51567 ("ipv4: Fix uninit-value access in
__ip_make_skb()") for IPv4, check FLOWI_FLAG_KNOWN_NH on fl6->flowi6_flags
instead of testing HDRINCL on the socket to avoid a race condition which
causes uninit-value access.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 605b056d63302ae84eb136e88d4df49124bd5e0d Version: d65ff2fe877c471aa6e79efa7bd8ff66e147c317 Version: 2c9cefc142c1dc2759e19a92d3b2b3715e985beb Version: ea30388baebcce37fd594d425a65037ca35e59e8 Version: ea30388baebcce37fd594d425a65037ca35e59e8 Version: ea30388baebcce37fd594d425a65037ca35e59e8 Version: 165370522cc48127da564a08584a7391e6341908 Version: f394f690a30a5ec0413c62777a058eaf3d6e10d5 Version: 0cf600ca1bdf1d52df977516ee6cee0cadb1f6b1 Version: 02ed5700f40445af02d1c97db25ffc2d04971d9f |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-36903",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-30T18:50:05.807509Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:48:08.383Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:30:07.718Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/68c8ba16ab712eb709c6bab80ff151079d11d97a"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/2367bf254f3a27ecc6e229afd7a8b0a1395f7be3"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/4e13d3a9c25b7080f8a619f961e943fe08c2672c"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_output.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "59d74c843ebf46264c7903726cf6f2673a93b07a",
"status": "affected",
"version": "605b056d63302ae84eb136e88d4df49124bd5e0d",
"versionType": "git"
},
{
"lessThan": "40e5444a3ac315b60e94d82226b73cd82145d09e",
"status": "affected",
"version": "d65ff2fe877c471aa6e79efa7bd8ff66e147c317",
"versionType": "git"
},
{
"lessThan": "a05c1ede50e9656f0752e523c7b54f3a3489e9a8",
"status": "affected",
"version": "2c9cefc142c1dc2759e19a92d3b2b3715e985beb",
"versionType": "git"
},
{
"lessThan": "68c8ba16ab712eb709c6bab80ff151079d11d97a",
"status": "affected",
"version": "ea30388baebcce37fd594d425a65037ca35e59e8",
"versionType": "git"
},
{
"lessThan": "2367bf254f3a27ecc6e229afd7a8b0a1395f7be3",
"status": "affected",
"version": "ea30388baebcce37fd594d425a65037ca35e59e8",
"versionType": "git"
},
{
"lessThan": "4e13d3a9c25b7080f8a619f961e943fe08c2672c",
"status": "affected",
"version": "ea30388baebcce37fd594d425a65037ca35e59e8",
"versionType": "git"
},
{
"status": "affected",
"version": "165370522cc48127da564a08584a7391e6341908",
"versionType": "git"
},
{
"status": "affected",
"version": "f394f690a30a5ec0413c62777a058eaf3d6e10d5",
"versionType": "git"
},
{
"status": "affected",
"version": "0cf600ca1bdf1d52df977516ee6cee0cadb1f6b1",
"versionType": "git"
},
{
"status": "affected",
"version": "02ed5700f40445af02d1c97db25ffc2d04971d9f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_output.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.31",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.8.*",
"status": "unaffected",
"version": "6.8.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.9",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.10.178",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.15.107",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.140",
"versionStartIncluding": "6.1.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.31",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8.10",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.313",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.281",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.241",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.2.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: Fix potential uninit-value access in __ip6_make_skb()\n\nAs it was done in commit fc1092f51567 (\"ipv4: Fix uninit-value access in\n__ip_make_skb()\") for IPv4, check FLOWI_FLAG_KNOWN_NH on fl6-\u003eflowi6_flags\ninstead of testing HDRINCL on the socket to avoid a race condition which\ncauses uninit-value access."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:17:45.894Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/59d74c843ebf46264c7903726cf6f2673a93b07a"
},
{
"url": "https://git.kernel.org/stable/c/40e5444a3ac315b60e94d82226b73cd82145d09e"
},
{
"url": "https://git.kernel.org/stable/c/a05c1ede50e9656f0752e523c7b54f3a3489e9a8"
},
{
"url": "https://git.kernel.org/stable/c/68c8ba16ab712eb709c6bab80ff151079d11d97a"
},
{
"url": "https://git.kernel.org/stable/c/2367bf254f3a27ecc6e229afd7a8b0a1395f7be3"
},
{
"url": "https://git.kernel.org/stable/c/4e13d3a9c25b7080f8a619f961e943fe08c2672c"
}
],
"title": "ipv6: Fix potential uninit-value access in __ip6_make_skb()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-36903",
"datePublished": "2024-05-30T15:29:04.866Z",
"dateReserved": "2024-05-30T15:25:07.066Z",
"dateUpdated": "2026-01-19T12:17:45.894Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71197 (GCVE-0-2025-71197)
Vulnerability from cvelistv5
Published
2026-02-04 16:07
Modified
2026-02-09 08:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
w1: therm: Fix off-by-one buffer overflow in alarms_store
The sysfs buffer passed to alarms_store() is allocated with 'size + 1'
bytes and a NUL terminator is appended. However, the 'size' argument
does not account for this extra byte. The original code then allocated
'size' bytes and used strcpy() to copy 'buf', which always writes one
byte past the allocated buffer since strcpy() copies until the NUL
terminator at index 'size'.
Fix this by parsing the 'buf' parameter directly using simple_strtoll()
without allocating any intermediate memory or string copying. This
removes the overflow while simplifying the code.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: e2c94d6f572079511945e64537eb1218643f2e68 Version: e2c94d6f572079511945e64537eb1218643f2e68 Version: e2c94d6f572079511945e64537eb1218643f2e68 Version: e2c94d6f572079511945e64537eb1218643f2e68 Version: e2c94d6f572079511945e64537eb1218643f2e68 Version: e2c94d6f572079511945e64537eb1218643f2e68 Version: e2c94d6f572079511945e64537eb1218643f2e68 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/w1/slaves/w1_therm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "49ff9b4b9deacbefa6654a0a2bcaf910c9de7e95",
"status": "affected",
"version": "e2c94d6f572079511945e64537eb1218643f2e68",
"versionType": "git"
},
{
"lessThan": "060b08d72a38b158a7f850d4b83c17c2969e0f6b",
"status": "affected",
"version": "e2c94d6f572079511945e64537eb1218643f2e68",
"versionType": "git"
},
{
"lessThan": "b3fc3e1f04dcc7c41787bbf08a6e0d2728e022cf",
"status": "affected",
"version": "e2c94d6f572079511945e64537eb1218643f2e68",
"versionType": "git"
},
{
"lessThan": "6a5820ecfa5a76c3d3e154802c8c15f391ef442e",
"status": "affected",
"version": "e2c94d6f572079511945e64537eb1218643f2e68",
"versionType": "git"
},
{
"lessThan": "6fd6d2a8e41b7f544a4d26cbd60bedf9c67893a0",
"status": "affected",
"version": "e2c94d6f572079511945e64537eb1218643f2e68",
"versionType": "git"
},
{
"lessThan": "e6b2609af21b5cccc9559339591b8a2cbf884169",
"status": "affected",
"version": "e2c94d6f572079511945e64537eb1218643f2e68",
"versionType": "git"
},
{
"lessThan": "761fcf46a1bd797bd32d23f3ea0141ffd437668a",
"status": "affected",
"version": "e2c94d6f572079511945e64537eb1218643f2e68",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/w1/slaves/w1_therm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nw1: therm: Fix off-by-one buffer overflow in alarms_store\n\nThe sysfs buffer passed to alarms_store() is allocated with \u0027size + 1\u0027\nbytes and a NUL terminator is appended. However, the \u0027size\u0027 argument\ndoes not account for this extra byte. The original code then allocated\n\u0027size\u0027 bytes and used strcpy() to copy \u0027buf\u0027, which always writes one\nbyte past the allocated buffer since strcpy() copies until the NUL\nterminator at index \u0027size\u0027.\n\nFix this by parsing the \u0027buf\u0027 parameter directly using simple_strtoll()\nwithout allocating any intermediate memory or string copying. This\nremoves the overflow while simplifying the code."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:22.910Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/49ff9b4b9deacbefa6654a0a2bcaf910c9de7e95"
},
{
"url": "https://git.kernel.org/stable/c/060b08d72a38b158a7f850d4b83c17c2969e0f6b"
},
{
"url": "https://git.kernel.org/stable/c/b3fc3e1f04dcc7c41787bbf08a6e0d2728e022cf"
},
{
"url": "https://git.kernel.org/stable/c/6a5820ecfa5a76c3d3e154802c8c15f391ef442e"
},
{
"url": "https://git.kernel.org/stable/c/6fd6d2a8e41b7f544a4d26cbd60bedf9c67893a0"
},
{
"url": "https://git.kernel.org/stable/c/e6b2609af21b5cccc9559339591b8a2cbf884169"
},
{
"url": "https://git.kernel.org/stable/c/761fcf46a1bd797bd32d23f3ea0141ffd437668a"
}
],
"title": "w1: therm: Fix off-by-one buffer overflow in alarms_store",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71197",
"datePublished": "2026-02-04T16:07:32.198Z",
"dateReserved": "2026-01-31T11:36:51.192Z",
"dateUpdated": "2026-02-09T08:36:22.910Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39885 (GCVE-0-2025-39885)
Vulnerability from cvelistv5
Published
2025-09-23 06:00
Modified
2025-11-03 17:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ocfs2: fix recursive semaphore deadlock in fiemap call
syzbot detected a OCFS2 hang due to a recursive semaphore on a
FS_IOC_FIEMAP of the extent list on a specially crafted mmap file.
context_switch kernel/sched/core.c:5357 [inline]
__schedule+0x1798/0x4cc0 kernel/sched/core.c:6961
__schedule_loop kernel/sched/core.c:7043 [inline]
schedule+0x165/0x360 kernel/sched/core.c:7058
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7115
rwsem_down_write_slowpath+0x872/0xfe0 kernel/locking/rwsem.c:1185
__down_write_common kernel/locking/rwsem.c:1317 [inline]
__down_write kernel/locking/rwsem.c:1326 [inline]
down_write+0x1ab/0x1f0 kernel/locking/rwsem.c:1591
ocfs2_page_mkwrite+0x2ff/0xc40 fs/ocfs2/mmap.c:142
do_page_mkwrite+0x14d/0x310 mm/memory.c:3361
wp_page_shared mm/memory.c:3762 [inline]
do_wp_page+0x268d/0x5800 mm/memory.c:3981
handle_pte_fault mm/memory.c:6068 [inline]
__handle_mm_fault+0x1033/0x5440 mm/memory.c:6195
handle_mm_fault+0x40a/0x8e0 mm/memory.c:6364
do_user_addr_fault+0x764/0x1390 arch/x86/mm/fault.c:1387
handle_page_fault arch/x86/mm/fault.c:1476 [inline]
exc_page_fault+0x76/0xf0 arch/x86/mm/fault.c:1532
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
RIP: 0010:copy_user_generic arch/x86/include/asm/uaccess_64.h:126 [inline]
RIP: 0010:raw_copy_to_user arch/x86/include/asm/uaccess_64.h:147 [inline]
RIP: 0010:_inline_copy_to_user include/linux/uaccess.h:197 [inline]
RIP: 0010:_copy_to_user+0x85/0xb0 lib/usercopy.c:26
Code: e8 00 bc f7 fc 4d 39 fc 72 3d 4d 39 ec 77 38 e8 91 b9 f7 fc 4c 89
f7 89 de e8 47 25 5b fd 0f 01 cb 4c 89 ff 48 89 d9 4c 89 f6 <f3> a4 0f
1f 00 48 89 cb 0f 01 ca 48 89 d8 5b 41 5c 41 5d 41 5e 41
RSP: 0018:ffffc9000403f950 EFLAGS: 00050256
RAX: ffffffff84c7f101 RBX: 0000000000000038 RCX: 0000000000000038
RDX: 0000000000000000 RSI: ffffc9000403f9e0 RDI: 0000200000000060
RBP: ffffc9000403fa90 R08: ffffc9000403fa17 R09: 1ffff92000807f42
R10: dffffc0000000000 R11: fffff52000807f43 R12: 0000200000000098
R13: 00007ffffffff000 R14: ffffc9000403f9e0 R15: 0000200000000060
copy_to_user include/linux/uaccess.h:225 [inline]
fiemap_fill_next_extent+0x1c0/0x390 fs/ioctl.c:145
ocfs2_fiemap+0x888/0xc90 fs/ocfs2/extent_map.c:806
ioctl_fiemap fs/ioctl.c:220 [inline]
do_vfs_ioctl+0x1173/0x1430 fs/ioctl.c:532
__do_sys_ioctl fs/ioctl.c:596 [inline]
__se_sys_ioctl+0x82/0x170 fs/ioctl.c:584
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f5f13850fd9
RSP: 002b:00007ffe3b3518b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000200000000000 RCX: 00007f5f13850fd9
RDX: 0000200000000040 RSI: 00000000c020660b RDI: 0000000000000004
RBP: 6165627472616568 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe3b3518f0
R13: 00007ffe3b351b18 R14: 431bde82d7b634db R15: 00007f5f1389a03b
ocfs2_fiemap() takes a read lock of the ip_alloc_sem semaphore (since
v2.6.22-527-g7307de80510a) and calls fiemap_fill_next_extent() to read the
extent list of this running mmap executable. The user supplied buffer to
hold the fiemap information page faults calling ocfs2_page_mkwrite() which
will take a write lock (since v2.6.27-38-g00dc417fa3e7) of the same
semaphore. This recursive semaphore will hold filesystem locks and causes
a hang of the fileystem.
The ip_alloc_sem protects the inode extent list and size. Release the
read semphore before calling fiemap_fill_next_extent() in ocfs2_fiemap()
and ocfs2_fiemap_inline(). This does an unnecessary semaphore lock/unlock
on the last extent but simplifies the error path.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 00dc417fa3e763345b34ccb6034d72de76eea0a1 Version: 00dc417fa3e763345b34ccb6034d72de76eea0a1 Version: 00dc417fa3e763345b34ccb6034d72de76eea0a1 Version: 00dc417fa3e763345b34ccb6034d72de76eea0a1 Version: 00dc417fa3e763345b34ccb6034d72de76eea0a1 Version: 00dc417fa3e763345b34ccb6034d72de76eea0a1 Version: 00dc417fa3e763345b34ccb6034d72de76eea0a1 Version: 00dc417fa3e763345b34ccb6034d72de76eea0a1 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:25.898Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ocfs2/extent_map.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "16e518ca84dfe860c20a62f3615e14e8af0ace57",
"status": "affected",
"version": "00dc417fa3e763345b34ccb6034d72de76eea0a1",
"versionType": "git"
},
{
"lessThan": "7e1514bd44ef68007703c752c99ff7319f35bce6",
"status": "affected",
"version": "00dc417fa3e763345b34ccb6034d72de76eea0a1",
"versionType": "git"
},
{
"lessThan": "ef30404980e4c832ef9bba1b10c08f67fa77a9ec",
"status": "affected",
"version": "00dc417fa3e763345b34ccb6034d72de76eea0a1",
"versionType": "git"
},
{
"lessThan": "36054554772f95d090eb45793faf6aa3c0254b02",
"status": "affected",
"version": "00dc417fa3e763345b34ccb6034d72de76eea0a1",
"versionType": "git"
},
{
"lessThan": "0709bc11b942870fc0a7be150e42aea42321093a",
"status": "affected",
"version": "00dc417fa3e763345b34ccb6034d72de76eea0a1",
"versionType": "git"
},
{
"lessThan": "1d3c96547ee2ddeaddf8f19a3ef99ea06cc8115e",
"status": "affected",
"version": "00dc417fa3e763345b34ccb6034d72de76eea0a1",
"versionType": "git"
},
{
"lessThan": "9efcb7a8b97310efed995397941a292cf89fa94f",
"status": "affected",
"version": "00dc417fa3e763345b34ccb6034d72de76eea0a1",
"versionType": "git"
},
{
"lessThan": "04100f775c2ea501927f508f17ad824ad1f23c8d",
"status": "affected",
"version": "00dc417fa3e763345b34ccb6034d72de76eea0a1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ocfs2/extent_map.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.28"
},
{
"lessThan": "2.6.28",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.153",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.107",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.48",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.28",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix recursive semaphore deadlock in fiemap call\n\nsyzbot detected a OCFS2 hang due to a recursive semaphore on a\nFS_IOC_FIEMAP of the extent list on a specially crafted mmap file.\n\ncontext_switch kernel/sched/core.c:5357 [inline]\n __schedule+0x1798/0x4cc0 kernel/sched/core.c:6961\n __schedule_loop kernel/sched/core.c:7043 [inline]\n schedule+0x165/0x360 kernel/sched/core.c:7058\n schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7115\n rwsem_down_write_slowpath+0x872/0xfe0 kernel/locking/rwsem.c:1185\n __down_write_common kernel/locking/rwsem.c:1317 [inline]\n __down_write kernel/locking/rwsem.c:1326 [inline]\n down_write+0x1ab/0x1f0 kernel/locking/rwsem.c:1591\n ocfs2_page_mkwrite+0x2ff/0xc40 fs/ocfs2/mmap.c:142\n do_page_mkwrite+0x14d/0x310 mm/memory.c:3361\n wp_page_shared mm/memory.c:3762 [inline]\n do_wp_page+0x268d/0x5800 mm/memory.c:3981\n handle_pte_fault mm/memory.c:6068 [inline]\n __handle_mm_fault+0x1033/0x5440 mm/memory.c:6195\n handle_mm_fault+0x40a/0x8e0 mm/memory.c:6364\n do_user_addr_fault+0x764/0x1390 arch/x86/mm/fault.c:1387\n handle_page_fault arch/x86/mm/fault.c:1476 [inline]\n exc_page_fault+0x76/0xf0 arch/x86/mm/fault.c:1532\n asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623\nRIP: 0010:copy_user_generic arch/x86/include/asm/uaccess_64.h:126 [inline]\nRIP: 0010:raw_copy_to_user arch/x86/include/asm/uaccess_64.h:147 [inline]\nRIP: 0010:_inline_copy_to_user include/linux/uaccess.h:197 [inline]\nRIP: 0010:_copy_to_user+0x85/0xb0 lib/usercopy.c:26\nCode: e8 00 bc f7 fc 4d 39 fc 72 3d 4d 39 ec 77 38 e8 91 b9 f7 fc 4c 89\nf7 89 de e8 47 25 5b fd 0f 01 cb 4c 89 ff 48 89 d9 4c 89 f6 \u003cf3\u003e a4 0f\n1f 00 48 89 cb 0f 01 ca 48 89 d8 5b 41 5c 41 5d 41 5e 41\nRSP: 0018:ffffc9000403f950 EFLAGS: 00050256\nRAX: ffffffff84c7f101 RBX: 0000000000000038 RCX: 0000000000000038\nRDX: 0000000000000000 RSI: ffffc9000403f9e0 RDI: 0000200000000060\nRBP: ffffc9000403fa90 R08: ffffc9000403fa17 R09: 1ffff92000807f42\nR10: dffffc0000000000 R11: fffff52000807f43 R12: 0000200000000098\nR13: 00007ffffffff000 R14: ffffc9000403f9e0 R15: 0000200000000060\n copy_to_user include/linux/uaccess.h:225 [inline]\n fiemap_fill_next_extent+0x1c0/0x390 fs/ioctl.c:145\n ocfs2_fiemap+0x888/0xc90 fs/ocfs2/extent_map.c:806\n ioctl_fiemap fs/ioctl.c:220 [inline]\n do_vfs_ioctl+0x1173/0x1430 fs/ioctl.c:532\n __do_sys_ioctl fs/ioctl.c:596 [inline]\n __se_sys_ioctl+0x82/0x170 fs/ioctl.c:584\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f5f13850fd9\nRSP: 002b:00007ffe3b3518b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 0000200000000000 RCX: 00007f5f13850fd9\nRDX: 0000200000000040 RSI: 00000000c020660b RDI: 0000000000000004\nRBP: 6165627472616568 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe3b3518f0\nR13: 00007ffe3b351b18 R14: 431bde82d7b634db R15: 00007f5f1389a03b\n\nocfs2_fiemap() takes a read lock of the ip_alloc_sem semaphore (since\nv2.6.22-527-g7307de80510a) and calls fiemap_fill_next_extent() to read the\nextent list of this running mmap executable. The user supplied buffer to\nhold the fiemap information page faults calling ocfs2_page_mkwrite() which\nwill take a write lock (since v2.6.27-38-g00dc417fa3e7) of the same\nsemaphore. This recursive semaphore will hold filesystem locks and causes\na hang of the fileystem.\n\nThe ip_alloc_sem protects the inode extent list and size. Release the\nread semphore before calling fiemap_fill_next_extent() in ocfs2_fiemap()\nand ocfs2_fiemap_inline(). This does an unnecessary semaphore lock/unlock\non the last extent but simplifies the error path."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T13:26:32.512Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/16e518ca84dfe860c20a62f3615e14e8af0ace57"
},
{
"url": "https://git.kernel.org/stable/c/7e1514bd44ef68007703c752c99ff7319f35bce6"
},
{
"url": "https://git.kernel.org/stable/c/ef30404980e4c832ef9bba1b10c08f67fa77a9ec"
},
{
"url": "https://git.kernel.org/stable/c/36054554772f95d090eb45793faf6aa3c0254b02"
},
{
"url": "https://git.kernel.org/stable/c/0709bc11b942870fc0a7be150e42aea42321093a"
},
{
"url": "https://git.kernel.org/stable/c/1d3c96547ee2ddeaddf8f19a3ef99ea06cc8115e"
},
{
"url": "https://git.kernel.org/stable/c/9efcb7a8b97310efed995397941a292cf89fa94f"
},
{
"url": "https://git.kernel.org/stable/c/04100f775c2ea501927f508f17ad824ad1f23c8d"
}
],
"title": "ocfs2: fix recursive semaphore deadlock in fiemap call",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39885",
"datePublished": "2025-09-23T06:00:52.584Z",
"dateReserved": "2025-04-16T07:20:57.145Z",
"dateUpdated": "2025-11-03T17:44:25.898Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40001 (GCVE-0-2025-40001)
Vulnerability from cvelistv5
Published
2025-10-18 08:03
Modified
2025-12-01 06:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: mvsas: Fix use-after-free bugs in mvs_work_queue
During the detaching of Marvell's SAS/SATA controller, the original code
calls cancel_delayed_work() in mvs_free() to cancel the delayed work
item mwq->work_q. However, if mwq->work_q is already running, the
cancel_delayed_work() may fail to cancel it. This can lead to
use-after-free scenarios where mvs_free() frees the mvs_info while
mvs_work_queue() is still executing and attempts to access the
already-freed mvs_info.
A typical race condition is illustrated below:
CPU 0 (remove) | CPU 1 (delayed work callback)
mvs_pci_remove() |
mvs_free() | mvs_work_queue()
cancel_delayed_work() |
kfree(mvi) |
| mvi-> // UAF
Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure
that the delayed work item is properly canceled and any executing
delayed work item completes before the mvs_info is deallocated.
This bug was found by static analysis.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 20b09c2992fefbe78f8cede7b404fb143a413c52 Version: 20b09c2992fefbe78f8cede7b404fb143a413c52 Version: 20b09c2992fefbe78f8cede7b404fb143a413c52 Version: 20b09c2992fefbe78f8cede7b404fb143a413c52 Version: 20b09c2992fefbe78f8cede7b404fb143a413c52 Version: 20b09c2992fefbe78f8cede7b404fb143a413c52 Version: 20b09c2992fefbe78f8cede7b404fb143a413c52 Version: 20b09c2992fefbe78f8cede7b404fb143a413c52 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/mvsas/mv_init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a6f68f219d4d4b92d7c781708d4afc4cc42961ec",
"status": "affected",
"version": "20b09c2992fefbe78f8cede7b404fb143a413c52",
"versionType": "git"
},
{
"lessThan": "aacd1777d4a795c387a20b9ca776e2c1225d05d7",
"status": "affected",
"version": "20b09c2992fefbe78f8cede7b404fb143a413c52",
"versionType": "git"
},
{
"lessThan": "6ba7e73cafd155a5d3abf560d315f0bab2b9d89f",
"status": "affected",
"version": "20b09c2992fefbe78f8cede7b404fb143a413c52",
"versionType": "git"
},
{
"lessThan": "c2c35cb2a31844f84f21ab364b38b4309d756d42",
"status": "affected",
"version": "20b09c2992fefbe78f8cede7b404fb143a413c52",
"versionType": "git"
},
{
"lessThan": "3c90f583d679c81a5a607a6ae0051251b6dee35b",
"status": "affected",
"version": "20b09c2992fefbe78f8cede7b404fb143a413c52",
"versionType": "git"
},
{
"lessThan": "00d3af40b158ebf7c7db2b3bbb1598a54bf28127",
"status": "affected",
"version": "20b09c2992fefbe78f8cede7b404fb143a413c52",
"versionType": "git"
},
{
"lessThan": "feb946d2fc9dc754bf3d594d42cd228860ff8647",
"status": "affected",
"version": "20b09c2992fefbe78f8cede7b404fb143a413c52",
"versionType": "git"
},
{
"lessThan": "60cd16a3b7439ccb699d0bf533799eeb894fd217",
"status": "affected",
"version": "20b09c2992fefbe78f8cede7b404fb143a413c52",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/mvsas/mv_init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.31"
},
{
"lessThan": "2.6.31",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.31",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mvsas: Fix use-after-free bugs in mvs_work_queue\n\nDuring the detaching of Marvell\u0027s SAS/SATA controller, the original code\ncalls cancel_delayed_work() in mvs_free() to cancel the delayed work\nitem mwq-\u003ework_q. However, if mwq-\u003ework_q is already running, the\ncancel_delayed_work() may fail to cancel it. This can lead to\nuse-after-free scenarios where mvs_free() frees the mvs_info while\nmvs_work_queue() is still executing and attempts to access the\nalready-freed mvs_info.\n\nA typical race condition is illustrated below:\n\nCPU 0 (remove) | CPU 1 (delayed work callback)\nmvs_pci_remove() |\n mvs_free() | mvs_work_queue()\n cancel_delayed_work() |\n kfree(mvi) |\n | mvi-\u003e // UAF\n\nReplace cancel_delayed_work() with cancel_delayed_work_sync() to ensure\nthat the delayed work item is properly canceled and any executing\ndelayed work item completes before the mvs_info is deallocated.\n\nThis bug was found by static analysis."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:16:13.749Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a6f68f219d4d4b92d7c781708d4afc4cc42961ec"
},
{
"url": "https://git.kernel.org/stable/c/aacd1777d4a795c387a20b9ca776e2c1225d05d7"
},
{
"url": "https://git.kernel.org/stable/c/6ba7e73cafd155a5d3abf560d315f0bab2b9d89f"
},
{
"url": "https://git.kernel.org/stable/c/c2c35cb2a31844f84f21ab364b38b4309d756d42"
},
{
"url": "https://git.kernel.org/stable/c/3c90f583d679c81a5a607a6ae0051251b6dee35b"
},
{
"url": "https://git.kernel.org/stable/c/00d3af40b158ebf7c7db2b3bbb1598a54bf28127"
},
{
"url": "https://git.kernel.org/stable/c/feb946d2fc9dc754bf3d594d42cd228860ff8647"
},
{
"url": "https://git.kernel.org/stable/c/60cd16a3b7439ccb699d0bf533799eeb894fd217"
}
],
"title": "scsi: mvsas: Fix use-after-free bugs in mvs_work_queue",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40001",
"datePublished": "2025-10-18T08:03:21.935Z",
"dateReserved": "2025-04-16T07:20:57.151Z",
"dateUpdated": "2025-12-01T06:16:13.749Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40205 (GCVE-0-2025-40205)
Vulnerability from cvelistv5
Published
2025-11-12 21:56
Modified
2025-12-01 06:20
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: avoid potential out-of-bounds in btrfs_encode_fh()
The function btrfs_encode_fh() does not properly account for the three
cases it handles.
Before writing to the file handle (fh), the function only returns to the
user BTRFS_FID_SIZE_NON_CONNECTABLE (5 dwords, 20 bytes) or
BTRFS_FID_SIZE_CONNECTABLE (8 dwords, 32 bytes).
However, when a parent exists and the root ID of the parent and the
inode are different, the function writes BTRFS_FID_SIZE_CONNECTABLE_ROOT
(10 dwords, 40 bytes).
If *max_len is not large enough, this write goes out of bounds because
BTRFS_FID_SIZE_CONNECTABLE_ROOT is greater than
BTRFS_FID_SIZE_CONNECTABLE originally returned.
This results in an 8-byte out-of-bounds write at
fid->parent_root_objectid = parent_root_id.
A previous attempt to fix this issue was made but was lost.
https://lore.kernel.org/all/4CADAEEC020000780001B32C@vpn.id2.novell.com/
Although this issue does not seem to be easily triggerable, it is a
potential memory corruption bug that should be fixed. This patch
resolves the issue by ensuring the function returns the appropriate size
for all three cases and validates that *max_len is large enough before
writing any data.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: be6e8dc0ba84029997075a1ec77b4ddb863cbe15 Version: be6e8dc0ba84029997075a1ec77b4ddb863cbe15 Version: be6e8dc0ba84029997075a1ec77b4ddb863cbe15 Version: be6e8dc0ba84029997075a1ec77b4ddb863cbe15 Version: be6e8dc0ba84029997075a1ec77b4ddb863cbe15 Version: be6e8dc0ba84029997075a1ec77b4ddb863cbe15 Version: be6e8dc0ba84029997075a1ec77b4ddb863cbe15 Version: be6e8dc0ba84029997075a1ec77b4ddb863cbe15 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/export.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "60de2f55d2aca53e81b4ef2a67d7cc9e1eb677db",
"status": "affected",
"version": "be6e8dc0ba84029997075a1ec77b4ddb863cbe15",
"versionType": "git"
},
{
"lessThan": "742b44342204e5dfe3926433823623c1a0c581df",
"status": "affected",
"version": "be6e8dc0ba84029997075a1ec77b4ddb863cbe15",
"versionType": "git"
},
{
"lessThan": "d3a9a8e1275eb9b87f006b5562a287aea3f6885f",
"status": "affected",
"version": "be6e8dc0ba84029997075a1ec77b4ddb863cbe15",
"versionType": "git"
},
{
"lessThan": "d91f6626133698362bba08fbc04bd72c466806d3",
"status": "affected",
"version": "be6e8dc0ba84029997075a1ec77b4ddb863cbe15",
"versionType": "git"
},
{
"lessThan": "0276c8582488022f057b4cec21975a5edf079f47",
"status": "affected",
"version": "be6e8dc0ba84029997075a1ec77b4ddb863cbe15",
"versionType": "git"
},
{
"lessThan": "361d67276eb8ec6be8f27f4ad6c6090459438fee",
"status": "affected",
"version": "be6e8dc0ba84029997075a1ec77b4ddb863cbe15",
"versionType": "git"
},
{
"lessThan": "43143776b0a7604d873d1a6f3e552a00aa930224",
"status": "affected",
"version": "be6e8dc0ba84029997075a1ec77b4ddb863cbe15",
"versionType": "git"
},
{
"lessThan": "dff4f9ff5d7f289e4545cc936362e01ed3252742",
"status": "affected",
"version": "be6e8dc0ba84029997075a1ec77b4ddb863cbe15",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/export.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.29"
},
{
"lessThan": "2.6.29",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.29",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: avoid potential out-of-bounds in btrfs_encode_fh()\n\nThe function btrfs_encode_fh() does not properly account for the three\ncases it handles.\n\nBefore writing to the file handle (fh), the function only returns to the\nuser BTRFS_FID_SIZE_NON_CONNECTABLE (5 dwords, 20 bytes) or\nBTRFS_FID_SIZE_CONNECTABLE (8 dwords, 32 bytes).\n\nHowever, when a parent exists and the root ID of the parent and the\ninode are different, the function writes BTRFS_FID_SIZE_CONNECTABLE_ROOT\n(10 dwords, 40 bytes).\n\nIf *max_len is not large enough, this write goes out of bounds because\nBTRFS_FID_SIZE_CONNECTABLE_ROOT is greater than\nBTRFS_FID_SIZE_CONNECTABLE originally returned.\n\nThis results in an 8-byte out-of-bounds write at\nfid-\u003eparent_root_objectid = parent_root_id.\n\nA previous attempt to fix this issue was made but was lost.\n\nhttps://lore.kernel.org/all/4CADAEEC020000780001B32C@vpn.id2.novell.com/\n\nAlthough this issue does not seem to be easily triggerable, it is a\npotential memory corruption bug that should be fixed. This patch\nresolves the issue by ensuring the function returns the appropriate size\nfor all three cases and validates that *max_len is large enough before\nwriting any data."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:20:08.904Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/60de2f55d2aca53e81b4ef2a67d7cc9e1eb677db"
},
{
"url": "https://git.kernel.org/stable/c/742b44342204e5dfe3926433823623c1a0c581df"
},
{
"url": "https://git.kernel.org/stable/c/d3a9a8e1275eb9b87f006b5562a287aea3f6885f"
},
{
"url": "https://git.kernel.org/stable/c/d91f6626133698362bba08fbc04bd72c466806d3"
},
{
"url": "https://git.kernel.org/stable/c/0276c8582488022f057b4cec21975a5edf079f47"
},
{
"url": "https://git.kernel.org/stable/c/361d67276eb8ec6be8f27f4ad6c6090459438fee"
},
{
"url": "https://git.kernel.org/stable/c/43143776b0a7604d873d1a6f3e552a00aa930224"
},
{
"url": "https://git.kernel.org/stable/c/dff4f9ff5d7f289e4545cc936362e01ed3252742"
}
],
"title": "btrfs: avoid potential out-of-bounds in btrfs_encode_fh()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40205",
"datePublished": "2025-11-12T21:56:35.403Z",
"dateReserved": "2025-04-16T07:20:57.179Z",
"dateUpdated": "2025-12-01T06:20:08.904Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68766 (GCVE-0-2025-68766)
Vulnerability from cvelistv5
Published
2026-01-05 09:44
Modified
2026-02-09 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
irqchip/mchp-eic: Fix error code in mchp_eic_domain_alloc()
If irq_domain_translate_twocell() sets "hwirq" to >= MCHP_EIC_NIRQ (2) then
it results in an out of bounds access.
The code checks for invalid values, but doesn't set the error code. Return
-EINVAL in that case, instead of returning success.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 00fa3461c86dd289b441d4d5a6bb236064bd207b Version: 00fa3461c86dd289b441d4d5a6bb236064bd207b Version: 00fa3461c86dd289b441d4d5a6bb236064bd207b Version: 00fa3461c86dd289b441d4d5a6bb236064bd207b Version: 00fa3461c86dd289b441d4d5a6bb236064bd207b Version: 00fa3461c86dd289b441d4d5a6bb236064bd207b |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/irqchip/irq-mchp-eic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "324c60a67c4b9668497940f667db14d216cc7b1b",
"status": "affected",
"version": "00fa3461c86dd289b441d4d5a6bb236064bd207b",
"versionType": "git"
},
{
"lessThan": "c21c606ad398eeb86a0f3aaff9ba4f2665e286c6",
"status": "affected",
"version": "00fa3461c86dd289b441d4d5a6bb236064bd207b",
"versionType": "git"
},
{
"lessThan": "3873afcb57614c1aaa5b6715554d6d1c22cac95a",
"status": "affected",
"version": "00fa3461c86dd289b441d4d5a6bb236064bd207b",
"versionType": "git"
},
{
"lessThan": "09efe7cfbf919c4d763bc425473fcfee0dc98356",
"status": "affected",
"version": "00fa3461c86dd289b441d4d5a6bb236064bd207b",
"versionType": "git"
},
{
"lessThan": "efd65e2e2fd96f7aaa5cb07d79bbbfcfc80aa552",
"status": "affected",
"version": "00fa3461c86dd289b441d4d5a6bb236064bd207b",
"versionType": "git"
},
{
"lessThan": "7dbc0d40d8347bd9de55c904f59ea44bcc8dedb7",
"status": "affected",
"version": "00fa3461c86dd289b441d4d5a6bb236064bd207b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/irqchip/irq-mchp-eic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/mchp-eic: Fix error code in mchp_eic_domain_alloc()\n\nIf irq_domain_translate_twocell() sets \"hwirq\" to \u003e= MCHP_EIC_NIRQ (2) then\nit results in an out of bounds access.\n\nThe code checks for invalid values, but doesn\u0027t set the error code. Return\n-EINVAL in that case, instead of returning success."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:11.102Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/324c60a67c4b9668497940f667db14d216cc7b1b"
},
{
"url": "https://git.kernel.org/stable/c/c21c606ad398eeb86a0f3aaff9ba4f2665e286c6"
},
{
"url": "https://git.kernel.org/stable/c/3873afcb57614c1aaa5b6715554d6d1c22cac95a"
},
{
"url": "https://git.kernel.org/stable/c/09efe7cfbf919c4d763bc425473fcfee0dc98356"
},
{
"url": "https://git.kernel.org/stable/c/efd65e2e2fd96f7aaa5cb07d79bbbfcfc80aa552"
},
{
"url": "https://git.kernel.org/stable/c/7dbc0d40d8347bd9de55c904f59ea44bcc8dedb7"
}
],
"title": "irqchip/mchp-eic: Fix error code in mchp_eic_domain_alloc()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68766",
"datePublished": "2026-01-05T09:44:13.935Z",
"dateReserved": "2025-12-24T10:30:51.034Z",
"dateUpdated": "2026-02-09T08:33:11.102Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68742 (GCVE-0-2025-68742)
Vulnerability from cvelistv5
Published
2025-12-24 12:09
Modified
2026-02-09 08:32
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix invalid prog->stats access when update_effective_progs fails
Syzkaller triggers an invalid memory access issue following fault
injection in update_effective_progs. The issue can be described as
follows:
__cgroup_bpf_detach
update_effective_progs
compute_effective_progs
bpf_prog_array_alloc <-- fault inject
purge_effective_progs
/* change to dummy_bpf_prog */
array->items[index] = &dummy_bpf_prog.prog
---softirq start---
__do_softirq
...
__cgroup_bpf_run_filter_skb
__bpf_prog_run_save_cb
bpf_prog_run
stats = this_cpu_ptr(prog->stats)
/* invalid memory access */
flags = u64_stats_update_begin_irqsave(&stats->syncp)
---softirq end---
static_branch_dec(&cgroup_bpf_enabled_key[atype])
The reason is that fault injection caused update_effective_progs to fail
and then changed the original prog into dummy_bpf_prog.prog in
purge_effective_progs. Then a softirq came, and accessing the members of
dummy_bpf_prog.prog in the softirq triggers invalid mem access.
To fix it, skip updating stats when stats is NULL.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 492ecee892c2a4ba6a14903d5d586ff750b7e805 Version: 492ecee892c2a4ba6a14903d5d586ff750b7e805 Version: 492ecee892c2a4ba6a14903d5d586ff750b7e805 Version: 492ecee892c2a4ba6a14903d5d586ff750b7e805 Version: 492ecee892c2a4ba6a14903d5d586ff750b7e805 Version: 492ecee892c2a4ba6a14903d5d586ff750b7e805 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/filter.h",
"kernel/bpf/syscall.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "93d1964773ff513c9bd530f7686d3e48b786fa6b",
"status": "affected",
"version": "492ecee892c2a4ba6a14903d5d586ff750b7e805",
"versionType": "git"
},
{
"lessThan": "bf2c990b012100610c0f1ec5c4ea434da2d080c2",
"status": "affected",
"version": "492ecee892c2a4ba6a14903d5d586ff750b7e805",
"versionType": "git"
},
{
"lessThan": "539137e3038ce6f953efd72110110f03c14c7d97",
"status": "affected",
"version": "492ecee892c2a4ba6a14903d5d586ff750b7e805",
"versionType": "git"
},
{
"lessThan": "56905bb70c8b88421709bb4e32fcba617aa37d41",
"status": "affected",
"version": "492ecee892c2a4ba6a14903d5d586ff750b7e805",
"versionType": "git"
},
{
"lessThan": "2579c356ccd35d06238b176e4b460978186d804b",
"status": "affected",
"version": "492ecee892c2a4ba6a14903d5d586ff750b7e805",
"versionType": "git"
},
{
"lessThan": "7dc211c1159d991db609bdf4b0fb9033c04adcbc",
"status": "affected",
"version": "492ecee892c2a4ba6a14903d5d586ff750b7e805",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/filter.h",
"kernel/bpf/syscall.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.1"
},
{
"lessThan": "5.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix invalid prog-\u003estats access when update_effective_progs fails\n\nSyzkaller triggers an invalid memory access issue following fault\ninjection in update_effective_progs. The issue can be described as\nfollows:\n\n__cgroup_bpf_detach\n update_effective_progs\n compute_effective_progs\n bpf_prog_array_alloc \u003c-- fault inject\n purge_effective_progs\n /* change to dummy_bpf_prog */\n array-\u003eitems[index] = \u0026dummy_bpf_prog.prog\n\n---softirq start---\n__do_softirq\n ...\n __cgroup_bpf_run_filter_skb\n __bpf_prog_run_save_cb\n bpf_prog_run\n stats = this_cpu_ptr(prog-\u003estats)\n /* invalid memory access */\n flags = u64_stats_update_begin_irqsave(\u0026stats-\u003esyncp)\n---softirq end---\n\n static_branch_dec(\u0026cgroup_bpf_enabled_key[atype])\n\nThe reason is that fault injection caused update_effective_progs to fail\nand then changed the original prog into dummy_bpf_prog.prog in\npurge_effective_progs. Then a softirq came, and accessing the members of\ndummy_bpf_prog.prog in the softirq triggers invalid mem access.\n\nTo fix it, skip updating stats when stats is NULL."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:32:46.405Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/93d1964773ff513c9bd530f7686d3e48b786fa6b"
},
{
"url": "https://git.kernel.org/stable/c/bf2c990b012100610c0f1ec5c4ea434da2d080c2"
},
{
"url": "https://git.kernel.org/stable/c/539137e3038ce6f953efd72110110f03c14c7d97"
},
{
"url": "https://git.kernel.org/stable/c/56905bb70c8b88421709bb4e32fcba617aa37d41"
},
{
"url": "https://git.kernel.org/stable/c/2579c356ccd35d06238b176e4b460978186d804b"
},
{
"url": "https://git.kernel.org/stable/c/7dc211c1159d991db609bdf4b0fb9033c04adcbc"
}
],
"title": "bpf: Fix invalid prog-\u003estats access when update_effective_progs fails",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68742",
"datePublished": "2025-12-24T12:09:39.341Z",
"dateReserved": "2025-12-24T10:30:51.030Z",
"dateUpdated": "2026-02-09T08:32:46.405Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71143 (GCVE-0-2025-71143)
Vulnerability from cvelistv5
Published
2026-01-14 15:07
Modified
2026-02-09 08:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
clk: samsung: exynos-clkout: Assign .num before accessing .hws
Commit f316cdff8d67 ("clk: Annotate struct clk_hw_onecell_data with
__counted_by") annotated the hws member of 'struct clk_hw_onecell_data'
with __counted_by, which informs the bounds sanitizer (UBSAN_BOUNDS)
about the number of elements in .hws[], so that it can warn when .hws[]
is accessed out of bounds. As noted in that change, the __counted_by
member must be initialized with the number of elements before the first
array access happens, otherwise there will be a warning from each access
prior to the initialization because the number of elements is zero. This
occurs in exynos_clkout_probe() due to .num being assigned after .hws[]
has been accessed:
UBSAN: array-index-out-of-bounds in drivers/clk/samsung/clk-exynos-clkout.c:178:18
index 0 is out of range for type 'clk_hw *[*]'
Move the .num initialization to before the first access of .hws[],
clearing up the warning.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/clk/samsung/clk-exynos-clkout.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fbf57f5e453dadadb3d29b2d1dbe067e3dc4e236",
"status": "affected",
"version": "f316cdff8d677db9ad9c90acb44c4cd535b0ee27",
"versionType": "git"
},
{
"lessThan": "eb1f3a6ab3efee2b52361879cdc2dc6b11f499c0",
"status": "affected",
"version": "f316cdff8d677db9ad9c90acb44c4cd535b0ee27",
"versionType": "git"
},
{
"lessThan": "a317f63255ebc3dac378c79c5bff4f8d0561c290",
"status": "affected",
"version": "f316cdff8d677db9ad9c90acb44c4cd535b0ee27",
"versionType": "git"
},
{
"lessThan": "cf33f0b7df13685234ccea7be7bfe316b60db4db",
"status": "affected",
"version": "f316cdff8d677db9ad9c90acb44c4cd535b0ee27",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/clk/samsung/clk-exynos-clkout.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.6"
},
{
"lessThan": "6.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: samsung: exynos-clkout: Assign .num before accessing .hws\n\nCommit f316cdff8d67 (\"clk: Annotate struct clk_hw_onecell_data with\n__counted_by\") annotated the hws member of \u0027struct clk_hw_onecell_data\u0027\nwith __counted_by, which informs the bounds sanitizer (UBSAN_BOUNDS)\nabout the number of elements in .hws[], so that it can warn when .hws[]\nis accessed out of bounds. As noted in that change, the __counted_by\nmember must be initialized with the number of elements before the first\narray access happens, otherwise there will be a warning from each access\nprior to the initialization because the number of elements is zero. This\noccurs in exynos_clkout_probe() due to .num being assigned after .hws[]\nhas been accessed:\n\n UBSAN: array-index-out-of-bounds in drivers/clk/samsung/clk-exynos-clkout.c:178:18\n index 0 is out of range for type \u0027clk_hw *[*]\u0027\n\nMove the .num initialization to before the first access of .hws[],\nclearing up the warning."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:40.761Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fbf57f5e453dadadb3d29b2d1dbe067e3dc4e236"
},
{
"url": "https://git.kernel.org/stable/c/eb1f3a6ab3efee2b52361879cdc2dc6b11f499c0"
},
{
"url": "https://git.kernel.org/stable/c/a317f63255ebc3dac378c79c5bff4f8d0561c290"
},
{
"url": "https://git.kernel.org/stable/c/cf33f0b7df13685234ccea7be7bfe316b60db4db"
}
],
"title": "clk: samsung: exynos-clkout: Assign .num before accessing .hws",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71143",
"datePublished": "2026-01-14T15:07:55.828Z",
"dateReserved": "2026-01-13T15:30:19.661Z",
"dateUpdated": "2026-02-09T08:35:40.761Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40126 (GCVE-0-2025-40126)
Vulnerability from cvelistv5
Published
2025-11-12 10:23
Modified
2025-12-01 06:18
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC
The referenced commit introduced exception handlers on user-space memory
references in copy_from_user and copy_to_user. These handlers return from
the respective function and calculate the remaining bytes left to copy
using the current register contents. This commit fixes a couple of bad
calculations. This will fix the return value of copy_from_user and
copy_to_user in the faulting case. The behaviour of memcpy stays unchanged.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: cb736fdbb208eb3420f1a2eb2bfc024a6e9dcada Version: cb736fdbb208eb3420f1a2eb2bfc024a6e9dcada Version: cb736fdbb208eb3420f1a2eb2bfc024a6e9dcada Version: cb736fdbb208eb3420f1a2eb2bfc024a6e9dcada Version: cb736fdbb208eb3420f1a2eb2bfc024a6e9dcada Version: cb736fdbb208eb3420f1a2eb2bfc024a6e9dcada Version: cb736fdbb208eb3420f1a2eb2bfc024a6e9dcada Version: cb736fdbb208eb3420f1a2eb2bfc024a6e9dcada Version: 1731d90d8a558ecb20cdee0c2c001ae8e15c251d Version: b0580eadc19ff3a617a7d07cfaf2a985153c114e |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/sparc/lib/U1memcpy.S"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0bf3dc3a2156f1c5ddaba4b85d09767874634114",
"status": "affected",
"version": "cb736fdbb208eb3420f1a2eb2bfc024a6e9dcada",
"versionType": "git"
},
{
"lessThan": "41c18baee66134e6ef786eb075c1b6adb22432b0",
"status": "affected",
"version": "cb736fdbb208eb3420f1a2eb2bfc024a6e9dcada",
"versionType": "git"
},
{
"lessThan": "59424dc0d0e044b2eb007686a4724ddd91d57db5",
"status": "affected",
"version": "cb736fdbb208eb3420f1a2eb2bfc024a6e9dcada",
"versionType": "git"
},
{
"lessThan": "9b137f277cc3297044aabd950f589e505d30104c",
"status": "affected",
"version": "cb736fdbb208eb3420f1a2eb2bfc024a6e9dcada",
"versionType": "git"
},
{
"lessThan": "674ff598148a28bae0b5372339de56f2abf0b1d1",
"status": "affected",
"version": "cb736fdbb208eb3420f1a2eb2bfc024a6e9dcada",
"versionType": "git"
},
{
"lessThan": "7de3a75bbc8465d816336c74d50109e73501efab",
"status": "affected",
"version": "cb736fdbb208eb3420f1a2eb2bfc024a6e9dcada",
"versionType": "git"
},
{
"lessThan": "57c278500fce3cd4e1c540700c0b05426a958393",
"status": "affected",
"version": "cb736fdbb208eb3420f1a2eb2bfc024a6e9dcada",
"versionType": "git"
},
{
"lessThan": "4fba1713001195e59cfc001ff1f2837dab877efb",
"status": "affected",
"version": "cb736fdbb208eb3420f1a2eb2bfc024a6e9dcada",
"versionType": "git"
},
{
"status": "affected",
"version": "1731d90d8a558ecb20cdee0c2c001ae8e15c251d",
"versionType": "git"
},
{
"status": "affected",
"version": "b0580eadc19ff3a617a7d07cfaf2a985153c114e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/sparc/lib/U1memcpy.S"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.9"
},
{
"lessThan": "4.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.8.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC\n\nThe referenced commit introduced exception handlers on user-space memory\nreferences in copy_from_user and copy_to_user. These handlers return from\nthe respective function and calculate the remaining bytes left to copy\nusing the current register contents. This commit fixes a couple of bad\ncalculations. This will fix the return value of copy_from_user and\ncopy_to_user in the faulting case. The behaviour of memcpy stays unchanged."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:18:32.165Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0bf3dc3a2156f1c5ddaba4b85d09767874634114"
},
{
"url": "https://git.kernel.org/stable/c/41c18baee66134e6ef786eb075c1b6adb22432b0"
},
{
"url": "https://git.kernel.org/stable/c/59424dc0d0e044b2eb007686a4724ddd91d57db5"
},
{
"url": "https://git.kernel.org/stable/c/9b137f277cc3297044aabd950f589e505d30104c"
},
{
"url": "https://git.kernel.org/stable/c/674ff598148a28bae0b5372339de56f2abf0b1d1"
},
{
"url": "https://git.kernel.org/stable/c/7de3a75bbc8465d816336c74d50109e73501efab"
},
{
"url": "https://git.kernel.org/stable/c/57c278500fce3cd4e1c540700c0b05426a958393"
},
{
"url": "https://git.kernel.org/stable/c/4fba1713001195e59cfc001ff1f2837dab877efb"
}
],
"title": "sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40126",
"datePublished": "2025-11-12T10:23:20.460Z",
"dateReserved": "2025-04-16T07:20:57.169Z",
"dateUpdated": "2025-12-01T06:18:32.165Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40020 (GCVE-0-2025-40020)
Vulnerability from cvelistv5
Published
2025-10-24 12:24
Modified
2025-10-24 12:24
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: peak_usb: fix shift-out-of-bounds issue
Explicitly uses a 64-bit constant when the number of bits used for its
shifting is 32 (which is the case for PC CAN FD interfaces supported by
this driver).
[mkl: update subject, apply manually]
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: bb4785551f64e18b2c8bb15a3bd2b22f5ebf624d Version: bb4785551f64e18b2c8bb15a3bd2b22f5ebf624d Version: bb4785551f64e18b2c8bb15a3bd2b22f5ebf624d Version: bb4785551f64e18b2c8bb15a3bd2b22f5ebf624d Version: bb4785551f64e18b2c8bb15a3bd2b22f5ebf624d Version: bb4785551f64e18b2c8bb15a3bd2b22f5ebf624d Version: bb4785551f64e18b2c8bb15a3bd2b22f5ebf624d Version: bb4785551f64e18b2c8bb15a3bd2b22f5ebf624d |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/peak_usb/pcan_usb_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "572c656802781cc57f4a3231eefa83547e75ed78",
"status": "affected",
"version": "bb4785551f64e18b2c8bb15a3bd2b22f5ebf624d",
"versionType": "git"
},
{
"lessThan": "61b1dd4c614935169d12bdecc26906e37b508618",
"status": "affected",
"version": "bb4785551f64e18b2c8bb15a3bd2b22f5ebf624d",
"versionType": "git"
},
{
"lessThan": "48822a59ecc47d353400d38b1941d3ae7591ffff",
"status": "affected",
"version": "bb4785551f64e18b2c8bb15a3bd2b22f5ebf624d",
"versionType": "git"
},
{
"lessThan": "176c81cbf9c4e348610a421aad800087c0401f60",
"status": "affected",
"version": "bb4785551f64e18b2c8bb15a3bd2b22f5ebf624d",
"versionType": "git"
},
{
"lessThan": "17edec1830e48c0becd61642d0e40bc753243b16",
"status": "affected",
"version": "bb4785551f64e18b2c8bb15a3bd2b22f5ebf624d",
"versionType": "git"
},
{
"lessThan": "eb79ed970670344380e77d62f8188e8015648d94",
"status": "affected",
"version": "bb4785551f64e18b2c8bb15a3bd2b22f5ebf624d",
"versionType": "git"
},
{
"lessThan": "394c58017e5f41043584c345106cae16a4613710",
"status": "affected",
"version": "bb4785551f64e18b2c8bb15a3bd2b22f5ebf624d",
"versionType": "git"
},
{
"lessThan": "c443be70aaee42c2d1d251e0329e0a69dd96ae54",
"status": "affected",
"version": "bb4785551f64e18b2c8bb15a3bd2b22f5ebf624d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/peak_usb/pcan_usb_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.4"
},
{
"lessThan": "3.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.155",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.50",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.155",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.109",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "3.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: peak_usb: fix shift-out-of-bounds issue\n\nExplicitly uses a 64-bit constant when the number of bits used for its\nshifting is 32 (which is the case for PC CAN FD interfaces supported by\nthis driver).\n\n[mkl: update subject, apply manually]"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-24T12:24:56.311Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/572c656802781cc57f4a3231eefa83547e75ed78"
},
{
"url": "https://git.kernel.org/stable/c/61b1dd4c614935169d12bdecc26906e37b508618"
},
{
"url": "https://git.kernel.org/stable/c/48822a59ecc47d353400d38b1941d3ae7591ffff"
},
{
"url": "https://git.kernel.org/stable/c/176c81cbf9c4e348610a421aad800087c0401f60"
},
{
"url": "https://git.kernel.org/stable/c/17edec1830e48c0becd61642d0e40bc753243b16"
},
{
"url": "https://git.kernel.org/stable/c/eb79ed970670344380e77d62f8188e8015648d94"
},
{
"url": "https://git.kernel.org/stable/c/394c58017e5f41043584c345106cae16a4613710"
},
{
"url": "https://git.kernel.org/stable/c/c443be70aaee42c2d1d251e0329e0a69dd96ae54"
}
],
"title": "can: peak_usb: fix shift-out-of-bounds issue",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40020",
"datePublished": "2025-10-24T12:24:56.311Z",
"dateReserved": "2025-04-16T07:20:57.152Z",
"dateUpdated": "2025-10-24T12:24:56.311Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40321 (GCVE-0-2025-40321)
Vulnerability from cvelistv5
Published
2025-12-08 00:46
Modified
2025-12-08 00:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: brcmfmac: fix crash while sending Action Frames in standalone AP Mode
Currently, whenever there is a need to transmit an Action frame,
the brcmfmac driver always uses the P2P vif to send the "actframe" IOVAR to
firmware. The P2P interfaces were available when wpa_supplicant is managing
the wlan interface.
However, the P2P interfaces are not created/initialized when only hostapd
is managing the wlan interface. And if hostapd receives an ANQP Query REQ
Action frame even from an un-associated STA, the brcmfmac driver tries
to use an uninitialized P2P vif pointer for sending the IOVAR to firmware.
This NULL pointer dereferencing triggers a driver crash.
[ 1417.074538] Unable to handle kernel NULL pointer dereference at virtual
address 0000000000000000
[...]
[ 1417.075188] Hardware name: Raspberry Pi 4 Model B Rev 1.5 (DT)
[...]
[ 1417.075653] Call trace:
[ 1417.075662] brcmf_p2p_send_action_frame+0x23c/0xc58 [brcmfmac]
[ 1417.075738] brcmf_cfg80211_mgmt_tx+0x304/0x5c0 [brcmfmac]
[ 1417.075810] cfg80211_mlme_mgmt_tx+0x1b0/0x428 [cfg80211]
[ 1417.076067] nl80211_tx_mgmt+0x238/0x388 [cfg80211]
[ 1417.076281] genl_family_rcv_msg_doit+0xe0/0x158
[ 1417.076302] genl_rcv_msg+0x220/0x2a0
[ 1417.076317] netlink_rcv_skb+0x68/0x140
[ 1417.076330] genl_rcv+0x40/0x60
[ 1417.076343] netlink_unicast+0x330/0x3b8
[ 1417.076357] netlink_sendmsg+0x19c/0x3f8
[ 1417.076370] __sock_sendmsg+0x64/0xc0
[ 1417.076391] ____sys_sendmsg+0x268/0x2a0
[ 1417.076408] ___sys_sendmsg+0xb8/0x118
[ 1417.076427] __sys_sendmsg+0x90/0xf8
[ 1417.076445] __arm64_sys_sendmsg+0x2c/0x40
[ 1417.076465] invoke_syscall+0x50/0x120
[ 1417.076486] el0_svc_common.constprop.0+0x48/0xf0
[ 1417.076506] do_el0_svc+0x24/0x38
[ 1417.076525] el0_svc+0x30/0x100
[ 1417.076548] el0t_64_sync_handler+0x100/0x130
[ 1417.076569] el0t_64_sync+0x190/0x198
[ 1417.076589] Code: f9401e80 aa1603e2 f9403be1 5280e483 (f9400000)
Fix this, by always using the vif corresponding to the wdev on which the
Action frame Transmission request was initiated by the userspace. This way,
even if P2P vif is not available, the IOVAR is sent to firmware on AP vif
and the ANQP Query RESP Action frame is transmitted without crashing the
driver.
Move init_completion() for "send_af_done" from brcmf_p2p_create_p2pdev()
to brcmf_p2p_attach(). Because the former function would not get executed
when only hostapd is managing wlan interface, and it is not safe to do
reinit_completion() later in brcmf_p2p_tx_action_frame(), without any prior
init_completion().
And in the brcmf_p2p_tx_action_frame() function, the condition check for
P2P Presence response frame is not needed, since the wpa_supplicant is
properly sending the P2P Presense Response frame on the P2P-GO vif instead
of the P2P-Device vif.
[Cc stable]
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 18e2f61db3b708e0a22ccc403cb6ab2203d6faab Version: 18e2f61db3b708e0a22ccc403cb6ab2203d6faab Version: 18e2f61db3b708e0a22ccc403cb6ab2203d6faab Version: 18e2f61db3b708e0a22ccc403cb6ab2203d6faab Version: 18e2f61db3b708e0a22ccc403cb6ab2203d6faab Version: 18e2f61db3b708e0a22ccc403cb6ab2203d6faab Version: 18e2f61db3b708e0a22ccc403cb6ab2203d6faab Version: 18e2f61db3b708e0a22ccc403cb6ab2203d6faab |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c",
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c",
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c863b9c7b4e9af0b7931cb791ec91971a50f1a25",
"status": "affected",
"version": "18e2f61db3b708e0a22ccc403cb6ab2203d6faab",
"versionType": "git"
},
{
"lessThan": "e1fc9afcce9139791260f962541282d47fbb508d",
"status": "affected",
"version": "18e2f61db3b708e0a22ccc403cb6ab2203d6faab",
"versionType": "git"
},
{
"lessThan": "55f60a72a178909ece4e32987e4c642ba57e1cf4",
"status": "affected",
"version": "18e2f61db3b708e0a22ccc403cb6ab2203d6faab",
"versionType": "git"
},
{
"lessThan": "c2b0f8d3e7358c33d90f0e62765d474f25f26a45",
"status": "affected",
"version": "18e2f61db3b708e0a22ccc403cb6ab2203d6faab",
"versionType": "git"
},
{
"lessThan": "64e3175d1c8a3bea02032e7c9d1befd5f43786fa",
"status": "affected",
"version": "18e2f61db3b708e0a22ccc403cb6ab2203d6faab",
"versionType": "git"
},
{
"lessThan": "a6eed58249e7d60f856900e682992300f770f64b",
"status": "affected",
"version": "18e2f61db3b708e0a22ccc403cb6ab2203d6faab",
"versionType": "git"
},
{
"lessThan": "dbc7357b6aae686d9404e1dd7e2e6cf92c3a1b5a",
"status": "affected",
"version": "18e2f61db3b708e0a22ccc403cb6ab2203d6faab",
"versionType": "git"
},
{
"lessThan": "3776c685ebe5f43e9060af06872661de55e80b9a",
"status": "affected",
"version": "18e2f61db3b708e0a22ccc403cb6ab2203d6faab",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c",
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c",
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.9"
},
{
"lessThan": "3.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: fix crash while sending Action Frames in standalone AP Mode\n\nCurrently, whenever there is a need to transmit an Action frame,\nthe brcmfmac driver always uses the P2P vif to send the \"actframe\" IOVAR to\nfirmware. The P2P interfaces were available when wpa_supplicant is managing\nthe wlan interface.\n\nHowever, the P2P interfaces are not created/initialized when only hostapd\nis managing the wlan interface. And if hostapd receives an ANQP Query REQ\nAction frame even from an un-associated STA, the brcmfmac driver tries\nto use an uninitialized P2P vif pointer for sending the IOVAR to firmware.\nThis NULL pointer dereferencing triggers a driver crash.\n\n [ 1417.074538] Unable to handle kernel NULL pointer dereference at virtual\n address 0000000000000000\n [...]\n [ 1417.075188] Hardware name: Raspberry Pi 4 Model B Rev 1.5 (DT)\n [...]\n [ 1417.075653] Call trace:\n [ 1417.075662] brcmf_p2p_send_action_frame+0x23c/0xc58 [brcmfmac]\n [ 1417.075738] brcmf_cfg80211_mgmt_tx+0x304/0x5c0 [brcmfmac]\n [ 1417.075810] cfg80211_mlme_mgmt_tx+0x1b0/0x428 [cfg80211]\n [ 1417.076067] nl80211_tx_mgmt+0x238/0x388 [cfg80211]\n [ 1417.076281] genl_family_rcv_msg_doit+0xe0/0x158\n [ 1417.076302] genl_rcv_msg+0x220/0x2a0\n [ 1417.076317] netlink_rcv_skb+0x68/0x140\n [ 1417.076330] genl_rcv+0x40/0x60\n [ 1417.076343] netlink_unicast+0x330/0x3b8\n [ 1417.076357] netlink_sendmsg+0x19c/0x3f8\n [ 1417.076370] __sock_sendmsg+0x64/0xc0\n [ 1417.076391] ____sys_sendmsg+0x268/0x2a0\n [ 1417.076408] ___sys_sendmsg+0xb8/0x118\n [ 1417.076427] __sys_sendmsg+0x90/0xf8\n [ 1417.076445] __arm64_sys_sendmsg+0x2c/0x40\n [ 1417.076465] invoke_syscall+0x50/0x120\n [ 1417.076486] el0_svc_common.constprop.0+0x48/0xf0\n [ 1417.076506] do_el0_svc+0x24/0x38\n [ 1417.076525] el0_svc+0x30/0x100\n [ 1417.076548] el0t_64_sync_handler+0x100/0x130\n [ 1417.076569] el0t_64_sync+0x190/0x198\n [ 1417.076589] Code: f9401e80 aa1603e2 f9403be1 5280e483 (f9400000)\n\nFix this, by always using the vif corresponding to the wdev on which the\nAction frame Transmission request was initiated by the userspace. This way,\neven if P2P vif is not available, the IOVAR is sent to firmware on AP vif\nand the ANQP Query RESP Action frame is transmitted without crashing the\ndriver.\n\nMove init_completion() for \"send_af_done\" from brcmf_p2p_create_p2pdev()\nto brcmf_p2p_attach(). Because the former function would not get executed\nwhen only hostapd is managing wlan interface, and it is not safe to do\nreinit_completion() later in brcmf_p2p_tx_action_frame(), without any prior\ninit_completion().\n\nAnd in the brcmf_p2p_tx_action_frame() function, the condition check for\nP2P Presence response frame is not needed, since the wpa_supplicant is\nproperly sending the P2P Presense Response frame on the P2P-GO vif instead\nof the P2P-Device vif.\n\n[Cc stable]"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T00:46:48.724Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c863b9c7b4e9af0b7931cb791ec91971a50f1a25"
},
{
"url": "https://git.kernel.org/stable/c/e1fc9afcce9139791260f962541282d47fbb508d"
},
{
"url": "https://git.kernel.org/stable/c/55f60a72a178909ece4e32987e4c642ba57e1cf4"
},
{
"url": "https://git.kernel.org/stable/c/c2b0f8d3e7358c33d90f0e62765d474f25f26a45"
},
{
"url": "https://git.kernel.org/stable/c/64e3175d1c8a3bea02032e7c9d1befd5f43786fa"
},
{
"url": "https://git.kernel.org/stable/c/a6eed58249e7d60f856900e682992300f770f64b"
},
{
"url": "https://git.kernel.org/stable/c/dbc7357b6aae686d9404e1dd7e2e6cf92c3a1b5a"
},
{
"url": "https://git.kernel.org/stable/c/3776c685ebe5f43e9060af06872661de55e80b9a"
}
],
"title": "wifi: brcmfmac: fix crash while sending Action Frames in standalone AP Mode",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40321",
"datePublished": "2025-12-08T00:46:48.724Z",
"dateReserved": "2025-04-16T07:20:57.186Z",
"dateUpdated": "2025-12-08T00:46:48.724Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68176 (GCVE-0-2025-68176)
Vulnerability from cvelistv5
Published
2025-12-16 13:42
Modified
2026-01-02 15:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
PCI: cadence: Check for the existence of cdns_pcie::ops before using it
cdns_pcie::ops might not be populated by all the Cadence glue drivers. This
is going to be true for the upcoming Sophgo platform which doesn't set the
ops.
Hence, add a check to prevent NULL pointer dereference.
[mani: reworded subject and description]
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 40d957e6f9eb3a8a585007b8b730340c829afbdb Version: 40d957e6f9eb3a8a585007b8b730340c829afbdb Version: 40d957e6f9eb3a8a585007b8b730340c829afbdb Version: 40d957e6f9eb3a8a585007b8b730340c829afbdb Version: 40d957e6f9eb3a8a585007b8b730340c829afbdb Version: 40d957e6f9eb3a8a585007b8b730340c829afbdb Version: 40d957e6f9eb3a8a585007b8b730340c829afbdb |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pci/controller/cadence/pcie-cadence-host.c",
"drivers/pci/controller/cadence/pcie-cadence.c",
"drivers/pci/controller/cadence/pcie-cadence.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d5dbe92ac8a4ca6226093241f95f9cb1b0d2e0e1",
"status": "affected",
"version": "40d957e6f9eb3a8a585007b8b730340c829afbdb",
"versionType": "git"
},
{
"lessThan": "eb3d29ca0820fa3d7cccad47d2da56c9ab5469ed",
"status": "affected",
"version": "40d957e6f9eb3a8a585007b8b730340c829afbdb",
"versionType": "git"
},
{
"lessThan": "0d0bb756f002810d249caee51f3f1c309f3cdab5",
"status": "affected",
"version": "40d957e6f9eb3a8a585007b8b730340c829afbdb",
"versionType": "git"
},
{
"lessThan": "1810b2fd7375de88a74976dcd402b29088e479ed",
"status": "affected",
"version": "40d957e6f9eb3a8a585007b8b730340c829afbdb",
"versionType": "git"
},
{
"lessThan": "953eb3796ef06b8ea3bf6bdde14156255bc75866",
"status": "affected",
"version": "40d957e6f9eb3a8a585007b8b730340c829afbdb",
"versionType": "git"
},
{
"lessThan": "363448d069e29685ca37a118065121e486387af3",
"status": "affected",
"version": "40d957e6f9eb3a8a585007b8b730340c829afbdb",
"versionType": "git"
},
{
"lessThan": "49a6c160ad4812476f8ae1a8f4ed6d15adfa6c09",
"status": "affected",
"version": "40d957e6f9eb3a8a585007b8b730340c829afbdb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pci/controller/cadence/pcie-cadence-host.c",
"drivers/pci/controller/cadence/pcie-cadence.c",
"drivers/pci/controller/cadence/pcie-cadence.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: cadence: Check for the existence of cdns_pcie::ops before using it\n\ncdns_pcie::ops might not be populated by all the Cadence glue drivers. This\nis going to be true for the upcoming Sophgo platform which doesn\u0027t set the\nops.\n\nHence, add a check to prevent NULL pointer dereference.\n\n[mani: reworded subject and description]"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:34:04.730Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d5dbe92ac8a4ca6226093241f95f9cb1b0d2e0e1"
},
{
"url": "https://git.kernel.org/stable/c/eb3d29ca0820fa3d7cccad47d2da56c9ab5469ed"
},
{
"url": "https://git.kernel.org/stable/c/0d0bb756f002810d249caee51f3f1c309f3cdab5"
},
{
"url": "https://git.kernel.org/stable/c/1810b2fd7375de88a74976dcd402b29088e479ed"
},
{
"url": "https://git.kernel.org/stable/c/953eb3796ef06b8ea3bf6bdde14156255bc75866"
},
{
"url": "https://git.kernel.org/stable/c/363448d069e29685ca37a118065121e486387af3"
},
{
"url": "https://git.kernel.org/stable/c/49a6c160ad4812476f8ae1a8f4ed6d15adfa6c09"
}
],
"title": "PCI: cadence: Check for the existence of cdns_pcie::ops before using it",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68176",
"datePublished": "2025-12-16T13:42:55.616Z",
"dateReserved": "2025-12-16T13:41:40.251Z",
"dateUpdated": "2026-01-02T15:34:04.730Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40055 (GCVE-0-2025-40055)
Vulnerability from cvelistv5
Published
2025-10-28 11:48
Modified
2025-12-01 06:17
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ocfs2: fix double free in user_cluster_connect()
user_cluster_disconnect() frees "conn->cc_private" which is "lc" but then
the error handling frees "lc" a second time. Set "lc" to NULL on this
path to avoid a double free.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: c994c2ebdbbc391a42f177c8eb7882ebf3f142d8 Version: c994c2ebdbbc391a42f177c8eb7882ebf3f142d8 Version: c994c2ebdbbc391a42f177c8eb7882ebf3f142d8 Version: c994c2ebdbbc391a42f177c8eb7882ebf3f142d8 Version: c994c2ebdbbc391a42f177c8eb7882ebf3f142d8 Version: c994c2ebdbbc391a42f177c8eb7882ebf3f142d8 Version: c994c2ebdbbc391a42f177c8eb7882ebf3f142d8 Version: c994c2ebdbbc391a42f177c8eb7882ebf3f142d8 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ocfs2/stack_user.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "283333079d96c84baa91f0c62b5e0cbec246b7a2",
"status": "affected",
"version": "c994c2ebdbbc391a42f177c8eb7882ebf3f142d8",
"versionType": "git"
},
{
"lessThan": "f992bc72f681c32a682d474a29c2135a64d4f4e5",
"status": "affected",
"version": "c994c2ebdbbc391a42f177c8eb7882ebf3f142d8",
"versionType": "git"
},
{
"lessThan": "827c8efa0d1afe817b90f3618afff552e88348d2",
"status": "affected",
"version": "c994c2ebdbbc391a42f177c8eb7882ebf3f142d8",
"versionType": "git"
},
{
"lessThan": "bfe011297ddd2d0cd64752978baaa0c04cd20573",
"status": "affected",
"version": "c994c2ebdbbc391a42f177c8eb7882ebf3f142d8",
"versionType": "git"
},
{
"lessThan": "7e76fe9dfadbc00364d7523d5a109e9d3e4a7db2",
"status": "affected",
"version": "c994c2ebdbbc391a42f177c8eb7882ebf3f142d8",
"versionType": "git"
},
{
"lessThan": "694d5b401036a614f8080085a9de6f86ff0742dc",
"status": "affected",
"version": "c994c2ebdbbc391a42f177c8eb7882ebf3f142d8",
"versionType": "git"
},
{
"lessThan": "892f41e12c8689130d552a9eb2b77bafd26484ab",
"status": "affected",
"version": "c994c2ebdbbc391a42f177c8eb7882ebf3f142d8",
"versionType": "git"
},
{
"lessThan": "8f45f089337d924db24397f55697cda0e6960516",
"status": "affected",
"version": "c994c2ebdbbc391a42f177c8eb7882ebf3f142d8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ocfs2/stack_user.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.14"
},
{
"lessThan": "3.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix double free in user_cluster_connect()\n\nuser_cluster_disconnect() frees \"conn-\u003ecc_private\" which is \"lc\" but then\nthe error handling frees \"lc\" a second time. Set \"lc\" to NULL on this\npath to avoid a double free."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:17:03.000Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/283333079d96c84baa91f0c62b5e0cbec246b7a2"
},
{
"url": "https://git.kernel.org/stable/c/f992bc72f681c32a682d474a29c2135a64d4f4e5"
},
{
"url": "https://git.kernel.org/stable/c/827c8efa0d1afe817b90f3618afff552e88348d2"
},
{
"url": "https://git.kernel.org/stable/c/bfe011297ddd2d0cd64752978baaa0c04cd20573"
},
{
"url": "https://git.kernel.org/stable/c/7e76fe9dfadbc00364d7523d5a109e9d3e4a7db2"
},
{
"url": "https://git.kernel.org/stable/c/694d5b401036a614f8080085a9de6f86ff0742dc"
},
{
"url": "https://git.kernel.org/stable/c/892f41e12c8689130d552a9eb2b77bafd26484ab"
},
{
"url": "https://git.kernel.org/stable/c/8f45f089337d924db24397f55697cda0e6960516"
}
],
"title": "ocfs2: fix double free in user_cluster_connect()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40055",
"datePublished": "2025-10-28T11:48:29.665Z",
"dateReserved": "2025-04-16T07:20:57.157Z",
"dateUpdated": "2025-12-01T06:17:03.000Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68758 (GCVE-0-2025-68758)
Vulnerability from cvelistv5
Published
2026-01-05 09:32
Modified
2026-02-09 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
backlight: led-bl: Add devlink to supplier LEDs
LED Backlight is a consumer of one or multiple LED class devices, but
devlink is currently unable to create correct supplier-producer links when
the supplier is a class device. It creates instead a link where the
supplier is the parent of the expected device.
One consequence is that removal order is not correctly enforced.
Issues happen for example with the following sections in a device tree
overlay:
// An LED driver chip
pca9632@62 {
compatible = "nxp,pca9632";
reg = <0x62>;
// ...
addon_led_pwm: led-pwm@3 {
reg = <3>;
label = "addon:led:pwm";
};
};
backlight-addon {
compatible = "led-backlight";
leds = <&addon_led_pwm>;
brightness-levels = <255>;
default-brightness-level = <255>;
};
In this example, the devlink should be created between the backlight-addon
(consumer) and the pca9632@62 (supplier). Instead it is created between the
backlight-addon (consumer) and the parent of the pca9632@62, which is
typically the I2C bus adapter.
On removal of the above overlay, the LED driver can be removed before the
backlight device, resulting in:
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010
...
Call trace:
led_put+0xe0/0x140
devm_led_release+0x6c/0x98
Another way to reproduce the bug without any device tree overlays is
unbinding the LED class device (pca9632@62) before unbinding the consumer
(backlight-addon):
echo 11-0062 >/sys/bus/i2c/drivers/leds-pca963x/unbind
echo ...backlight-dock >/sys/bus/platform/drivers/led-backlight/unbind
Fix by adding a devlink between the consuming led-backlight device and the
supplying LED device, as other drivers and subsystems do as well.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: ae232e45acf9621f2c96b41ca3af006ac7552c33 Version: ae232e45acf9621f2c96b41ca3af006ac7552c33 Version: ae232e45acf9621f2c96b41ca3af006ac7552c33 Version: ae232e45acf9621f2c96b41ca3af006ac7552c33 Version: ae232e45acf9621f2c96b41ca3af006ac7552c33 Version: ae232e45acf9621f2c96b41ca3af006ac7552c33 Version: ae232e45acf9621f2c96b41ca3af006ac7552c33 Version: ae232e45acf9621f2c96b41ca3af006ac7552c33 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/video/backlight/led_bl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "64739adf3eef063b8e2c72b7e919eac8c6480bf0",
"status": "affected",
"version": "ae232e45acf9621f2c96b41ca3af006ac7552c33",
"versionType": "git"
},
{
"lessThan": "cd01a24b3e52d6777b49c917d841f125fe9eebd0",
"status": "affected",
"version": "ae232e45acf9621f2c96b41ca3af006ac7552c33",
"versionType": "git"
},
{
"lessThan": "e06df738a9ad8417f1c4c7cd6992cda320e9e7ca",
"status": "affected",
"version": "ae232e45acf9621f2c96b41ca3af006ac7552c33",
"versionType": "git"
},
{
"lessThan": "30cbe4b642745a9488a0f0d78be43afe69d7555c",
"status": "affected",
"version": "ae232e45acf9621f2c96b41ca3af006ac7552c33",
"versionType": "git"
},
{
"lessThan": "0e63ea4378489e09eb5e920c8a50c10caacf563a",
"status": "affected",
"version": "ae232e45acf9621f2c96b41ca3af006ac7552c33",
"versionType": "git"
},
{
"lessThan": "60a24070392ec726ccfe6ad1ca7b0381c8d8f7c9",
"status": "affected",
"version": "ae232e45acf9621f2c96b41ca3af006ac7552c33",
"versionType": "git"
},
{
"lessThan": "08c9dc6b0f2c68e5e7c374ac4499e321e435d46c",
"status": "affected",
"version": "ae232e45acf9621f2c96b41ca3af006ac7552c33",
"versionType": "git"
},
{
"lessThan": "9341d6698f4cfdfc374fb6944158d111ebe16a9d",
"status": "affected",
"version": "ae232e45acf9621f2c96b41ca3af006ac7552c33",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/video/backlight/led_bl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbacklight: led-bl: Add devlink to supplier LEDs\n\nLED Backlight is a consumer of one or multiple LED class devices, but\ndevlink is currently unable to create correct supplier-producer links when\nthe supplier is a class device. It creates instead a link where the\nsupplier is the parent of the expected device.\n\nOne consequence is that removal order is not correctly enforced.\n\nIssues happen for example with the following sections in a device tree\noverlay:\n\n // An LED driver chip\n pca9632@62 {\n compatible = \"nxp,pca9632\";\n reg = \u003c0x62\u003e;\n\n\t// ...\n\n addon_led_pwm: led-pwm@3 {\n reg = \u003c3\u003e;\n label = \"addon:led:pwm\";\n };\n };\n\n backlight-addon {\n compatible = \"led-backlight\";\n leds = \u003c\u0026addon_led_pwm\u003e;\n brightness-levels = \u003c255\u003e;\n default-brightness-level = \u003c255\u003e;\n };\n\nIn this example, the devlink should be created between the backlight-addon\n(consumer) and the pca9632@62 (supplier). Instead it is created between the\nbacklight-addon (consumer) and the parent of the pca9632@62, which is\ntypically the I2C bus adapter.\n\nOn removal of the above overlay, the LED driver can be removed before the\nbacklight device, resulting in:\n\n Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010\n ...\n Call trace:\n led_put+0xe0/0x140\n devm_led_release+0x6c/0x98\n\nAnother way to reproduce the bug without any device tree overlays is\nunbinding the LED class device (pca9632@62) before unbinding the consumer\n(backlight-addon):\n\n echo 11-0062 \u003e/sys/bus/i2c/drivers/leds-pca963x/unbind\n echo ...backlight-dock \u003e/sys/bus/platform/drivers/led-backlight/unbind\n\nFix by adding a devlink between the consuming led-backlight device and the\nsupplying LED device, as other drivers and subsystems do as well."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:02.847Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/64739adf3eef063b8e2c72b7e919eac8c6480bf0"
},
{
"url": "https://git.kernel.org/stable/c/cd01a24b3e52d6777b49c917d841f125fe9eebd0"
},
{
"url": "https://git.kernel.org/stable/c/e06df738a9ad8417f1c4c7cd6992cda320e9e7ca"
},
{
"url": "https://git.kernel.org/stable/c/30cbe4b642745a9488a0f0d78be43afe69d7555c"
},
{
"url": "https://git.kernel.org/stable/c/0e63ea4378489e09eb5e920c8a50c10caacf563a"
},
{
"url": "https://git.kernel.org/stable/c/60a24070392ec726ccfe6ad1ca7b0381c8d8f7c9"
},
{
"url": "https://git.kernel.org/stable/c/08c9dc6b0f2c68e5e7c374ac4499e321e435d46c"
},
{
"url": "https://git.kernel.org/stable/c/9341d6698f4cfdfc374fb6944158d111ebe16a9d"
}
],
"title": "backlight: led-bl: Add devlink to supplier LEDs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68758",
"datePublished": "2026-01-05T09:32:31.399Z",
"dateReserved": "2025-12-24T10:30:51.033Z",
"dateUpdated": "2026-02-09T08:33:02.847Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68810 (GCVE-0-2025-68810)
Vulnerability from cvelistv5
Published
2026-01-13 15:29
Modified
2026-02-09 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: Disallow toggling KVM_MEM_GUEST_MEMFD on an existing memslot
Reject attempts to disable KVM_MEM_GUEST_MEMFD on a memslot that was
initially created with a guest_memfd binding, as KVM doesn't support
toggling KVM_MEM_GUEST_MEMFD on existing memslots. KVM prevents enabling
KVM_MEM_GUEST_MEMFD, but doesn't prevent clearing the flag.
Failure to reject the new memslot results in a use-after-free due to KVM
not unbinding from the guest_memfd instance. Unbinding on a FLAGS_ONLY
change is easy enough, and can/will be done as a hardening measure (in
anticipation of KVM supporting dirty logging on guest_memfd at some point),
but fixing the use-after-free would only address the immediate symptom.
==================================================================
BUG: KASAN: slab-use-after-free in kvm_gmem_release+0x362/0x400 [kvm]
Write of size 8 at addr ffff8881111ae908 by task repro/745
CPU: 7 UID: 1000 PID: 745 Comm: repro Not tainted 6.18.0-rc6-115d5de2eef3-next-kasan #3 NONE
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
Call Trace:
<TASK>
dump_stack_lvl+0x51/0x60
print_report+0xcb/0x5c0
kasan_report+0xb4/0xe0
kvm_gmem_release+0x362/0x400 [kvm]
__fput+0x2fa/0x9d0
task_work_run+0x12c/0x200
do_exit+0x6ae/0x2100
do_group_exit+0xa8/0x230
__x64_sys_exit_group+0x3a/0x50
x64_sys_call+0x737/0x740
do_syscall_64+0x5b/0x900
entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x7f581f2eac31
</TASK>
Allocated by task 745 on cpu 6 at 9.746971s:
kasan_save_stack+0x20/0x40
kasan_save_track+0x13/0x50
__kasan_kmalloc+0x77/0x90
kvm_set_memory_region.part.0+0x652/0x1110 [kvm]
kvm_vm_ioctl+0x14b0/0x3290 [kvm]
__x64_sys_ioctl+0x129/0x1a0
do_syscall_64+0x5b/0x900
entry_SYSCALL_64_after_hwframe+0x4b/0x53
Freed by task 745 on cpu 6 at 9.747467s:
kasan_save_stack+0x20/0x40
kasan_save_track+0x13/0x50
__kasan_save_free_info+0x37/0x50
__kasan_slab_free+0x3b/0x60
kfree+0xf5/0x440
kvm_set_memslot+0x3c2/0x1160 [kvm]
kvm_set_memory_region.part.0+0x86a/0x1110 [kvm]
kvm_vm_ioctl+0x14b0/0x3290 [kvm]
__x64_sys_ioctl+0x129/0x1a0
do_syscall_64+0x5b/0x900
entry_SYSCALL_64_after_hwframe+0x4b/0x53
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"virt/kvm/kvm_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "89dbbe6ff323fc34659621a577fe0af913f47386",
"status": "affected",
"version": "a7800aa80ea4d5356b8474c2302812e9d4926fa6",
"versionType": "git"
},
{
"lessThan": "cb51bef465d8ec60a968507330e01020e35dc127",
"status": "affected",
"version": "a7800aa80ea4d5356b8474c2302812e9d4926fa6",
"versionType": "git"
},
{
"lessThan": "9935df5333aa503a18de5071f53762b65c783c4c",
"status": "affected",
"version": "a7800aa80ea4d5356b8474c2302812e9d4926fa6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"virt/kvm/kvm_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: Disallow toggling KVM_MEM_GUEST_MEMFD on an existing memslot\n\nReject attempts to disable KVM_MEM_GUEST_MEMFD on a memslot that was\ninitially created with a guest_memfd binding, as KVM doesn\u0027t support\ntoggling KVM_MEM_GUEST_MEMFD on existing memslots. KVM prevents enabling\nKVM_MEM_GUEST_MEMFD, but doesn\u0027t prevent clearing the flag.\n\nFailure to reject the new memslot results in a use-after-free due to KVM\nnot unbinding from the guest_memfd instance. Unbinding on a FLAGS_ONLY\nchange is easy enough, and can/will be done as a hardening measure (in\nanticipation of KVM supporting dirty logging on guest_memfd at some point),\nbut fixing the use-after-free would only address the immediate symptom.\n\n ==================================================================\n BUG: KASAN: slab-use-after-free in kvm_gmem_release+0x362/0x400 [kvm]\n Write of size 8 at addr ffff8881111ae908 by task repro/745\n\n CPU: 7 UID: 1000 PID: 745 Comm: repro Not tainted 6.18.0-rc6-115d5de2eef3-next-kasan #3 NONE\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x51/0x60\n print_report+0xcb/0x5c0\n kasan_report+0xb4/0xe0\n kvm_gmem_release+0x362/0x400 [kvm]\n __fput+0x2fa/0x9d0\n task_work_run+0x12c/0x200\n do_exit+0x6ae/0x2100\n do_group_exit+0xa8/0x230\n __x64_sys_exit_group+0x3a/0x50\n x64_sys_call+0x737/0x740\n do_syscall_64+0x5b/0x900\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n RIP: 0033:0x7f581f2eac31\n \u003c/TASK\u003e\n\n Allocated by task 745 on cpu 6 at 9.746971s:\n kasan_save_stack+0x20/0x40\n kasan_save_track+0x13/0x50\n __kasan_kmalloc+0x77/0x90\n kvm_set_memory_region.part.0+0x652/0x1110 [kvm]\n kvm_vm_ioctl+0x14b0/0x3290 [kvm]\n __x64_sys_ioctl+0x129/0x1a0\n do_syscall_64+0x5b/0x900\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\n Freed by task 745 on cpu 6 at 9.747467s:\n kasan_save_stack+0x20/0x40\n kasan_save_track+0x13/0x50\n __kasan_save_free_info+0x37/0x50\n __kasan_slab_free+0x3b/0x60\n kfree+0xf5/0x440\n kvm_set_memslot+0x3c2/0x1160 [kvm]\n kvm_set_memory_region.part.0+0x86a/0x1110 [kvm]\n kvm_vm_ioctl+0x14b0/0x3290 [kvm]\n __x64_sys_ioctl+0x129/0x1a0\n do_syscall_64+0x5b/0x900\n entry_SYSCALL_64_after_hwframe+0x4b/0x53"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:59.332Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/89dbbe6ff323fc34659621a577fe0af913f47386"
},
{
"url": "https://git.kernel.org/stable/c/cb51bef465d8ec60a968507330e01020e35dc127"
},
{
"url": "https://git.kernel.org/stable/c/9935df5333aa503a18de5071f53762b65c783c4c"
}
],
"title": "KVM: Disallow toggling KVM_MEM_GUEST_MEMFD on an existing memslot",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68810",
"datePublished": "2026-01-13T15:29:16.475Z",
"dateReserved": "2025-12-24T10:30:51.047Z",
"dateUpdated": "2026-02-09T08:33:59.332Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23096 (GCVE-0-2026-23096)
Vulnerability from cvelistv5
Published
2026-02-04 16:08
Modified
2026-02-09 08:38
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
uacce: fix cdev handling in the cleanup path
When cdev_device_add fails, it internally releases the cdev memory,
and if cdev_device_del is then executed, it will cause a hang error.
To fix it, we check the return value of cdev_device_add() and clear
uacce->cdev to avoid calling cdev_device_del in the uacce_remove.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 015d239ac0142ad0e26567fd890ef8d171f13709 Version: 015d239ac0142ad0e26567fd890ef8d171f13709 Version: 015d239ac0142ad0e26567fd890ef8d171f13709 Version: 015d239ac0142ad0e26567fd890ef8d171f13709 Version: 015d239ac0142ad0e26567fd890ef8d171f13709 Version: 015d239ac0142ad0e26567fd890ef8d171f13709 Version: 015d239ac0142ad0e26567fd890ef8d171f13709 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/misc/uacce/uacce.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c94c7188d325bc5137d447d67a2f18f7d4f2f4a3",
"status": "affected",
"version": "015d239ac0142ad0e26567fd890ef8d171f13709",
"versionType": "git"
},
{
"lessThan": "1bc3e51367c420e6db31f41efa874c7a8e12194a",
"status": "affected",
"version": "015d239ac0142ad0e26567fd890ef8d171f13709",
"versionType": "git"
},
{
"lessThan": "819d647406200d0e83e56fd2df8f451b11290559",
"status": "affected",
"version": "015d239ac0142ad0e26567fd890ef8d171f13709",
"versionType": "git"
},
{
"lessThan": "d9031575a2f8aabc53af3025dd79af313a2e046b",
"status": "affected",
"version": "015d239ac0142ad0e26567fd890ef8d171f13709",
"versionType": "git"
},
{
"lessThan": "98d67a1bd6caddd0a8b8c82a0b925742cf500936",
"status": "affected",
"version": "015d239ac0142ad0e26567fd890ef8d171f13709",
"versionType": "git"
},
{
"lessThan": "bd2393ed7712513e7e2dbcb6e21464a67ff9e702",
"status": "affected",
"version": "015d239ac0142ad0e26567fd890ef8d171f13709",
"versionType": "git"
},
{
"lessThan": "a3bece3678f6c88db1f44c602b2a63e84b4040ac",
"status": "affected",
"version": "015d239ac0142ad0e26567fd890ef8d171f13709",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/misc/uacce/uacce.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nuacce: fix cdev handling in the cleanup path\n\nWhen cdev_device_add fails, it internally releases the cdev memory,\nand if cdev_device_del is then executed, it will cause a hang error.\nTo fix it, we check the return value of cdev_device_add() and clear\nuacce-\u003ecdev to avoid calling cdev_device_del in the uacce_remove."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:38:36.700Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c94c7188d325bc5137d447d67a2f18f7d4f2f4a3"
},
{
"url": "https://git.kernel.org/stable/c/1bc3e51367c420e6db31f41efa874c7a8e12194a"
},
{
"url": "https://git.kernel.org/stable/c/819d647406200d0e83e56fd2df8f451b11290559"
},
{
"url": "https://git.kernel.org/stable/c/d9031575a2f8aabc53af3025dd79af313a2e046b"
},
{
"url": "https://git.kernel.org/stable/c/98d67a1bd6caddd0a8b8c82a0b925742cf500936"
},
{
"url": "https://git.kernel.org/stable/c/bd2393ed7712513e7e2dbcb6e21464a67ff9e702"
},
{
"url": "https://git.kernel.org/stable/c/a3bece3678f6c88db1f44c602b2a63e84b4040ac"
}
],
"title": "uacce: fix cdev handling in the cleanup path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23096",
"datePublished": "2026-02-04T16:08:18.785Z",
"dateReserved": "2026-01-13T15:37:45.964Z",
"dateUpdated": "2026-02-09T08:38:36.700Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-58011 (GCVE-0-2024-58011)
Vulnerability from cvelistv5
Published
2025-02-27 02:12
Modified
2025-11-03 19:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
platform/x86: int3472: Check for adev == NULL
Not all devices have an ACPI companion fwnode, so adev might be NULL. This
can e.g. (theoretically) happen when a user manually binds one of
the int3472 drivers to another i2c/platform device through sysfs.
Add a check for adev not being set and return -ENODEV in that case to
avoid a possible NULL pointer deref in skl_int3472_get_acpi_buffer().
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 5de691bffe57fd0fc2b4dcdcf13815c56d11db10 Version: 5de691bffe57fd0fc2b4dcdcf13815c56d11db10 Version: 5de691bffe57fd0fc2b4dcdcf13815c56d11db10 Version: 5de691bffe57fd0fc2b4dcdcf13815c56d11db10 Version: 5de691bffe57fd0fc2b4dcdcf13815c56d11db10 Version: 5de691bffe57fd0fc2b4dcdcf13815c56d11db10 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-58011",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T20:08:30.268538Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T20:17:05.389Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:33:26.924Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/platform/x86/intel/int3472/discrete.c",
"drivers/platform/x86/intel/int3472/tps68470.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "46263a0b687a044e645387a9c7692ccd693f09f1",
"status": "affected",
"version": "5de691bffe57fd0fc2b4dcdcf13815c56d11db10",
"versionType": "git"
},
{
"lessThan": "4f8b210823cc2d1f9d967f089a6c00d025bb237f",
"status": "affected",
"version": "5de691bffe57fd0fc2b4dcdcf13815c56d11db10",
"versionType": "git"
},
{
"lessThan": "f9c7cc44758f4930b41285a6d54afa8cbd9762b4",
"status": "affected",
"version": "5de691bffe57fd0fc2b4dcdcf13815c56d11db10",
"versionType": "git"
},
{
"lessThan": "0a30353beca2693d30bde477024d755ffecea514",
"status": "affected",
"version": "5de691bffe57fd0fc2b4dcdcf13815c56d11db10",
"versionType": "git"
},
{
"lessThan": "a808ecf878ad646ebc9c83d9fc4ce72fd9c49d3d",
"status": "affected",
"version": "5de691bffe57fd0fc2b4dcdcf13815c56d11db10",
"versionType": "git"
},
{
"lessThan": "cd2fd6eab480dfc247b737cf7a3d6b009c4d0f1c",
"status": "affected",
"version": "5de691bffe57fd0fc2b4dcdcf13815c56d11db10",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/platform/x86/intel/int3472/discrete.c",
"drivers/platform/x86/intel/int3472/tps68470.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.78",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.14",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.3",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: int3472: Check for adev == NULL\n\nNot all devices have an ACPI companion fwnode, so adev might be NULL. This\ncan e.g. (theoretically) happen when a user manually binds one of\nthe int3472 drivers to another i2c/platform device through sysfs.\n\nAdd a check for adev not being set and return -ENODEV in that case to\navoid a possible NULL pointer deref in skl_int3472_get_acpi_buffer()."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-19T14:48:47.102Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/46263a0b687a044e645387a9c7692ccd693f09f1"
},
{
"url": "https://git.kernel.org/stable/c/4f8b210823cc2d1f9d967f089a6c00d025bb237f"
},
{
"url": "https://git.kernel.org/stable/c/f9c7cc44758f4930b41285a6d54afa8cbd9762b4"
},
{
"url": "https://git.kernel.org/stable/c/0a30353beca2693d30bde477024d755ffecea514"
},
{
"url": "https://git.kernel.org/stable/c/a808ecf878ad646ebc9c83d9fc4ce72fd9c49d3d"
},
{
"url": "https://git.kernel.org/stable/c/cd2fd6eab480dfc247b737cf7a3d6b009c4d0f1c"
}
],
"title": "platform/x86: int3472: Check for adev == NULL",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-58011",
"datePublished": "2025-02-27T02:12:05.675Z",
"dateReserved": "2025-02-27T02:10:48.227Z",
"dateUpdated": "2025-11-03T19:33:26.924Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71188 (GCVE-0-2025-71188)
Vulnerability from cvelistv5
Published
2026-01-31 11:41
Modified
2026-02-09 08:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: lpc18xx-dmamux: fix device leak on route allocation
Make sure to drop the reference taken when looking up the DMA mux
platform device during route allocation.
Note that holding a reference to a device does not prevent its driver
data from going away so there is no point in keeping the reference.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: e5f4ae84be7421010780984bdc121eac15997327 Version: e5f4ae84be7421010780984bdc121eac15997327 Version: e5f4ae84be7421010780984bdc121eac15997327 Version: e5f4ae84be7421010780984bdc121eac15997327 Version: e5f4ae84be7421010780984bdc121eac15997327 Version: e5f4ae84be7421010780984bdc121eac15997327 Version: e5f4ae84be7421010780984bdc121eac15997327 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/lpc18xx-dmamux.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3d396ebfb3049a2b5fac51d2c967db5114b685e8",
"status": "affected",
"version": "e5f4ae84be7421010780984bdc121eac15997327",
"versionType": "git"
},
{
"lessThan": "499ddae78c4baa9b94df76b2d2eb6b150d15377f",
"status": "affected",
"version": "e5f4ae84be7421010780984bdc121eac15997327",
"versionType": "git"
},
{
"lessThan": "adef147a8d8c3d767abf88ad2c381ffab2993086",
"status": "affected",
"version": "e5f4ae84be7421010780984bdc121eac15997327",
"versionType": "git"
},
{
"lessThan": "9fba97baa520c9446df51a64708daf27c5a7ed32",
"status": "affected",
"version": "e5f4ae84be7421010780984bdc121eac15997327",
"versionType": "git"
},
{
"lessThan": "992eb8055a6e5dbb808672d20d68e60d5a89b12b",
"status": "affected",
"version": "e5f4ae84be7421010780984bdc121eac15997327",
"versionType": "git"
},
{
"lessThan": "1e47d80f6720f0224efd19bcf081d39637569c10",
"status": "affected",
"version": "e5f4ae84be7421010780984bdc121eac15997327",
"versionType": "git"
},
{
"lessThan": "d4d63059dee7e7cae0c4d9a532ed558bc90efb55",
"status": "affected",
"version": "e5f4ae84be7421010780984bdc121eac15997327",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/lpc18xx-dmamux.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.3"
},
{
"lessThan": "4.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: lpc18xx-dmamux: fix device leak on route allocation\n\nMake sure to drop the reference taken when looking up the DMA mux\nplatform device during route allocation.\n\nNote that holding a reference to a device does not prevent its driver\ndata from going away so there is no point in keeping the reference."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:12.766Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3d396ebfb3049a2b5fac51d2c967db5114b685e8"
},
{
"url": "https://git.kernel.org/stable/c/499ddae78c4baa9b94df76b2d2eb6b150d15377f"
},
{
"url": "https://git.kernel.org/stable/c/adef147a8d8c3d767abf88ad2c381ffab2993086"
},
{
"url": "https://git.kernel.org/stable/c/9fba97baa520c9446df51a64708daf27c5a7ed32"
},
{
"url": "https://git.kernel.org/stable/c/992eb8055a6e5dbb808672d20d68e60d5a89b12b"
},
{
"url": "https://git.kernel.org/stable/c/1e47d80f6720f0224efd19bcf081d39637569c10"
},
{
"url": "https://git.kernel.org/stable/c/d4d63059dee7e7cae0c4d9a532ed558bc90efb55"
}
],
"title": "dmaengine: lpc18xx-dmamux: fix device leak on route allocation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71188",
"datePublished": "2026-01-31T11:41:59.624Z",
"dateReserved": "2026-01-31T11:36:51.188Z",
"dateUpdated": "2026-02-09T08:36:12.766Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68331 (GCVE-0-2025-68331)
Vulnerability from cvelistv5
Published
2025-12-22 16:12
Modified
2025-12-22 16:14
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: uas: fix urb unmapping issue when the uas device is remove during ongoing data transfer
When a UAS device is unplugged during data transfer, there is
a probability of a system panic occurring. The root cause is
an access to an invalid memory address during URB callback handling.
Specifically, this happens when the dma_direct_unmap_sg() function
is called within the usb_hcd_unmap_urb_for_dma() interface, but the
sg->dma_address field is 0 and the sg data structure has already been
freed.
The SCSI driver sends transfer commands by invoking uas_queuecommand_lck()
in uas.c, using the uas_submit_urbs() function to submit requests to USB.
Within the uas_submit_urbs() implementation, three URBs (sense_urb,
data_urb, and cmd_urb) are sequentially submitted. Device removal may
occur at any point during uas_submit_urbs execution, which may result
in URB submission failure. However, some URBs might have been successfully
submitted before the failure, and uas_submit_urbs will return the -ENODEV
error code in this case. The current error handling directly calls
scsi_done(). In the SCSI driver, this eventually triggers scsi_complete()
to invoke scsi_end_request() for releasing the sgtable. The successfully
submitted URBs, when being unlinked to giveback, call
usb_hcd_unmap_urb_for_dma() in hcd.c, leading to exceptions during sg
unmapping operations since the sg data structure has already been freed.
This patch modifies the error condition check in the uas_submit_urbs()
function. When a UAS device is removed but one or more URBs have already
been successfully submitted to USB, it avoids immediately invoking
scsi_done() and save the cmnd to devinfo->cmnd array. If the successfully
submitted URBs is completed before devinfo->resetting being set, then
the scsi_done() function will be called within uas_try_complete() after
all pending URB operations are finalized. Otherwise, the scsi_done()
function will be called within uas_zap_pending(), which is executed after
usb_kill_anchored_urbs().
The error handling only takes effect when uas_queuecommand_lck() calls
uas_submit_urbs() and returns the error value -ENODEV . In this case,
the device is disconnected, and the flow proceeds to uas_disconnect(),
where uas_zap_pending() is invoked to call uas_try_complete().
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: eb2a86ae8c544be0ab04aa8169390c0669bc7148 Version: eb2a86ae8c544be0ab04aa8169390c0669bc7148 Version: eb2a86ae8c544be0ab04aa8169390c0669bc7148 Version: eb2a86ae8c544be0ab04aa8169390c0669bc7148 Version: eb2a86ae8c544be0ab04aa8169390c0669bc7148 Version: eb2a86ae8c544be0ab04aa8169390c0669bc7148 Version: eb2a86ae8c544be0ab04aa8169390c0669bc7148 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/storage/uas.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6289fc489e94c9beb6be2b502ccc263663733d72",
"status": "affected",
"version": "eb2a86ae8c544be0ab04aa8169390c0669bc7148",
"versionType": "git"
},
{
"lessThan": "66ac05e7b0d6bbd1bee9fcf729e20fd4cce86d17",
"status": "affected",
"version": "eb2a86ae8c544be0ab04aa8169390c0669bc7148",
"versionType": "git"
},
{
"lessThan": "75f8e2643085db4f7e136fc6b368eb114dd80a64",
"status": "affected",
"version": "eb2a86ae8c544be0ab04aa8169390c0669bc7148",
"versionType": "git"
},
{
"lessThan": "e3a55221f4de080cb7a91ba10f01c4f708603f8d",
"status": "affected",
"version": "eb2a86ae8c544be0ab04aa8169390c0669bc7148",
"versionType": "git"
},
{
"lessThan": "2b90a8131c83f6f2be69397d2b7d14d217d95d2f",
"status": "affected",
"version": "eb2a86ae8c544be0ab04aa8169390c0669bc7148",
"versionType": "git"
},
{
"lessThan": "426edbfc88b22601ea34a441a469092e7b301c52",
"status": "affected",
"version": "eb2a86ae8c544be0ab04aa8169390c0669bc7148",
"versionType": "git"
},
{
"lessThan": "26d56a9fcb2014b99e654127960aa0a48a391e3c",
"status": "affected",
"version": "eb2a86ae8c544be0ab04aa8169390c0669bc7148",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/storage/uas.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: uas: fix urb unmapping issue when the uas device is remove during ongoing data transfer\n\nWhen a UAS device is unplugged during data transfer, there is\na probability of a system panic occurring. The root cause is\nan access to an invalid memory address during URB callback handling.\nSpecifically, this happens when the dma_direct_unmap_sg() function\nis called within the usb_hcd_unmap_urb_for_dma() interface, but the\nsg-\u003edma_address field is 0 and the sg data structure has already been\nfreed.\n\nThe SCSI driver sends transfer commands by invoking uas_queuecommand_lck()\nin uas.c, using the uas_submit_urbs() function to submit requests to USB.\nWithin the uas_submit_urbs() implementation, three URBs (sense_urb,\ndata_urb, and cmd_urb) are sequentially submitted. Device removal may\noccur at any point during uas_submit_urbs execution, which may result\nin URB submission failure. However, some URBs might have been successfully\nsubmitted before the failure, and uas_submit_urbs will return the -ENODEV\nerror code in this case. The current error handling directly calls\nscsi_done(). In the SCSI driver, this eventually triggers scsi_complete()\nto invoke scsi_end_request() for releasing the sgtable. The successfully\nsubmitted URBs, when being unlinked to giveback, call\nusb_hcd_unmap_urb_for_dma() in hcd.c, leading to exceptions during sg\nunmapping operations since the sg data structure has already been freed.\n\nThis patch modifies the error condition check in the uas_submit_urbs()\nfunction. When a UAS device is removed but one or more URBs have already\nbeen successfully submitted to USB, it avoids immediately invoking\nscsi_done() and save the cmnd to devinfo-\u003ecmnd array. If the successfully\nsubmitted URBs is completed before devinfo-\u003eresetting being set, then\nthe scsi_done() function will be called within uas_try_complete() after\nall pending URB operations are finalized. Otherwise, the scsi_done()\nfunction will be called within uas_zap_pending(), which is executed after\nusb_kill_anchored_urbs().\n\nThe error handling only takes effect when uas_queuecommand_lck() calls\nuas_submit_urbs() and returns the error value -ENODEV . In this case,\nthe device is disconnected, and the flow proceeds to uas_disconnect(),\nwhere uas_zap_pending() is invoked to call uas_try_complete()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-22T16:14:09.243Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6289fc489e94c9beb6be2b502ccc263663733d72"
},
{
"url": "https://git.kernel.org/stable/c/66ac05e7b0d6bbd1bee9fcf729e20fd4cce86d17"
},
{
"url": "https://git.kernel.org/stable/c/75f8e2643085db4f7e136fc6b368eb114dd80a64"
},
{
"url": "https://git.kernel.org/stable/c/e3a55221f4de080cb7a91ba10f01c4f708603f8d"
},
{
"url": "https://git.kernel.org/stable/c/2b90a8131c83f6f2be69397d2b7d14d217d95d2f"
},
{
"url": "https://git.kernel.org/stable/c/426edbfc88b22601ea34a441a469092e7b301c52"
},
{
"url": "https://git.kernel.org/stable/c/26d56a9fcb2014b99e654127960aa0a48a391e3c"
}
],
"title": "usb: uas: fix urb unmapping issue when the uas device is remove during ongoing data transfer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68331",
"datePublished": "2025-12-22T16:12:24.607Z",
"dateReserved": "2025-12-16T14:48:05.296Z",
"dateUpdated": "2025-12-22T16:14:09.243Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40183 (GCVE-0-2025-40183)
Vulnerability from cvelistv5
Published
2025-11-12 21:56
Modified
2025-12-01 06:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6}
Cilium has a BPF egress gateway feature which forces outgoing K8s Pod
traffic to pass through dedicated egress gateways which then SNAT the
traffic in order to interact with stable IPs outside the cluster.
The traffic is directed to the gateway via vxlan tunnel in collect md
mode. A recent BPF change utilized the bpf_redirect_neigh() helper to
forward packets after the arrival and decap on vxlan, which turned out
over time that the kmalloc-256 slab usage in kernel was ever-increasing.
The issue was that vxlan allocates the metadata_dst object and attaches
it through a fake dst entry to the skb. The latter was never released
though given bpf_redirect_neigh() was merely setting the new dst entry
via skb_dst_set() without dropping an existing one first.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: b4ab31414970a7a03a5d55d75083f2c101a30592 Version: b4ab31414970a7a03a5d55d75083f2c101a30592 Version: b4ab31414970a7a03a5d55d75083f2c101a30592 Version: b4ab31414970a7a03a5d55d75083f2c101a30592 Version: b4ab31414970a7a03a5d55d75083f2c101a30592 Version: b4ab31414970a7a03a5d55d75083f2c101a30592 Version: b4ab31414970a7a03a5d55d75083f2c101a30592 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/filter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3fba965a9aac0fa3cbd8138436a37af9ab466d79",
"status": "affected",
"version": "b4ab31414970a7a03a5d55d75083f2c101a30592",
"versionType": "git"
},
{
"lessThan": "057764172fcc6ee2ccb6c41351a55a9f054dc8fd",
"status": "affected",
"version": "b4ab31414970a7a03a5d55d75083f2c101a30592",
"versionType": "git"
},
{
"lessThan": "2e67c2037382abb56497bb9d7b7e10be04eb5598",
"status": "affected",
"version": "b4ab31414970a7a03a5d55d75083f2c101a30592",
"versionType": "git"
},
{
"lessThan": "b6bfe44b6dbb14a31d86c475cdc9c7689534fb09",
"status": "affected",
"version": "b4ab31414970a7a03a5d55d75083f2c101a30592",
"versionType": "git"
},
{
"lessThan": "f36a305d30f557306d87c787ddffe094ac5dac89",
"status": "affected",
"version": "b4ab31414970a7a03a5d55d75083f2c101a30592",
"versionType": "git"
},
{
"lessThan": "7404ce888a45eb7da0508b7cbbe6f2e95302eeb8",
"status": "affected",
"version": "b4ab31414970a7a03a5d55d75083f2c101a30592",
"versionType": "git"
},
{
"lessThan": "23f3770e1a53e6c7a553135011f547209e141e72",
"status": "affected",
"version": "b4ab31414970a7a03a5d55d75083f2c101a30592",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/filter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6}\n\nCilium has a BPF egress gateway feature which forces outgoing K8s Pod\ntraffic to pass through dedicated egress gateways which then SNAT the\ntraffic in order to interact with stable IPs outside the cluster.\n\nThe traffic is directed to the gateway via vxlan tunnel in collect md\nmode. A recent BPF change utilized the bpf_redirect_neigh() helper to\nforward packets after the arrival and decap on vxlan, which turned out\nover time that the kmalloc-256 slab usage in kernel was ever-increasing.\n\nThe issue was that vxlan allocates the metadata_dst object and attaches\nit through a fake dst entry to the skb. The latter was never released\nthough given bpf_redirect_neigh() was merely setting the new dst entry\nvia skb_dst_set() without dropping an existing one first."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:19:40.805Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3fba965a9aac0fa3cbd8138436a37af9ab466d79"
},
{
"url": "https://git.kernel.org/stable/c/057764172fcc6ee2ccb6c41351a55a9f054dc8fd"
},
{
"url": "https://git.kernel.org/stable/c/2e67c2037382abb56497bb9d7b7e10be04eb5598"
},
{
"url": "https://git.kernel.org/stable/c/b6bfe44b6dbb14a31d86c475cdc9c7689534fb09"
},
{
"url": "https://git.kernel.org/stable/c/f36a305d30f557306d87c787ddffe094ac5dac89"
},
{
"url": "https://git.kernel.org/stable/c/7404ce888a45eb7da0508b7cbbe6f2e95302eeb8"
},
{
"url": "https://git.kernel.org/stable/c/23f3770e1a53e6c7a553135011f547209e141e72"
}
],
"title": "bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6}",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40183",
"datePublished": "2025-11-12T21:56:27.429Z",
"dateReserved": "2025-04-16T07:20:57.177Z",
"dateUpdated": "2025-12-01T06:19:40.805Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71067 (GCVE-0-2025-71067)
Vulnerability from cvelistv5
Published
2026-01-13 15:31
Modified
2026-03-25 10:20
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ntfs: set dummy blocksize to read boot_block when mounting
When mounting, sb->s_blocksize is used to read the boot_block without
being defined or validated. Set a dummy blocksize before attempting to
read the boot_block.
The issue can be triggered with the following syz reproducer:
mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./file1\x00', 0x0)
r4 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040), 0x121403, 0x0)
ioctl$FS_IOC_SETFLAGS(r4, 0x40081271, &(0x7f0000000980)=0x4000)
mount(&(0x7f0000000140)=@nullb, &(0x7f0000000040)='./cgroup\x00',
&(0x7f0000000000)='ntfs3\x00', 0x2208004, 0x0)
syz_clone(0x88200200, 0x0, 0x0, 0x0, 0x0, 0x0)
Here, the ioctl sets the bdev block size to 16384. During mount,
get_tree_bdev_flags() calls sb_set_blocksize(sb, block_size(bdev)),
but since block_size(bdev) > PAGE_SIZE, sb_set_blocksize() leaves
sb->s_blocksize at zero.
Later, ntfs_init_from_boot() attempts to read the boot_block while
sb->s_blocksize is still zero, which triggers the bug.
[almaz.alexandrovich@paragon-software.com: changed comment style, added
return value handling]
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0c9327c8abf9c8f046e45008bb43d94d8ee5c6c5",
"status": "affected",
"version": "28861e3bbd9e7ac4cd9c811aad71b4d116e27930",
"versionType": "git"
},
{
"lessThan": "44a38eb4f7876513db5a1bccde74de9bc4389d43",
"status": "affected",
"version": "28861e3bbd9e7ac4cd9c811aad71b4d116e27930",
"versionType": "git"
},
{
"lessThan": "4fff9a625da958a33191c8553a03283786f9f417",
"status": "affected",
"version": "28861e3bbd9e7ac4cd9c811aad71b4d116e27930",
"versionType": "git"
},
{
"lessThan": "b3c151fe8f543f1a0b8b5df16ce5d97afa5ec85a",
"status": "affected",
"version": "28861e3bbd9e7ac4cd9c811aad71b4d116e27930",
"versionType": "git"
},
{
"lessThan": "d1693a7d5a38acf6424235a6070bcf5b186a360d",
"status": "affected",
"version": "28861e3bbd9e7ac4cd9c811aad71b4d116e27930",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nntfs: set dummy blocksize to read boot_block when mounting\n\nWhen mounting, sb-\u003es_blocksize is used to read the boot_block without\nbeing defined or validated. Set a dummy blocksize before attempting to\nread the boot_block.\n\nThe issue can be triggered with the following syz reproducer:\n\n mkdirat(0xffffffffffffff9c, \u0026(0x7f0000000080)=\u0027./file1\\x00\u0027, 0x0)\n r4 = openat$nullb(0xffffffffffffff9c, \u0026(0x7f0000000040), 0x121403, 0x0)\n ioctl$FS_IOC_SETFLAGS(r4, 0x40081271, \u0026(0x7f0000000980)=0x4000)\n mount(\u0026(0x7f0000000140)=@nullb, \u0026(0x7f0000000040)=\u0027./cgroup\\x00\u0027,\n \u0026(0x7f0000000000)=\u0027ntfs3\\x00\u0027, 0x2208004, 0x0)\n syz_clone(0x88200200, 0x0, 0x0, 0x0, 0x0, 0x0)\n\nHere, the ioctl sets the bdev block size to 16384. During mount,\nget_tree_bdev_flags() calls sb_set_blocksize(sb, block_size(bdev)),\nbut since block_size(bdev) \u003e PAGE_SIZE, sb_set_blocksize() leaves\nsb-\u003es_blocksize at zero.\n\nLater, ntfs_init_from_boot() attempts to read the boot_block while\nsb-\u003es_blocksize is still zero, which triggers the bug.\n\n[almaz.alexandrovich@paragon-software.com: changed comment style, added\nreturn value handling]"
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T10:20:00.361Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0c9327c8abf9c8f046e45008bb43d94d8ee5c6c5"
},
{
"url": "https://git.kernel.org/stable/c/44a38eb4f7876513db5a1bccde74de9bc4389d43"
},
{
"url": "https://git.kernel.org/stable/c/4fff9a625da958a33191c8553a03283786f9f417"
},
{
"url": "https://git.kernel.org/stable/c/b3c151fe8f543f1a0b8b5df16ce5d97afa5ec85a"
},
{
"url": "https://git.kernel.org/stable/c/d1693a7d5a38acf6424235a6070bcf5b186a360d"
}
],
"title": "ntfs: set dummy blocksize to read boot_block when mounting",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71067",
"datePublished": "2026-01-13T15:31:22.585Z",
"dateReserved": "2026-01-13T15:30:19.647Z",
"dateUpdated": "2026-03-25T10:20:00.361Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68220 (GCVE-0-2025-68220)
Vulnerability from cvelistv5
Published
2025-12-16 13:57
Modified
2026-01-02 15:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: ethernet: ti: netcp: Standardize knav_dma_open_channel to return NULL on error
Make knav_dma_open_channel consistently return NULL on error instead
of ERR_PTR. Currently the header include/linux/soc/ti/knav_dma.h
returns NULL when the driver is disabled, but the driver
implementation does not even return NULL or ERR_PTR on failure,
causing inconsistency in the users. This results in a crash in
netcp_free_navigator_resources as followed (trimmed):
Unhandled fault: alignment exception (0x221) at 0xfffffff2
[fffffff2] *pgd=80000800207003, *pmd=82ffda003, *pte=00000000
Internal error: : 221 [#1] SMP ARM
Modules linked in:
CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.17.0-rc7 #1 NONE
Hardware name: Keystone
PC is at knav_dma_close_channel+0x30/0x19c
LR is at netcp_free_navigator_resources+0x2c/0x28c
[... TRIM...]
Call trace:
knav_dma_close_channel from netcp_free_navigator_resources+0x2c/0x28c
netcp_free_navigator_resources from netcp_ndo_open+0x430/0x46c
netcp_ndo_open from __dev_open+0x114/0x29c
__dev_open from __dev_change_flags+0x190/0x208
__dev_change_flags from netif_change_flags+0x1c/0x58
netif_change_flags from dev_change_flags+0x38/0xa0
dev_change_flags from ip_auto_config+0x2c4/0x11f0
ip_auto_config from do_one_initcall+0x58/0x200
do_one_initcall from kernel_init_freeable+0x1cc/0x238
kernel_init_freeable from kernel_init+0x1c/0x12c
kernel_init from ret_from_fork+0x14/0x38
[... TRIM...]
Standardize the error handling by making the function return NULL on
all error conditions. The API is used in just the netcp_core.c so the
impact is limited.
Note, this change, in effect reverts commit 5b6cb43b4d62 ("net:
ethernet: ti: netcp_core: return error while dma channel open issue"),
but provides a less error prone implementation.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 88139ed030583557751e279968e13e892ae10825 Version: 88139ed030583557751e279968e13e892ae10825 Version: 88139ed030583557751e279968e13e892ae10825 Version: 88139ed030583557751e279968e13e892ae10825 Version: 88139ed030583557751e279968e13e892ae10825 Version: 88139ed030583557751e279968e13e892ae10825 Version: 88139ed030583557751e279968e13e892ae10825 Version: 88139ed030583557751e279968e13e892ae10825 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/ti/netcp_core.c",
"drivers/soc/ti/knav_dma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "af6b10a13fc0aee37df4a8292414cc055c263fa3",
"status": "affected",
"version": "88139ed030583557751e279968e13e892ae10825",
"versionType": "git"
},
{
"lessThan": "8427218ecbd7f8559c37972e66cb0fa06e82353b",
"status": "affected",
"version": "88139ed030583557751e279968e13e892ae10825",
"versionType": "git"
},
{
"lessThan": "3afeb909c3e2e0eb19b1e20506196e5f2d9c2259",
"status": "affected",
"version": "88139ed030583557751e279968e13e892ae10825",
"versionType": "git"
},
{
"lessThan": "2572c358ee434ce4b994472cceeb4043cbff5bc5",
"status": "affected",
"version": "88139ed030583557751e279968e13e892ae10825",
"versionType": "git"
},
{
"lessThan": "952637c5b9be64539cd0e13ef88db71a1df46373",
"status": "affected",
"version": "88139ed030583557751e279968e13e892ae10825",
"versionType": "git"
},
{
"lessThan": "fbb53727ca789a8d27052aab4b77ca9e2a0fae2b",
"status": "affected",
"version": "88139ed030583557751e279968e13e892ae10825",
"versionType": "git"
},
{
"lessThan": "f9608637ecc165d7d6341df105aee44691461fb9",
"status": "affected",
"version": "88139ed030583557751e279968e13e892ae10825",
"versionType": "git"
},
{
"lessThan": "90a88306eb874fe4bbdd860e6c9787f5bbc588b5",
"status": "affected",
"version": "88139ed030583557751e279968e13e892ae10825",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/ti/netcp_core.c",
"drivers/soc/ti/knav_dma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.18"
},
{
"lessThan": "3.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: ti: netcp: Standardize knav_dma_open_channel to return NULL on error\n\nMake knav_dma_open_channel consistently return NULL on error instead\nof ERR_PTR. Currently the header include/linux/soc/ti/knav_dma.h\nreturns NULL when the driver is disabled, but the driver\nimplementation does not even return NULL or ERR_PTR on failure,\ncausing inconsistency in the users. This results in a crash in\nnetcp_free_navigator_resources as followed (trimmed):\n\nUnhandled fault: alignment exception (0x221) at 0xfffffff2\n[fffffff2] *pgd=80000800207003, *pmd=82ffda003, *pte=00000000\nInternal error: : 221 [#1] SMP ARM\nModules linked in:\nCPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.17.0-rc7 #1 NONE\nHardware name: Keystone\nPC is at knav_dma_close_channel+0x30/0x19c\nLR is at netcp_free_navigator_resources+0x2c/0x28c\n\n[... TRIM...]\n\nCall trace:\n knav_dma_close_channel from netcp_free_navigator_resources+0x2c/0x28c\n netcp_free_navigator_resources from netcp_ndo_open+0x430/0x46c\n netcp_ndo_open from __dev_open+0x114/0x29c\n __dev_open from __dev_change_flags+0x190/0x208\n __dev_change_flags from netif_change_flags+0x1c/0x58\n netif_change_flags from dev_change_flags+0x38/0xa0\n dev_change_flags from ip_auto_config+0x2c4/0x11f0\n ip_auto_config from do_one_initcall+0x58/0x200\n do_one_initcall from kernel_init_freeable+0x1cc/0x238\n kernel_init_freeable from kernel_init+0x1c/0x12c\n kernel_init from ret_from_fork+0x14/0x38\n[... TRIM...]\n\nStandardize the error handling by making the function return NULL on\nall error conditions. The API is used in just the netcp_core.c so the\nimpact is limited.\n\nNote, this change, in effect reverts commit 5b6cb43b4d62 (\"net:\nethernet: ti: netcp_core: return error while dma channel open issue\"),\nbut provides a less error prone implementation."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:34:25.945Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/af6b10a13fc0aee37df4a8292414cc055c263fa3"
},
{
"url": "https://git.kernel.org/stable/c/8427218ecbd7f8559c37972e66cb0fa06e82353b"
},
{
"url": "https://git.kernel.org/stable/c/3afeb909c3e2e0eb19b1e20506196e5f2d9c2259"
},
{
"url": "https://git.kernel.org/stable/c/2572c358ee434ce4b994472cceeb4043cbff5bc5"
},
{
"url": "https://git.kernel.org/stable/c/952637c5b9be64539cd0e13ef88db71a1df46373"
},
{
"url": "https://git.kernel.org/stable/c/fbb53727ca789a8d27052aab4b77ca9e2a0fae2b"
},
{
"url": "https://git.kernel.org/stable/c/f9608637ecc165d7d6341df105aee44691461fb9"
},
{
"url": "https://git.kernel.org/stable/c/90a88306eb874fe4bbdd860e6c9787f5bbc588b5"
}
],
"title": "net: ethernet: ti: netcp: Standardize knav_dma_open_channel to return NULL on error",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68220",
"datePublished": "2025-12-16T13:57:14.142Z",
"dateReserved": "2025-12-16T13:41:40.257Z",
"dateUpdated": "2026-01-02T15:34:25.945Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68365 (GCVE-0-2025-68365)
Vulnerability from cvelistv5
Published
2025-12-24 10:32
Modified
2026-02-09 08:32
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs/ntfs3: Initialize allocated memory before use
KMSAN reports: Multiple uninitialized values detected:
- KMSAN: uninit-value in ntfs_read_hdr (3)
- KMSAN: uninit-value in bcmp (3)
Memory is allocated by __getname(), which is a wrapper for
kmem_cache_alloc(). This memory is used before being properly
cleared. Change kmem_cache_alloc() to kmem_cache_zalloc() to
properly allocate and clear memory before use.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 82cae269cfa953032fbb8980a7d554d60fb00b17 Version: 82cae269cfa953032fbb8980a7d554d60fb00b17 Version: 82cae269cfa953032fbb8980a7d554d60fb00b17 Version: 82cae269cfa953032fbb8980a7d554d60fb00b17 Version: 82cae269cfa953032fbb8980a7d554d60fb00b17 Version: 82cae269cfa953032fbb8980a7d554d60fb00b17 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bdf38063fd15f2fc7361dc0b5d3c259741eab835",
"status": "affected",
"version": "82cae269cfa953032fbb8980a7d554d60fb00b17",
"versionType": "git"
},
{
"lessThan": "a58e29849aef8d26554a982989a2190b49aaf8ed",
"status": "affected",
"version": "82cae269cfa953032fbb8980a7d554d60fb00b17",
"versionType": "git"
},
{
"lessThan": "7d52c592cf53f5bb7163967edc01d2d7d80de44a",
"status": "affected",
"version": "82cae269cfa953032fbb8980a7d554d60fb00b17",
"versionType": "git"
},
{
"lessThan": "f7728057220cabd720e27e46097edad48e5bd728",
"status": "affected",
"version": "82cae269cfa953032fbb8980a7d554d60fb00b17",
"versionType": "git"
},
{
"lessThan": "192e8ce302f14ac66259231dd10cede19858d742",
"status": "affected",
"version": "82cae269cfa953032fbb8980a7d554d60fb00b17",
"versionType": "git"
},
{
"lessThan": "a8a3ca23bbd9d849308a7921a049330dc6c91398",
"status": "affected",
"version": "82cae269cfa953032fbb8980a7d554d60fb00b17",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Initialize allocated memory before use\n\nKMSAN reports: Multiple uninitialized values detected:\n\n- KMSAN: uninit-value in ntfs_read_hdr (3)\n- KMSAN: uninit-value in bcmp (3)\n\nMemory is allocated by __getname(), which is a wrapper for\nkmem_cache_alloc(). This memory is used before being properly\ncleared. Change kmem_cache_alloc() to kmem_cache_zalloc() to\nproperly allocate and clear memory before use."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:32:01.417Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bdf38063fd15f2fc7361dc0b5d3c259741eab835"
},
{
"url": "https://git.kernel.org/stable/c/a58e29849aef8d26554a982989a2190b49aaf8ed"
},
{
"url": "https://git.kernel.org/stable/c/7d52c592cf53f5bb7163967edc01d2d7d80de44a"
},
{
"url": "https://git.kernel.org/stable/c/f7728057220cabd720e27e46097edad48e5bd728"
},
{
"url": "https://git.kernel.org/stable/c/192e8ce302f14ac66259231dd10cede19858d742"
},
{
"url": "https://git.kernel.org/stable/c/a8a3ca23bbd9d849308a7921a049330dc6c91398"
}
],
"title": "fs/ntfs3: Initialize allocated memory before use",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68365",
"datePublished": "2025-12-24T10:32:52.728Z",
"dateReserved": "2025-12-16T14:48:05.308Z",
"dateUpdated": "2026-02-09T08:32:01.417Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68772 (GCVE-0-2025-68772)
Vulnerability from cvelistv5
Published
2026-01-13 15:28
Modified
2026-02-09 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix to avoid updating compression context during writeback
Bai, Shuangpeng <sjb7183@psu.edu> reported a bug as below:
Oops: divide error: 0000 [#1] SMP KASAN PTI
CPU: 0 UID: 0 PID: 11441 Comm: syz.0.46 Not tainted 6.17.0 #1 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:f2fs_all_cluster_page_ready+0x106/0x550 fs/f2fs/compress.c:857
Call Trace:
<TASK>
f2fs_write_cache_pages fs/f2fs/data.c:3078 [inline]
__f2fs_write_data_pages fs/f2fs/data.c:3290 [inline]
f2fs_write_data_pages+0x1c19/0x3600 fs/f2fs/data.c:3317
do_writepages+0x38e/0x640 mm/page-writeback.c:2634
filemap_fdatawrite_wbc mm/filemap.c:386 [inline]
__filemap_fdatawrite_range mm/filemap.c:419 [inline]
file_write_and_wait_range+0x2ba/0x3e0 mm/filemap.c:794
f2fs_do_sync_file+0x6e6/0x1b00 fs/f2fs/file.c:294
generic_write_sync include/linux/fs.h:3043 [inline]
f2fs_file_write_iter+0x76e/0x2700 fs/f2fs/file.c:5259
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0x7e9/0xe00 fs/read_write.c:686
ksys_write+0x19d/0x2d0 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xf7/0x470 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The bug was triggered w/ below race condition:
fsync setattr ioctl
- f2fs_do_sync_file
- file_write_and_wait_range
- f2fs_write_cache_pages
: inode is non-compressed
: cc.cluster_size =
F2FS_I(inode)->i_cluster_size = 0
- tag_pages_for_writeback
- f2fs_setattr
- truncate_setsize
- f2fs_truncate
- f2fs_fileattr_set
- f2fs_setflags_common
- set_compress_context
: F2FS_I(inode)->i_cluster_size = 4
: set_inode_flag(inode, FI_COMPRESSED_FILE)
- f2fs_compressed_file
: return true
- f2fs_all_cluster_page_ready
: "pgidx % cc->cluster_size" trigger dividing 0 issue
Let's change as below to fix this issue:
- introduce a new atomic type variable .writeback in structure f2fs_inode_info
to track the number of threads which calling f2fs_write_cache_pages().
- use .i_sem lock to protect .writeback update.
- check .writeback before update compression context in f2fs_setflags_common()
to avoid race w/ ->writepages.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/f2fs/data.c",
"fs/f2fs/f2fs.h",
"fs/f2fs/file.c",
"fs/f2fs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ad26bfbc085c939b5dca77ff8c14798c06d151c4",
"status": "affected",
"version": "4c8ff7095bef64fc47e996a938f7d57f9e077da3",
"versionType": "git"
},
{
"lessThan": "bcd0086ee5a2e88c1224ff2ec1e4a43c83efe5a0",
"status": "affected",
"version": "4c8ff7095bef64fc47e996a938f7d57f9e077da3",
"versionType": "git"
},
{
"lessThan": "0bf1a02494c7eb5bd43445de4c83c8592e02c4bf",
"status": "affected",
"version": "4c8ff7095bef64fc47e996a938f7d57f9e077da3",
"versionType": "git"
},
{
"lessThan": "0df713a9c082a474c8b0bcf670edc8e98461d5a0",
"status": "affected",
"version": "4c8ff7095bef64fc47e996a938f7d57f9e077da3",
"versionType": "git"
},
{
"lessThan": "10b591e7fb7cdc8c1e53e9c000dc0ef7069aaa76",
"status": "affected",
"version": "4c8ff7095bef64fc47e996a938f7d57f9e077da3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/f2fs/data.c",
"fs/f2fs/f2fs.h",
"fs/f2fs/file.c",
"fs/f2fs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid updating compression context during writeback\n\nBai, Shuangpeng \u003csjb7183@psu.edu\u003e reported a bug as below:\n\nOops: divide error: 0000 [#1] SMP KASAN PTI\nCPU: 0 UID: 0 PID: 11441 Comm: syz.0.46 Not tainted 6.17.0 #1 PREEMPT(full)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nRIP: 0010:f2fs_all_cluster_page_ready+0x106/0x550 fs/f2fs/compress.c:857\nCall Trace:\n \u003cTASK\u003e\n f2fs_write_cache_pages fs/f2fs/data.c:3078 [inline]\n __f2fs_write_data_pages fs/f2fs/data.c:3290 [inline]\n f2fs_write_data_pages+0x1c19/0x3600 fs/f2fs/data.c:3317\n do_writepages+0x38e/0x640 mm/page-writeback.c:2634\n filemap_fdatawrite_wbc mm/filemap.c:386 [inline]\n __filemap_fdatawrite_range mm/filemap.c:419 [inline]\n file_write_and_wait_range+0x2ba/0x3e0 mm/filemap.c:794\n f2fs_do_sync_file+0x6e6/0x1b00 fs/f2fs/file.c:294\n generic_write_sync include/linux/fs.h:3043 [inline]\n f2fs_file_write_iter+0x76e/0x2700 fs/f2fs/file.c:5259\n new_sync_write fs/read_write.c:593 [inline]\n vfs_write+0x7e9/0xe00 fs/read_write.c:686\n ksys_write+0x19d/0x2d0 fs/read_write.c:738\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xf7/0x470 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nThe bug was triggered w/ below race condition:\n\nfsync\t\t\t\tsetattr\t\t\tioctl\n- f2fs_do_sync_file\n - file_write_and_wait_range\n - f2fs_write_cache_pages\n : inode is non-compressed\n : cc.cluster_size =\n F2FS_I(inode)-\u003ei_cluster_size = 0\n - tag_pages_for_writeback\n\t\t\t\t- f2fs_setattr\n\t\t\t\t - truncate_setsize\n\t\t\t\t - f2fs_truncate\n\t\t\t\t\t\t\t- f2fs_fileattr_set\n\t\t\t\t\t\t\t - f2fs_setflags_common\n\t\t\t\t\t\t\t - set_compress_context\n\t\t\t\t\t\t\t : F2FS_I(inode)-\u003ei_cluster_size = 4\n\t\t\t\t\t\t\t : set_inode_flag(inode, FI_COMPRESSED_FILE)\n - f2fs_compressed_file\n : return true\n - f2fs_all_cluster_page_ready\n : \"pgidx % cc-\u003ecluster_size\" trigger dividing 0 issue\n\nLet\u0027s change as below to fix this issue:\n- introduce a new atomic type variable .writeback in structure f2fs_inode_info\nto track the number of threads which calling f2fs_write_cache_pages().\n- use .i_sem lock to protect .writeback update.\n- check .writeback before update compression context in f2fs_setflags_common()\nto avoid race w/ -\u003ewritepages."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:17.490Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ad26bfbc085c939b5dca77ff8c14798c06d151c4"
},
{
"url": "https://git.kernel.org/stable/c/bcd0086ee5a2e88c1224ff2ec1e4a43c83efe5a0"
},
{
"url": "https://git.kernel.org/stable/c/0bf1a02494c7eb5bd43445de4c83c8592e02c4bf"
},
{
"url": "https://git.kernel.org/stable/c/0df713a9c082a474c8b0bcf670edc8e98461d5a0"
},
{
"url": "https://git.kernel.org/stable/c/10b591e7fb7cdc8c1e53e9c000dc0ef7069aaa76"
}
],
"title": "f2fs: fix to avoid updating compression context during writeback",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68772",
"datePublished": "2026-01-13T15:28:49.924Z",
"dateReserved": "2025-12-24T10:30:51.035Z",
"dateUpdated": "2026-02-09T08:33:17.490Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39949 (GCVE-0-2025-39949)
Vulnerability from cvelistv5
Published
2025-10-04 07:31
Modified
2025-10-04 07:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
qed: Don't collect too many protection override GRC elements
In the protection override dump path, the firmware can return far too
many GRC elements, resulting in attempting to write past the end of the
previously-kmalloc'ed dump buffer.
This will result in a kernel panic with reason:
BUG: unable to handle kernel paging request at ADDRESS
where "ADDRESS" is just past the end of the protection override dump
buffer. The start address of the buffer is:
p_hwfn->cdev->dbg_features[DBG_FEATURE_PROTECTION_OVERRIDE].dump_buf
and the size of the buffer is buf_size in the same data structure.
The panic can be arrived at from either the qede Ethernet driver path:
[exception RIP: qed_grc_dump_addr_range+0x108]
qed_protection_override_dump at ffffffffc02662ed [qed]
qed_dbg_protection_override_dump at ffffffffc0267792 [qed]
qed_dbg_feature at ffffffffc026aa8f [qed]
qed_dbg_all_data at ffffffffc026b211 [qed]
qed_fw_fatal_reporter_dump at ffffffffc027298a [qed]
devlink_health_do_dump at ffffffff82497f61
devlink_health_report at ffffffff8249cf29
qed_report_fatal_error at ffffffffc0272baf [qed]
qede_sp_task at ffffffffc045ed32 [qede]
process_one_work at ffffffff81d19783
or the qedf storage driver path:
[exception RIP: qed_grc_dump_addr_range+0x108]
qed_protection_override_dump at ffffffffc068b2ed [qed]
qed_dbg_protection_override_dump at ffffffffc068c792 [qed]
qed_dbg_feature at ffffffffc068fa8f [qed]
qed_dbg_all_data at ffffffffc0690211 [qed]
qed_fw_fatal_reporter_dump at ffffffffc069798a [qed]
devlink_health_do_dump at ffffffff8aa95e51
devlink_health_report at ffffffff8aa9ae19
qed_report_fatal_error at ffffffffc0697baf [qed]
qed_hw_err_notify at ffffffffc06d32d7 [qed]
qed_spq_post at ffffffffc06b1011 [qed]
qed_fcoe_destroy_conn at ffffffffc06b2e91 [qed]
qedf_cleanup_fcport at ffffffffc05e7597 [qedf]
qedf_rport_event_handler at ffffffffc05e7bf7 [qedf]
fc_rport_work at ffffffffc02da715 [libfc]
process_one_work at ffffffff8a319663
Resolve this by clamping the firmware's return value to the maximum
number of legal elements the firmware should return.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: d52c89f120de849575f6b2e5948038f2be12ce6f Version: d52c89f120de849575f6b2e5948038f2be12ce6f Version: d52c89f120de849575f6b2e5948038f2be12ce6f Version: d52c89f120de849575f6b2e5948038f2be12ce6f Version: d52c89f120de849575f6b2e5948038f2be12ce6f Version: d52c89f120de849575f6b2e5948038f2be12ce6f Version: d52c89f120de849575f6b2e5948038f2be12ce6f |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/qlogic/qed/qed_debug.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "25672c620421fa2105703a94a29a03487245e6d6",
"status": "affected",
"version": "d52c89f120de849575f6b2e5948038f2be12ce6f",
"versionType": "git"
},
{
"lessThan": "e0e24571a7b2f8c8f06e25d3417253ebbdbc8d5c",
"status": "affected",
"version": "d52c89f120de849575f6b2e5948038f2be12ce6f",
"versionType": "git"
},
{
"lessThan": "8141910869596b7a3a5d9b46107da2191d523f82",
"status": "affected",
"version": "d52c89f120de849575f6b2e5948038f2be12ce6f",
"versionType": "git"
},
{
"lessThan": "ea53e6a47e148b490b1c652fc65d2de5a086df76",
"status": "affected",
"version": "d52c89f120de849575f6b2e5948038f2be12ce6f",
"versionType": "git"
},
{
"lessThan": "660b2a8f5a306a28c7efc1b4990ecc4912a68f87",
"status": "affected",
"version": "d52c89f120de849575f6b2e5948038f2be12ce6f",
"versionType": "git"
},
{
"lessThan": "70affe82e38fd3dc76b9c68b5a1989f11e7fa0f3",
"status": "affected",
"version": "d52c89f120de849575f6b2e5948038f2be12ce6f",
"versionType": "git"
},
{
"lessThan": "56c0a2a9ddc2f5b5078c5fb0f81ab76bbc3d4c37",
"status": "affected",
"version": "d52c89f120de849575f6b2e5948038f2be12ce6f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/qlogic/qed/qed_debug.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"lessThan": "4.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.154",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.108",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.154",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.108",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.49",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.9",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nqed: Don\u0027t collect too many protection override GRC elements\n\nIn the protection override dump path, the firmware can return far too\nmany GRC elements, resulting in attempting to write past the end of the\npreviously-kmalloc\u0027ed dump buffer.\n\nThis will result in a kernel panic with reason:\n\n BUG: unable to handle kernel paging request at ADDRESS\n\nwhere \"ADDRESS\" is just past the end of the protection override dump\nbuffer. The start address of the buffer is:\n p_hwfn-\u003ecdev-\u003edbg_features[DBG_FEATURE_PROTECTION_OVERRIDE].dump_buf\nand the size of the buffer is buf_size in the same data structure.\n\nThe panic can be arrived at from either the qede Ethernet driver path:\n\n [exception RIP: qed_grc_dump_addr_range+0x108]\n qed_protection_override_dump at ffffffffc02662ed [qed]\n qed_dbg_protection_override_dump at ffffffffc0267792 [qed]\n qed_dbg_feature at ffffffffc026aa8f [qed]\n qed_dbg_all_data at ffffffffc026b211 [qed]\n qed_fw_fatal_reporter_dump at ffffffffc027298a [qed]\n devlink_health_do_dump at ffffffff82497f61\n devlink_health_report at ffffffff8249cf29\n qed_report_fatal_error at ffffffffc0272baf [qed]\n qede_sp_task at ffffffffc045ed32 [qede]\n process_one_work at ffffffff81d19783\n\nor the qedf storage driver path:\n\n [exception RIP: qed_grc_dump_addr_range+0x108]\n qed_protection_override_dump at ffffffffc068b2ed [qed]\n qed_dbg_protection_override_dump at ffffffffc068c792 [qed]\n qed_dbg_feature at ffffffffc068fa8f [qed]\n qed_dbg_all_data at ffffffffc0690211 [qed]\n qed_fw_fatal_reporter_dump at ffffffffc069798a [qed]\n devlink_health_do_dump at ffffffff8aa95e51\n devlink_health_report at ffffffff8aa9ae19\n qed_report_fatal_error at ffffffffc0697baf [qed]\n qed_hw_err_notify at ffffffffc06d32d7 [qed]\n qed_spq_post at ffffffffc06b1011 [qed]\n qed_fcoe_destroy_conn at ffffffffc06b2e91 [qed]\n qedf_cleanup_fcport at ffffffffc05e7597 [qedf]\n qedf_rport_event_handler at ffffffffc05e7bf7 [qedf]\n fc_rport_work at ffffffffc02da715 [libfc]\n process_one_work at ffffffff8a319663\n\nResolve this by clamping the firmware\u0027s return value to the maximum\nnumber of legal elements the firmware should return."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T07:37:05.967Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/25672c620421fa2105703a94a29a03487245e6d6"
},
{
"url": "https://git.kernel.org/stable/c/e0e24571a7b2f8c8f06e25d3417253ebbdbc8d5c"
},
{
"url": "https://git.kernel.org/stable/c/8141910869596b7a3a5d9b46107da2191d523f82"
},
{
"url": "https://git.kernel.org/stable/c/ea53e6a47e148b490b1c652fc65d2de5a086df76"
},
{
"url": "https://git.kernel.org/stable/c/660b2a8f5a306a28c7efc1b4990ecc4912a68f87"
},
{
"url": "https://git.kernel.org/stable/c/70affe82e38fd3dc76b9c68b5a1989f11e7fa0f3"
},
{
"url": "https://git.kernel.org/stable/c/56c0a2a9ddc2f5b5078c5fb0f81ab76bbc3d4c37"
}
],
"title": "qed: Don\u0027t collect too many protection override GRC elements",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39949",
"datePublished": "2025-10-04T07:31:10.164Z",
"dateReserved": "2025-04-16T07:20:57.148Z",
"dateUpdated": "2025-10-04T07:37:05.967Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-68290 (GCVE-0-2025-68290)
Vulnerability from cvelistv5
Published
2025-12-16 15:06
Modified
2025-12-16 15:06
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
most: usb: fix double free on late probe failure
The MOST subsystem has a non-standard registration function which frees
the interface on registration failures and on deregistration.
This unsurprisingly leads to bugs in the MOST drivers, and a couple of
recent changes turned a reference underflow and use-after-free in the
USB driver into several double free and a use-after-free on late probe
failures.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 723de0f9171eeb49a3ae98cae82ebbbb992b3a7c Version: 723de0f9171eeb49a3ae98cae82ebbbb992b3a7c Version: 723de0f9171eeb49a3ae98cae82ebbbb992b3a7c Version: 723de0f9171eeb49a3ae98cae82ebbbb992b3a7c Version: 723de0f9171eeb49a3ae98cae82ebbbb992b3a7c Version: 723de0f9171eeb49a3ae98cae82ebbbb992b3a7c Version: 723de0f9171eeb49a3ae98cae82ebbbb992b3a7c |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/most/most_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "90e6ce2b1b19fb8b9d4afee69f40e4c6a4791154",
"status": "affected",
"version": "723de0f9171eeb49a3ae98cae82ebbbb992b3a7c",
"versionType": "git"
},
{
"lessThan": "a4c4118c2af284835b16431bbfe77e0130c06fef",
"status": "affected",
"version": "723de0f9171eeb49a3ae98cae82ebbbb992b3a7c",
"versionType": "git"
},
{
"lessThan": "0dece48660be16918ecf2dbdc7193e8be03e1693",
"status": "affected",
"version": "723de0f9171eeb49a3ae98cae82ebbbb992b3a7c",
"versionType": "git"
},
{
"lessThan": "993bfdc3842893c394de13c8200c338ebb979589",
"status": "affected",
"version": "723de0f9171eeb49a3ae98cae82ebbbb992b3a7c",
"versionType": "git"
},
{
"lessThan": "2274767dc02b756b25e3db1e31c0ed47c2a78442",
"status": "affected",
"version": "723de0f9171eeb49a3ae98cae82ebbbb992b3a7c",
"versionType": "git"
},
{
"lessThan": "8d8ffefe3d5d8b7b73efb866db61130107299c5c",
"status": "affected",
"version": "723de0f9171eeb49a3ae98cae82ebbbb992b3a7c",
"versionType": "git"
},
{
"lessThan": "baadf2a5c26e802a46573eaad331b427b49aaa36",
"status": "affected",
"version": "723de0f9171eeb49a3ae98cae82ebbbb992b3a7c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/most/most_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmost: usb: fix double free on late probe failure\n\nThe MOST subsystem has a non-standard registration function which frees\nthe interface on registration failures and on deregistration.\n\nThis unsurprisingly leads to bugs in the MOST drivers, and a couple of\nrecent changes turned a reference underflow and use-after-free in the\nUSB driver into several double free and a use-after-free on late probe\nfailures."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:06:11.202Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/90e6ce2b1b19fb8b9d4afee69f40e4c6a4791154"
},
{
"url": "https://git.kernel.org/stable/c/a4c4118c2af284835b16431bbfe77e0130c06fef"
},
{
"url": "https://git.kernel.org/stable/c/0dece48660be16918ecf2dbdc7193e8be03e1693"
},
{
"url": "https://git.kernel.org/stable/c/993bfdc3842893c394de13c8200c338ebb979589"
},
{
"url": "https://git.kernel.org/stable/c/2274767dc02b756b25e3db1e31c0ed47c2a78442"
},
{
"url": "https://git.kernel.org/stable/c/8d8ffefe3d5d8b7b73efb866db61130107299c5c"
},
{
"url": "https://git.kernel.org/stable/c/baadf2a5c26e802a46573eaad331b427b49aaa36"
}
],
"title": "most: usb: fix double free on late probe failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68290",
"datePublished": "2025-12-16T15:06:11.202Z",
"dateReserved": "2025-12-16T14:48:05.292Z",
"dateUpdated": "2025-12-16T15:06:11.202Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68291 (GCVE-0-2025-68291)
Vulnerability from cvelistv5
Published
2025-12-16 15:06
Modified
2026-01-11 16:29
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mptcp: Initialise rcv_mss before calling tcp_send_active_reset() in mptcp_do_fastclose().
syzbot reported divide-by-zero in __tcp_select_window() by
MPTCP socket. [0]
We had a similar issue for the bare TCP and fixed in commit
499350a5a6e7 ("tcp: initialize rcv_mss to TCP_MIN_MSS instead
of 0").
Let's apply the same fix to mptcp_do_fastclose().
[0]:
Oops: divide error: 0000 [#1] SMP KASAN PTI
CPU: 0 UID: 0 PID: 6068 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
RIP: 0010:__tcp_select_window+0x824/0x1320 net/ipv4/tcp_output.c:3336
Code: ff ff ff 44 89 f1 d3 e0 89 c1 f7 d1 41 01 cc 41 21 c4 e9 a9 00 00 00 e8 ca 49 01 f8 e9 9c 00 00 00 e8 c0 49 01 f8 44 89 e0 99 <f7> 7c 24 1c 41 29 d4 48 bb 00 00 00 00 00 fc ff df e9 80 00 00 00
RSP: 0018:ffffc90003017640 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff88807b469e40
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90003017730 R08: ffff888033268143 R09: 1ffff1100664d028
R10: dffffc0000000000 R11: ffffed100664d029 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS: 000055557faa0500(0000) GS:ffff888126135000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f64a1912ff8 CR3: 0000000072122000 CR4: 00000000003526f0
Call Trace:
<TASK>
tcp_select_window net/ipv4/tcp_output.c:281 [inline]
__tcp_transmit_skb+0xbc7/0x3aa0 net/ipv4/tcp_output.c:1568
tcp_transmit_skb net/ipv4/tcp_output.c:1649 [inline]
tcp_send_active_reset+0x2d1/0x5b0 net/ipv4/tcp_output.c:3836
mptcp_do_fastclose+0x27e/0x380 net/mptcp/protocol.c:2793
mptcp_disconnect+0x238/0x710 net/mptcp/protocol.c:3253
mptcp_sendmsg_fastopen+0x2f8/0x580 net/mptcp/protocol.c:1776
mptcp_sendmsg+0x1774/0x1980 net/mptcp/protocol.c:1855
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg+0xe5/0x270 net/socket.c:742
__sys_sendto+0x3bd/0x520 net/socket.c:2244
__do_sys_sendto net/socket.c:2251 [inline]
__se_sys_sendto net/socket.c:2247 [inline]
__x64_sys_sendto+0xde/0x100 net/socket.c:2247
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f66e998f749
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffff9acedb8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007f66e9be5fa0 RCX: 00007f66e998f749
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00007ffff9acee10 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 00007f66e9be5fa0 R14: 00007f66e9be5fa0 R15: 0000000000000006
</TASK>
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mptcp/protocol.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "46b8b58f93f1b383c3840fc6e8fab6c3bce9295f",
"status": "affected",
"version": "9ea05fabce31ff93a0adae8221c58bc6d7b832f3",
"versionType": "git"
},
{
"lessThan": "eee39f83246a81d970a9ecb7392b7ab74e660094",
"status": "affected",
"version": "3a13454fd098ed51e733958488f8ec62859a9ed8",
"versionType": "git"
},
{
"lessThan": "05f5e26d488cdc7abc2a826cf1071782d5a21203",
"status": "affected",
"version": "f6fb2cbc91a81178dea23d463503b4525a76825d",
"versionType": "git"
},
{
"lessThan": "88163f85d59b4164884df900ee171720fd26686b",
"status": "affected",
"version": "c4f7b0916b95fd2226e5ab98882482b08f52e1c0",
"versionType": "git"
},
{
"lessThan": "f07f4ea53e22429c84b20832fa098b5ecc0d4e35",
"status": "affected",
"version": "ae155060247be8dcae3802a95bd1bdf93ab3215d",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mptcp/protocol.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6.1.160",
"status": "affected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThan": "6.6.120",
"status": "affected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThan": "6.12.61",
"status": "affected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThan": "6.17.11",
"status": "affected",
"version": "6.17.10",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "6.1.159",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.6.119",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "6.12.60",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "6.17.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: Initialise rcv_mss before calling tcp_send_active_reset() in mptcp_do_fastclose().\n\nsyzbot reported divide-by-zero in __tcp_select_window() by\nMPTCP socket. [0]\n\nWe had a similar issue for the bare TCP and fixed in commit\n499350a5a6e7 (\"tcp: initialize rcv_mss to TCP_MIN_MSS instead\nof 0\").\n\nLet\u0027s apply the same fix to mptcp_do_fastclose().\n\n[0]:\nOops: divide error: 0000 [#1] SMP KASAN PTI\nCPU: 0 UID: 0 PID: 6068 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025\nRIP: 0010:__tcp_select_window+0x824/0x1320 net/ipv4/tcp_output.c:3336\nCode: ff ff ff 44 89 f1 d3 e0 89 c1 f7 d1 41 01 cc 41 21 c4 e9 a9 00 00 00 e8 ca 49 01 f8 e9 9c 00 00 00 e8 c0 49 01 f8 44 89 e0 99 \u003cf7\u003e 7c 24 1c 41 29 d4 48 bb 00 00 00 00 00 fc ff df e9 80 00 00 00\nRSP: 0018:ffffc90003017640 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff88807b469e40\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: ffffc90003017730 R08: ffff888033268143 R09: 1ffff1100664d028\nR10: dffffc0000000000 R11: ffffed100664d029 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\nFS: 000055557faa0500(0000) GS:ffff888126135000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f64a1912ff8 CR3: 0000000072122000 CR4: 00000000003526f0\nCall Trace:\n \u003cTASK\u003e\n tcp_select_window net/ipv4/tcp_output.c:281 [inline]\n __tcp_transmit_skb+0xbc7/0x3aa0 net/ipv4/tcp_output.c:1568\n tcp_transmit_skb net/ipv4/tcp_output.c:1649 [inline]\n tcp_send_active_reset+0x2d1/0x5b0 net/ipv4/tcp_output.c:3836\n mptcp_do_fastclose+0x27e/0x380 net/mptcp/protocol.c:2793\n mptcp_disconnect+0x238/0x710 net/mptcp/protocol.c:3253\n mptcp_sendmsg_fastopen+0x2f8/0x580 net/mptcp/protocol.c:1776\n mptcp_sendmsg+0x1774/0x1980 net/mptcp/protocol.c:1855\n sock_sendmsg_nosec net/socket.c:727 [inline]\n __sock_sendmsg+0xe5/0x270 net/socket.c:742\n __sys_sendto+0x3bd/0x520 net/socket.c:2244\n __do_sys_sendto net/socket.c:2251 [inline]\n __se_sys_sendto net/socket.c:2247 [inline]\n __x64_sys_sendto+0xde/0x100 net/socket.c:2247\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f66e998f749\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffff9acedb8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c\nRAX: ffffffffffffffda RBX: 00007f66e9be5fa0 RCX: 00007f66e998f749\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003\nRBP: 00007ffff9acee10 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001\nR13: 00007f66e9be5fa0 R14: 00007f66e9be5fa0 R15: 0000000000000006\n \u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-11T16:29:41.793Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/46b8b58f93f1b383c3840fc6e8fab6c3bce9295f"
},
{
"url": "https://git.kernel.org/stable/c/eee39f83246a81d970a9ecb7392b7ab74e660094"
},
{
"url": "https://git.kernel.org/stable/c/05f5e26d488cdc7abc2a826cf1071782d5a21203"
},
{
"url": "https://git.kernel.org/stable/c/88163f85d59b4164884df900ee171720fd26686b"
},
{
"url": "https://git.kernel.org/stable/c/f07f4ea53e22429c84b20832fa098b5ecc0d4e35"
}
],
"title": "mptcp: Initialise rcv_mss before calling tcp_send_active_reset() in mptcp_do_fastclose().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68291",
"datePublished": "2025-12-16T15:06:12.095Z",
"dateReserved": "2025-12-16T14:48:05.292Z",
"dateUpdated": "2026-01-11T16:29:41.793Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40149 (GCVE-0-2025-40149)
Vulnerability from cvelistv5
Published
2025-11-12 10:23
Modified
2026-02-06 16:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tls: Use __sk_dst_get() and dst_dev_rcu() in get_netdev_for_sock().
get_netdev_for_sock() is called during setsockopt(),
so not under RCU.
Using sk_dst_get(sk)->dev could trigger UAF.
Let's use __sk_dst_get() and dst_dev_rcu().
Note that the only ->ndo_sk_get_lower_dev() user is
bond_sk_get_lower_dev(), which uses RCU.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: e8f69799810c32dd40c6724d829eccc70baad07f Version: e8f69799810c32dd40c6724d829eccc70baad07f Version: e8f69799810c32dd40c6724d829eccc70baad07f Version: e8f69799810c32dd40c6724d829eccc70baad07f Version: e8f69799810c32dd40c6724d829eccc70baad07f Version: e8f69799810c32dd40c6724d829eccc70baad07f |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/tls/tls_device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2b1bef126bbb8d0da51491357559126d567c1dee",
"status": "affected",
"version": "e8f69799810c32dd40c6724d829eccc70baad07f",
"versionType": "git"
},
{
"lessThan": "e37ca0092ddace60833790b4ad7a390408fb1be9",
"status": "affected",
"version": "e8f69799810c32dd40c6724d829eccc70baad07f",
"versionType": "git"
},
{
"lessThan": "13159c7125636371543a82cb7bbae00ab36730cc",
"status": "affected",
"version": "e8f69799810c32dd40c6724d829eccc70baad07f",
"versionType": "git"
},
{
"lessThan": "f09cd209359a23f88d4f3fa3d2379d057027e53c",
"status": "affected",
"version": "e8f69799810c32dd40c6724d829eccc70baad07f",
"versionType": "git"
},
{
"lessThan": "feb474ddbf26b51f462ae2e60a12013bdcfc5407",
"status": "affected",
"version": "e8f69799810c32dd40c6724d829eccc70baad07f",
"versionType": "git"
},
{
"lessThan": "c65f27b9c3be2269918e1cbad6d8884741f835c5",
"status": "affected",
"version": "e8f69799810c32dd40c6724d829eccc70baad07f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/tls/tls_device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"lessThan": "4.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: Use __sk_dst_get() and dst_dev_rcu() in get_netdev_for_sock().\n\nget_netdev_for_sock() is called during setsockopt(),\nso not under RCU.\n\nUsing sk_dst_get(sk)-\u003edev could trigger UAF.\n\nLet\u0027s use __sk_dst_get() and dst_dev_rcu().\n\nNote that the only -\u003endo_sk_get_lower_dev() user is\nbond_sk_get_lower_dev(), which uses RCU."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T16:31:28.370Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2b1bef126bbb8d0da51491357559126d567c1dee"
},
{
"url": "https://git.kernel.org/stable/c/e37ca0092ddace60833790b4ad7a390408fb1be9"
},
{
"url": "https://git.kernel.org/stable/c/13159c7125636371543a82cb7bbae00ab36730cc"
},
{
"url": "https://git.kernel.org/stable/c/f09cd209359a23f88d4f3fa3d2379d057027e53c"
},
{
"url": "https://git.kernel.org/stable/c/feb474ddbf26b51f462ae2e60a12013bdcfc5407"
},
{
"url": "https://git.kernel.org/stable/c/c65f27b9c3be2269918e1cbad6d8884741f835c5"
}
],
"title": "tls: Use __sk_dst_get() and dst_dev_rcu() in get_netdev_for_sock().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40149",
"datePublished": "2025-11-12T10:23:27.122Z",
"dateReserved": "2025-04-16T07:20:57.175Z",
"dateUpdated": "2026-02-06T16:31:28.370Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68813 (GCVE-0-2025-68813)
Vulnerability from cvelistv5
Published
2026-01-13 15:29
Modified
2026-02-09 08:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipvs: fix ipv4 null-ptr-deref in route error path
The IPv4 code path in __ip_vs_get_out_rt() calls dst_link_failure()
without ensuring skb->dev is set, leading to a NULL pointer dereference
in fib_compute_spec_dst() when ipv4_link_failure() attempts to send
ICMP destination unreachable messages.
The issue emerged after commit ed0de45a1008 ("ipv4: recompile ip options
in ipv4_link_failure") started calling __ip_options_compile() from
ipv4_link_failure(). This code path eventually calls fib_compute_spec_dst()
which dereferences skb->dev. An attempt was made to fix the NULL skb->dev
dereference in commit 0113d9c9d1cc ("ipv4: fix null-deref in
ipv4_link_failure"), but it only addressed the immediate dev_net(skb->dev)
dereference by using a fallback device. The fix was incomplete because
fib_compute_spec_dst() later in the call chain still accesses skb->dev
directly, which remains NULL when IPVS calls dst_link_failure().
The crash occurs when:
1. IPVS processes a packet in NAT mode with a misconfigured destination
2. Route lookup fails in __ip_vs_get_out_rt() before establishing a route
3. The error path calls dst_link_failure(skb) with skb->dev == NULL
4. ipv4_link_failure() → ipv4_send_dest_unreach() →
__ip_options_compile() → fib_compute_spec_dst()
5. fib_compute_spec_dst() dereferences NULL skb->dev
Apply the same fix used for IPv6 in commit 326bf17ea5d4 ("ipvs: fix
ipv6 route unreach panic"): set skb->dev from skb_dst(skb)->dev before
calling dst_link_failure().
KASAN: null-ptr-deref in range [0x0000000000000328-0x000000000000032f]
CPU: 1 PID: 12732 Comm: syz.1.3469 Not tainted 6.6.114 #2
RIP: 0010:__in_dev_get_rcu include/linux/inetdevice.h:233
RIP: 0010:fib_compute_spec_dst+0x17a/0x9f0 net/ipv4/fib_frontend.c:285
Call Trace:
<TASK>
spec_dst_fill net/ipv4/ip_options.c:232
spec_dst_fill net/ipv4/ip_options.c:229
__ip_options_compile+0x13a1/0x17d0 net/ipv4/ip_options.c:330
ipv4_send_dest_unreach net/ipv4/route.c:1252
ipv4_link_failure+0x702/0xb80 net/ipv4/route.c:1265
dst_link_failure include/net/dst.h:437
__ip_vs_get_out_rt+0x15fd/0x19e0 net/netfilter/ipvs/ip_vs_xmit.c:412
ip_vs_nat_xmit+0x1d8/0xc80 net/netfilter/ipvs/ip_vs_xmit.c:764
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: ed0de45a1008991fdaa27a0152befcb74d126a8b Version: ed0de45a1008991fdaa27a0152befcb74d126a8b Version: ed0de45a1008991fdaa27a0152befcb74d126a8b Version: ed0de45a1008991fdaa27a0152befcb74d126a8b Version: ed0de45a1008991fdaa27a0152befcb74d126a8b Version: ed0de45a1008991fdaa27a0152befcb74d126a8b Version: ed0de45a1008991fdaa27a0152befcb74d126a8b Version: 6c2fa855d8178699706b1192db2f1f8102b0ba1e Version: fbf569d2beee2a4a7a0bc8b619c26101d1211a88 Version: ff71f99d5fb2daf54340e8b290d0bc4e6b4c1d38 Version: 3d988fcddbe7b8673a231958bd2fba61b5a7ced9 Version: 8a430e56a6485267a1b2d3747209d26c54d1a34b Version: 6bd1ee0a993fc9574ae43c1994c54a60cb23a380 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/ipvs/ip_vs_xmit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dd72a93c80408f06327dd2d956eb1a656d0b5903",
"status": "affected",
"version": "ed0de45a1008991fdaa27a0152befcb74d126a8b",
"versionType": "git"
},
{
"lessThan": "312d7cd88882fc6cadcc08b02287497aaaf94bcd",
"status": "affected",
"version": "ed0de45a1008991fdaa27a0152befcb74d126a8b",
"versionType": "git"
},
{
"lessThan": "cdeff10851c37a002d87a035818ebd60fdb74447",
"status": "affected",
"version": "ed0de45a1008991fdaa27a0152befcb74d126a8b",
"versionType": "git"
},
{
"lessThan": "4729ff0581fbb7ad098b6153b76b6f5aac94618a",
"status": "affected",
"version": "ed0de45a1008991fdaa27a0152befcb74d126a8b",
"versionType": "git"
},
{
"lessThan": "25ab24df31f7af843c96a38e0781b9165216e1a8",
"status": "affected",
"version": "ed0de45a1008991fdaa27a0152befcb74d126a8b",
"versionType": "git"
},
{
"lessThan": "689a627d14788ad772e0fa24c2e57a23dbc7ce90",
"status": "affected",
"version": "ed0de45a1008991fdaa27a0152befcb74d126a8b",
"versionType": "git"
},
{
"lessThan": "ad891bb3d079a46a821bf2b8867854645191bab0",
"status": "affected",
"version": "ed0de45a1008991fdaa27a0152befcb74d126a8b",
"versionType": "git"
},
{
"status": "affected",
"version": "6c2fa855d8178699706b1192db2f1f8102b0ba1e",
"versionType": "git"
},
{
"status": "affected",
"version": "fbf569d2beee2a4a7a0bc8b619c26101d1211a88",
"versionType": "git"
},
{
"status": "affected",
"version": "ff71f99d5fb2daf54340e8b290d0bc4e6b4c1d38",
"versionType": "git"
},
{
"status": "affected",
"version": "3d988fcddbe7b8673a231958bd2fba61b5a7ced9",
"versionType": "git"
},
{
"status": "affected",
"version": "8a430e56a6485267a1b2d3747209d26c54d1a34b",
"versionType": "git"
},
{
"status": "affected",
"version": "6bd1ee0a993fc9574ae43c1994c54a60cb23a380",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/ipvs/ip_vs_xmit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.1"
},
{
"lessThan": "5.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.18.139",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.179",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.171",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.114",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.0.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipvs: fix ipv4 null-ptr-deref in route error path\n\nThe IPv4 code path in __ip_vs_get_out_rt() calls dst_link_failure()\nwithout ensuring skb-\u003edev is set, leading to a NULL pointer dereference\nin fib_compute_spec_dst() when ipv4_link_failure() attempts to send\nICMP destination unreachable messages.\n\nThe issue emerged after commit ed0de45a1008 (\"ipv4: recompile ip options\nin ipv4_link_failure\") started calling __ip_options_compile() from\nipv4_link_failure(). This code path eventually calls fib_compute_spec_dst()\nwhich dereferences skb-\u003edev. An attempt was made to fix the NULL skb-\u003edev\ndereference in commit 0113d9c9d1cc (\"ipv4: fix null-deref in\nipv4_link_failure\"), but it only addressed the immediate dev_net(skb-\u003edev)\ndereference by using a fallback device. The fix was incomplete because\nfib_compute_spec_dst() later in the call chain still accesses skb-\u003edev\ndirectly, which remains NULL when IPVS calls dst_link_failure().\n\nThe crash occurs when:\n1. IPVS processes a packet in NAT mode with a misconfigured destination\n2. Route lookup fails in __ip_vs_get_out_rt() before establishing a route\n3. The error path calls dst_link_failure(skb) with skb-\u003edev == NULL\n4. ipv4_link_failure() \u2192 ipv4_send_dest_unreach() \u2192\n __ip_options_compile() \u2192 fib_compute_spec_dst()\n5. fib_compute_spec_dst() dereferences NULL skb-\u003edev\n\nApply the same fix used for IPv6 in commit 326bf17ea5d4 (\"ipvs: fix\nipv6 route unreach panic\"): set skb-\u003edev from skb_dst(skb)-\u003edev before\ncalling dst_link_failure().\n\nKASAN: null-ptr-deref in range [0x0000000000000328-0x000000000000032f]\nCPU: 1 PID: 12732 Comm: syz.1.3469 Not tainted 6.6.114 #2\nRIP: 0010:__in_dev_get_rcu include/linux/inetdevice.h:233\nRIP: 0010:fib_compute_spec_dst+0x17a/0x9f0 net/ipv4/fib_frontend.c:285\nCall Trace:\n \u003cTASK\u003e\n spec_dst_fill net/ipv4/ip_options.c:232\n spec_dst_fill net/ipv4/ip_options.c:229\n __ip_options_compile+0x13a1/0x17d0 net/ipv4/ip_options.c:330\n ipv4_send_dest_unreach net/ipv4/route.c:1252\n ipv4_link_failure+0x702/0xb80 net/ipv4/route.c:1265\n dst_link_failure include/net/dst.h:437\n __ip_vs_get_out_rt+0x15fd/0x19e0 net/netfilter/ipvs/ip_vs_xmit.c:412\n ip_vs_nat_xmit+0x1d8/0xc80 net/netfilter/ipvs/ip_vs_xmit.c:764"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:02.933Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dd72a93c80408f06327dd2d956eb1a656d0b5903"
},
{
"url": "https://git.kernel.org/stable/c/312d7cd88882fc6cadcc08b02287497aaaf94bcd"
},
{
"url": "https://git.kernel.org/stable/c/cdeff10851c37a002d87a035818ebd60fdb74447"
},
{
"url": "https://git.kernel.org/stable/c/4729ff0581fbb7ad098b6153b76b6f5aac94618a"
},
{
"url": "https://git.kernel.org/stable/c/25ab24df31f7af843c96a38e0781b9165216e1a8"
},
{
"url": "https://git.kernel.org/stable/c/689a627d14788ad772e0fa24c2e57a23dbc7ce90"
},
{
"url": "https://git.kernel.org/stable/c/ad891bb3d079a46a821bf2b8867854645191bab0"
}
],
"title": "ipvs: fix ipv4 null-ptr-deref in route error path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68813",
"datePublished": "2026-01-13T15:29:18.483Z",
"dateReserved": "2025-12-24T10:30:51.047Z",
"dateUpdated": "2026-02-09T08:34:02.933Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40140 (GCVE-0-2025-40140)
Vulnerability from cvelistv5
Published
2025-11-12 10:23
Modified
2025-12-01 06:18
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast
syzbot reported WARNING in rtl8150_start_xmit/usb_submit_urb.
This is the sequence of events that leads to the warning:
rtl8150_start_xmit() {
netif_stop_queue();
usb_submit_urb(dev->tx_urb);
}
rtl8150_set_multicast() {
netif_stop_queue();
netif_wake_queue(); <-- wakes up TX queue before URB is done
}
rtl8150_start_xmit() {
netif_stop_queue();
usb_submit_urb(dev->tx_urb); <-- double submission
}
rtl8150_set_multicast being the ndo_set_rx_mode callback should not be
calling netif_stop_queue and notif_start_queue as these handle
TX queue synchronization.
The net core function dev_set_rx_mode handles the synchronization
for rtl8150_set_multicast making it safe to remove these locks.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/rtl8150.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cce3c0e21cdd15bcba5c35d3af1700186de8f187",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1a08a37ac03d07a1608a1592791041cac979fbc3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "54f8ef1a970a8376e5846ed90854decf7c00555d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "114e05344763a102a8844efd96ec06ba99293ccd",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6394bade9daab8e318c165fe43bba012bf13cd8e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6053e47bbf212b93c051beb4261d7d5a409d0ce3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9d72df7f5eac946f853bf49c428c4e87a17d91da",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "958baf5eaee394e5fd976979b0791a875f14a179",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/rtl8150.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast\n\nsyzbot reported WARNING in rtl8150_start_xmit/usb_submit_urb.\nThis is the sequence of events that leads to the warning:\n\nrtl8150_start_xmit() {\n\tnetif_stop_queue();\n\tusb_submit_urb(dev-\u003etx_urb);\n}\n\nrtl8150_set_multicast() {\n\tnetif_stop_queue();\n\tnetif_wake_queue();\t\t\u003c-- wakes up TX queue before URB is done\n}\n\nrtl8150_start_xmit() {\n\tnetif_stop_queue();\n\tusb_submit_urb(dev-\u003etx_urb);\t\u003c-- double submission\n}\n\nrtl8150_set_multicast being the ndo_set_rx_mode callback should not be\ncalling netif_stop_queue and notif_start_queue as these handle\nTX queue synchronization.\n\nThe net core function dev_set_rx_mode handles the synchronization\nfor rtl8150_set_multicast making it safe to remove these locks."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:18:48.351Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cce3c0e21cdd15bcba5c35d3af1700186de8f187"
},
{
"url": "https://git.kernel.org/stable/c/1a08a37ac03d07a1608a1592791041cac979fbc3"
},
{
"url": "https://git.kernel.org/stable/c/54f8ef1a970a8376e5846ed90854decf7c00555d"
},
{
"url": "https://git.kernel.org/stable/c/114e05344763a102a8844efd96ec06ba99293ccd"
},
{
"url": "https://git.kernel.org/stable/c/6394bade9daab8e318c165fe43bba012bf13cd8e"
},
{
"url": "https://git.kernel.org/stable/c/6053e47bbf212b93c051beb4261d7d5a409d0ce3"
},
{
"url": "https://git.kernel.org/stable/c/9d72df7f5eac946f853bf49c428c4e87a17d91da"
},
{
"url": "https://git.kernel.org/stable/c/958baf5eaee394e5fd976979b0791a875f14a179"
}
],
"title": "net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40140",
"datePublished": "2025-11-12T10:23:24.586Z",
"dateReserved": "2025-04-16T07:20:57.171Z",
"dateUpdated": "2025-12-01T06:18:48.351Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-36927 (GCVE-0-2024-36927)
Vulnerability from cvelistv5
Published
2024-05-30 15:29
Modified
2026-01-19 12:17
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv4: Fix uninit-value access in __ip_make_skb()
KMSAN reported uninit-value access in __ip_make_skb() [1]. __ip_make_skb()
tests HDRINCL to know if the skb has icmphdr. However, HDRINCL can cause a
race condition. If calling setsockopt(2) with IP_HDRINCL changes HDRINCL
while __ip_make_skb() is running, the function will access icmphdr in the
skb even if it is not included. This causes the issue reported by KMSAN.
Check FLOWI_FLAG_KNOWN_NH on fl4->flowi4_flags instead of testing HDRINCL
on the socket.
Also, fl4->fl4_icmp_type and fl4->fl4_icmp_code are not initialized. These
are union in struct flowi4 and are implicitly initialized by
flowi4_init_output(), but we should not rely on specific union layout.
Initialize these explicitly in raw_sendmsg().
[1]
BUG: KMSAN: uninit-value in __ip_make_skb+0x2b74/0x2d20 net/ipv4/ip_output.c:1481
__ip_make_skb+0x2b74/0x2d20 net/ipv4/ip_output.c:1481
ip_finish_skb include/net/ip.h:243 [inline]
ip_push_pending_frames+0x4c/0x5c0 net/ipv4/ip_output.c:1508
raw_sendmsg+0x2381/0x2690 net/ipv4/raw.c:654
inet_sendmsg+0x27b/0x2a0 net/ipv4/af_inet.c:851
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x274/0x3c0 net/socket.c:745
__sys_sendto+0x62c/0x7b0 net/socket.c:2191
__do_sys_sendto net/socket.c:2203 [inline]
__se_sys_sendto net/socket.c:2199 [inline]
__x64_sys_sendto+0x130/0x200 net/socket.c:2199
do_syscall_64+0xd8/0x1f0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x6d/0x75
Uninit was created at:
slab_post_alloc_hook mm/slub.c:3804 [inline]
slab_alloc_node mm/slub.c:3845 [inline]
kmem_cache_alloc_node+0x5f6/0xc50 mm/slub.c:3888
kmalloc_reserve+0x13c/0x4a0 net/core/skbuff.c:577
__alloc_skb+0x35a/0x7c0 net/core/skbuff.c:668
alloc_skb include/linux/skbuff.h:1318 [inline]
__ip_append_data+0x49ab/0x68c0 net/ipv4/ip_output.c:1128
ip_append_data+0x1e7/0x260 net/ipv4/ip_output.c:1365
raw_sendmsg+0x22b1/0x2690 net/ipv4/raw.c:648
inet_sendmsg+0x27b/0x2a0 net/ipv4/af_inet.c:851
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x274/0x3c0 net/socket.c:745
__sys_sendto+0x62c/0x7b0 net/socket.c:2191
__do_sys_sendto net/socket.c:2203 [inline]
__se_sys_sendto net/socket.c:2199 [inline]
__x64_sys_sendto+0x130/0x200 net/socket.c:2199
do_syscall_64+0xd8/0x1f0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x6d/0x75
CPU: 1 PID: 15709 Comm: syz-executor.7 Not tainted 6.8.0-11567-gb3603fcb79b1 #25
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 566785731c6dd41ef815196ddc36d1ae30a63763 Version: a54ec573d9b81b05d368f8e6edc1b3e49f688658 Version: fc60067260c20da8cddcf968bec47416f3e2cde2 Version: 99e5acae193e369b71217efe6f1dad42f3f18815 Version: 99e5acae193e369b71217efe6f1dad42f3f18815 Version: 99e5acae193e369b71217efe6f1dad42f3f18815 Version: dc4e3bb0710178c8d03fc43064e0a71fe7440cdd Version: 022ea4374c319690c804706bda9dc42946d1556d Version: 27c468ec1af113f6ae94fb5378f65e6038bd16e7 Version: 32a5a13d556e4f804e5a447a08c70b172d600707 Version: 9e3c96aed8fe32907e0a4bca05aad457629a820c |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-36927",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-30T18:44:15.154993Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:47:46.460Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:30:11.988Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/5db08343ddb1b239320612036c398e4e1bb52818"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/f5c603ad4e6fcf42f84053e882ebe20184bb309e"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/fc1092f51567277509563800a3c56732070b6aa4"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/ip_output.c",
"net/ipv4/raw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "88c66f1879f322f11de34d37b2d3d87497afdcb6",
"status": "affected",
"version": "566785731c6dd41ef815196ddc36d1ae30a63763",
"versionType": "git"
},
{
"lessThan": "20d3eb00ab81462d554ac6d09691b8d9aa5a5741",
"status": "affected",
"version": "a54ec573d9b81b05d368f8e6edc1b3e49f688658",
"versionType": "git"
},
{
"lessThan": "55bf541e018b76b3750cb6c6ea18c46e1ac5562e",
"status": "affected",
"version": "fc60067260c20da8cddcf968bec47416f3e2cde2",
"versionType": "git"
},
{
"lessThan": "5db08343ddb1b239320612036c398e4e1bb52818",
"status": "affected",
"version": "99e5acae193e369b71217efe6f1dad42f3f18815",
"versionType": "git"
},
{
"lessThan": "f5c603ad4e6fcf42f84053e882ebe20184bb309e",
"status": "affected",
"version": "99e5acae193e369b71217efe6f1dad42f3f18815",
"versionType": "git"
},
{
"lessThan": "fc1092f51567277509563800a3c56732070b6aa4",
"status": "affected",
"version": "99e5acae193e369b71217efe6f1dad42f3f18815",
"versionType": "git"
},
{
"status": "affected",
"version": "dc4e3bb0710178c8d03fc43064e0a71fe7440cdd",
"versionType": "git"
},
{
"status": "affected",
"version": "022ea4374c319690c804706bda9dc42946d1556d",
"versionType": "git"
},
{
"status": "affected",
"version": "27c468ec1af113f6ae94fb5378f65e6038bd16e7",
"versionType": "git"
},
{
"status": "affected",
"version": "32a5a13d556e4f804e5a447a08c70b172d600707",
"versionType": "git"
},
{
"status": "affected",
"version": "9e3c96aed8fe32907e0a4bca05aad457629a820c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/ip_output.c",
"net/ipv4/raw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.31",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.8.*",
"status": "unaffected",
"version": "6.8.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.9",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.10.180",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.15.111",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.140",
"versionStartIncluding": "6.1.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.31",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8.10",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.315",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.283",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.243",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.2.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.3.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: Fix uninit-value access in __ip_make_skb()\n\nKMSAN reported uninit-value access in __ip_make_skb() [1]. __ip_make_skb()\ntests HDRINCL to know if the skb has icmphdr. However, HDRINCL can cause a\nrace condition. If calling setsockopt(2) with IP_HDRINCL changes HDRINCL\nwhile __ip_make_skb() is running, the function will access icmphdr in the\nskb even if it is not included. This causes the issue reported by KMSAN.\n\nCheck FLOWI_FLAG_KNOWN_NH on fl4-\u003eflowi4_flags instead of testing HDRINCL\non the socket.\n\nAlso, fl4-\u003efl4_icmp_type and fl4-\u003efl4_icmp_code are not initialized. These\nare union in struct flowi4 and are implicitly initialized by\nflowi4_init_output(), but we should not rely on specific union layout.\n\nInitialize these explicitly in raw_sendmsg().\n\n[1]\nBUG: KMSAN: uninit-value in __ip_make_skb+0x2b74/0x2d20 net/ipv4/ip_output.c:1481\n __ip_make_skb+0x2b74/0x2d20 net/ipv4/ip_output.c:1481\n ip_finish_skb include/net/ip.h:243 [inline]\n ip_push_pending_frames+0x4c/0x5c0 net/ipv4/ip_output.c:1508\n raw_sendmsg+0x2381/0x2690 net/ipv4/raw.c:654\n inet_sendmsg+0x27b/0x2a0 net/ipv4/af_inet.c:851\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x274/0x3c0 net/socket.c:745\n __sys_sendto+0x62c/0x7b0 net/socket.c:2191\n __do_sys_sendto net/socket.c:2203 [inline]\n __se_sys_sendto net/socket.c:2199 [inline]\n __x64_sys_sendto+0x130/0x200 net/socket.c:2199\n do_syscall_64+0xd8/0x1f0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:3804 [inline]\n slab_alloc_node mm/slub.c:3845 [inline]\n kmem_cache_alloc_node+0x5f6/0xc50 mm/slub.c:3888\n kmalloc_reserve+0x13c/0x4a0 net/core/skbuff.c:577\n __alloc_skb+0x35a/0x7c0 net/core/skbuff.c:668\n alloc_skb include/linux/skbuff.h:1318 [inline]\n __ip_append_data+0x49ab/0x68c0 net/ipv4/ip_output.c:1128\n ip_append_data+0x1e7/0x260 net/ipv4/ip_output.c:1365\n raw_sendmsg+0x22b1/0x2690 net/ipv4/raw.c:648\n inet_sendmsg+0x27b/0x2a0 net/ipv4/af_inet.c:851\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x274/0x3c0 net/socket.c:745\n __sys_sendto+0x62c/0x7b0 net/socket.c:2191\n __do_sys_sendto net/socket.c:2203 [inline]\n __se_sys_sendto net/socket.c:2199 [inline]\n __x64_sys_sendto+0x130/0x200 net/socket.c:2199\n do_syscall_64+0xd8/0x1f0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nCPU: 1 PID: 15709 Comm: syz-executor.7 Not tainted 6.8.0-11567-gb3603fcb79b1 #25\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:17:47.098Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/88c66f1879f322f11de34d37b2d3d87497afdcb6"
},
{
"url": "https://git.kernel.org/stable/c/20d3eb00ab81462d554ac6d09691b8d9aa5a5741"
},
{
"url": "https://git.kernel.org/stable/c/55bf541e018b76b3750cb6c6ea18c46e1ac5562e"
},
{
"url": "https://git.kernel.org/stable/c/5db08343ddb1b239320612036c398e4e1bb52818"
},
{
"url": "https://git.kernel.org/stable/c/f5c603ad4e6fcf42f84053e882ebe20184bb309e"
},
{
"url": "https://git.kernel.org/stable/c/fc1092f51567277509563800a3c56732070b6aa4"
}
],
"title": "ipv4: Fix uninit-value access in __ip_make_skb()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-36927",
"datePublished": "2024-05-30T15:29:20.275Z",
"dateReserved": "2024-05-30T15:25:07.069Z",
"dateUpdated": "2026-01-19T12:17:47.098Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68363 (GCVE-0-2025-68363)
Vulnerability from cvelistv5
Published
2025-12-24 10:32
Modified
2026-02-09 08:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Check skb->transport_header is set in bpf_skb_check_mtu
The bpf_skb_check_mtu helper needs to use skb->transport_header when
the BPF_MTU_CHK_SEGS flag is used:
bpf_skb_check_mtu(skb, ifindex, &mtu_len, 0, BPF_MTU_CHK_SEGS)
The transport_header is not always set. There is a WARN_ON_ONCE
report when CONFIG_DEBUG_NET is enabled + skb->gso_size is set +
bpf_prog_test_run is used:
WARNING: CPU: 1 PID: 2216 at ./include/linux/skbuff.h:3071
skb_gso_validate_network_len
bpf_skb_check_mtu
bpf_prog_3920e25740a41171_tc_chk_segs_flag # A test in the next patch
bpf_test_run
bpf_prog_test_run_skb
For a normal ingress skb (not test_run), skb_reset_transport_header
is performed but there is plan to avoid setting it as described in
commit 2170a1f09148 ("net: no longer reset transport_header in __netif_receive_skb_core()").
This patch fixes the bpf helper by checking
skb_transport_header_was_set(). The check is done just before
skb->transport_header is used, to avoid breaking the existing bpf prog.
The WARN_ON_ONCE is limited to bpf_prog_test_run, so targeting bpf-next.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 34b2021cc61642d61c3cf943d9e71925b827941b Version: 34b2021cc61642d61c3cf943d9e71925b827941b Version: 34b2021cc61642d61c3cf943d9e71925b827941b Version: 34b2021cc61642d61c3cf943d9e71925b827941b Version: 34b2021cc61642d61c3cf943d9e71925b827941b Version: 34b2021cc61642d61c3cf943d9e71925b827941b |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/filter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b3171a5e4622e915e94599a55f4964078bdec27e",
"status": "affected",
"version": "34b2021cc61642d61c3cf943d9e71925b827941b",
"versionType": "git"
},
{
"lessThan": "97b876fa88322625228792cf7a5fd77531815a80",
"status": "affected",
"version": "34b2021cc61642d61c3cf943d9e71925b827941b",
"versionType": "git"
},
{
"lessThan": "30ce906557a21adef4cba5901c8e995dc18263a9",
"status": "affected",
"version": "34b2021cc61642d61c3cf943d9e71925b827941b",
"versionType": "git"
},
{
"lessThan": "1c30e4afc5507f0069cc09bd561e510e4d97fbf7",
"status": "affected",
"version": "34b2021cc61642d61c3cf943d9e71925b827941b",
"versionType": "git"
},
{
"lessThan": "942268e2726ac7f16e3ec49dbfbbbe7cf5af9da5",
"status": "affected",
"version": "34b2021cc61642d61c3cf943d9e71925b827941b",
"versionType": "git"
},
{
"lessThan": "d946f3c98328171fa50ddb908593cf833587f725",
"status": "affected",
"version": "34b2021cc61642d61c3cf943d9e71925b827941b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/filter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Check skb-\u003etransport_header is set in bpf_skb_check_mtu\n\nThe bpf_skb_check_mtu helper needs to use skb-\u003etransport_header when\nthe BPF_MTU_CHK_SEGS flag is used:\n\n\tbpf_skb_check_mtu(skb, ifindex, \u0026mtu_len, 0, BPF_MTU_CHK_SEGS)\n\nThe transport_header is not always set. There is a WARN_ON_ONCE\nreport when CONFIG_DEBUG_NET is enabled + skb-\u003egso_size is set +\nbpf_prog_test_run is used:\n\nWARNING: CPU: 1 PID: 2216 at ./include/linux/skbuff.h:3071\n skb_gso_validate_network_len\n bpf_skb_check_mtu\n bpf_prog_3920e25740a41171_tc_chk_segs_flag # A test in the next patch\n bpf_test_run\n bpf_prog_test_run_skb\n\nFor a normal ingress skb (not test_run), skb_reset_transport_header\nis performed but there is plan to avoid setting it as described in\ncommit 2170a1f09148 (\"net: no longer reset transport_header in __netif_receive_skb_core()\").\n\nThis patch fixes the bpf helper by checking\nskb_transport_header_was_set(). The check is done just before\nskb-\u003etransport_header is used, to avoid breaking the existing bpf prog.\nThe WARN_ON_ONCE is limited to bpf_prog_test_run, so targeting bpf-next."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:31:58.953Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b3171a5e4622e915e94599a55f4964078bdec27e"
},
{
"url": "https://git.kernel.org/stable/c/97b876fa88322625228792cf7a5fd77531815a80"
},
{
"url": "https://git.kernel.org/stable/c/30ce906557a21adef4cba5901c8e995dc18263a9"
},
{
"url": "https://git.kernel.org/stable/c/1c30e4afc5507f0069cc09bd561e510e4d97fbf7"
},
{
"url": "https://git.kernel.org/stable/c/942268e2726ac7f16e3ec49dbfbbbe7cf5af9da5"
},
{
"url": "https://git.kernel.org/stable/c/d946f3c98328171fa50ddb908593cf833587f725"
}
],
"title": "bpf: Check skb-\u003etransport_header is set in bpf_skb_check_mtu",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68363",
"datePublished": "2025-12-24T10:32:51.236Z",
"dateReserved": "2025-12-16T14:48:05.308Z",
"dateUpdated": "2026-02-09T08:31:58.953Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68794 (GCVE-0-2025-68794)
Vulnerability from cvelistv5
Published
2026-01-13 15:29
Modified
2026-02-09 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
iomap: adjust read range correctly for non-block-aligned positions
iomap_adjust_read_range() assumes that the position and length passed in
are block-aligned. This is not always the case however, as shown in the
syzbot generated case for erofs. This causes too many bytes to be
skipped for uptodate blocks, which results in returning the incorrect
position and length to read in. If all the blocks are uptodate, this
underflows length and returns a position beyond the folio.
Fix the calculation to also take into account the block offset when
calculating how many bytes can be skipped for uptodate blocks.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/iomap/buffered-io.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "82b60ffbb532d919959702768dca04c3c0500ae5",
"status": "affected",
"version": "9dc55f1389f9569acf9659e58dd836a9c70df217",
"versionType": "git"
},
{
"lessThan": "12053695c8ef5410e8cc6c9ed4c0db9cd9c82b3e",
"status": "affected",
"version": "9dc55f1389f9569acf9659e58dd836a9c70df217",
"versionType": "git"
},
{
"lessThan": "142194fb21afe964d2d194cab1fc357cbf87e899",
"status": "affected",
"version": "9dc55f1389f9569acf9659e58dd836a9c70df217",
"versionType": "git"
},
{
"lessThan": "7aa6bc3e8766990824f66ca76c19596ce10daf3e",
"status": "affected",
"version": "9dc55f1389f9569acf9659e58dd836a9c70df217",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/iomap/buffered-io.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niomap: adjust read range correctly for non-block-aligned positions\n\niomap_adjust_read_range() assumes that the position and length passed in\nare block-aligned. This is not always the case however, as shown in the\nsyzbot generated case for erofs. This causes too many bytes to be\nskipped for uptodate blocks, which results in returning the incorrect\nposition and length to read in. If all the blocks are uptodate, this\nunderflows length and returns a position beyond the folio.\n\nFix the calculation to also take into account the block offset when\ncalculating how many bytes can be skipped for uptodate blocks."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:41.860Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/82b60ffbb532d919959702768dca04c3c0500ae5"
},
{
"url": "https://git.kernel.org/stable/c/12053695c8ef5410e8cc6c9ed4c0db9cd9c82b3e"
},
{
"url": "https://git.kernel.org/stable/c/142194fb21afe964d2d194cab1fc357cbf87e899"
},
{
"url": "https://git.kernel.org/stable/c/7aa6bc3e8766990824f66ca76c19596ce10daf3e"
}
],
"title": "iomap: adjust read range correctly for non-block-aligned positions",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68794",
"datePublished": "2026-01-13T15:29:05.553Z",
"dateReserved": "2025-12-24T10:30:51.037Z",
"dateUpdated": "2026-02-09T08:33:41.860Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68801 (GCVE-0-2025-68801)
Vulnerability from cvelistv5
Published
2026-01-13 15:29
Modified
2026-02-09 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mlxsw: spectrum_router: Fix neighbour use-after-free
We sometimes observe use-after-free when dereferencing a neighbour [1].
The problem seems to be that the driver stores a pointer to the
neighbour, but without holding a reference on it. A reference is only
taken when the neighbour is used by a nexthop.
Fix by simplifying the reference counting scheme. Always take a
reference when storing a neighbour pointer in a neighbour entry. Avoid
taking a referencing when the neighbour is used by a nexthop as the
neighbour entry associated with the nexthop already holds a reference.
Tested by running the test that uncovered the problem over 300 times.
Without this patch the problem was reproduced after a handful of
iterations.
[1]
BUG: KASAN: slab-use-after-free in mlxsw_sp_neigh_entry_update+0x2d4/0x310
Read of size 8 at addr ffff88817f8e3420 by task ip/3929
CPU: 3 UID: 0 PID: 3929 Comm: ip Not tainted 6.18.0-rc4-virtme-g36b21a067510 #3 PREEMPT(full)
Hardware name: Nvidia SN5600/VMOD0013, BIOS 5.13 05/31/2023
Call Trace:
<TASK>
dump_stack_lvl+0x6f/0xa0
print_address_description.constprop.0+0x6e/0x300
print_report+0xfc/0x1fb
kasan_report+0xe4/0x110
mlxsw_sp_neigh_entry_update+0x2d4/0x310
mlxsw_sp_router_rif_gone_sync+0x35f/0x510
mlxsw_sp_rif_destroy+0x1ea/0x730
mlxsw_sp_inetaddr_port_vlan_event+0xa1/0x1b0
__mlxsw_sp_inetaddr_lag_event+0xcc/0x130
__mlxsw_sp_inetaddr_event+0xf5/0x3c0
mlxsw_sp_router_netdevice_event+0x1015/0x1580
notifier_call_chain+0xcc/0x150
call_netdevice_notifiers_info+0x7e/0x100
__netdev_upper_dev_unlink+0x10b/0x210
netdev_upper_dev_unlink+0x79/0xa0
vrf_del_slave+0x18/0x50
do_set_master+0x146/0x7d0
do_setlink.isra.0+0x9a0/0x2880
rtnl_newlink+0x637/0xb20
rtnetlink_rcv_msg+0x6fe/0xb90
netlink_rcv_skb+0x123/0x380
netlink_unicast+0x4a3/0x770
netlink_sendmsg+0x75b/0xc90
__sock_sendmsg+0xbe/0x160
____sys_sendmsg+0x5b2/0x7d0
___sys_sendmsg+0xfd/0x180
__sys_sendmsg+0x124/0x1c0
do_syscall_64+0xbb/0xfd0
entry_SYSCALL_64_after_hwframe+0x4b/0x53
[...]
Allocated by task 109:
kasan_save_stack+0x30/0x50
kasan_save_track+0x14/0x30
__kasan_kmalloc+0x7b/0x90
__kmalloc_noprof+0x2c1/0x790
neigh_alloc+0x6af/0x8f0
___neigh_create+0x63/0xe90
mlxsw_sp_nexthop_neigh_init+0x430/0x7e0
mlxsw_sp_nexthop_type_init+0x212/0x960
mlxsw_sp_nexthop6_group_info_init.constprop.0+0x81f/0x1280
mlxsw_sp_nexthop6_group_get+0x392/0x6a0
mlxsw_sp_fib6_entry_create+0x46a/0xfd0
mlxsw_sp_router_fib6_replace+0x1ed/0x5f0
mlxsw_sp_router_fib6_event_work+0x10a/0x2a0
process_one_work+0xd57/0x1390
worker_thread+0x4d6/0xd40
kthread+0x355/0x5b0
ret_from_fork+0x1d4/0x270
ret_from_fork_asm+0x11/0x20
Freed by task 154:
kasan_save_stack+0x30/0x50
kasan_save_track+0x14/0x30
__kasan_save_free_info+0x3b/0x60
__kasan_slab_free+0x43/0x70
kmem_cache_free_bulk.part.0+0x1eb/0x5e0
kvfree_rcu_bulk+0x1f2/0x260
kfree_rcu_work+0x130/0x1b0
process_one_work+0xd57/0x1390
worker_thread+0x4d6/0xd40
kthread+0x355/0x5b0
ret_from_fork+0x1d4/0x270
ret_from_fork_asm+0x11/0x20
Last potentially related work creation:
kasan_save_stack+0x30/0x50
kasan_record_aux_stack+0x8c/0xa0
kvfree_call_rcu+0x93/0x5b0
mlxsw_sp_router_neigh_event_work+0x67d/0x860
process_one_work+0xd57/0x1390
worker_thread+0x4d6/0xd40
kthread+0x355/0x5b0
ret_from_fork+0x1d4/0x270
ret_from_fork_asm+0x11/0x20
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 6cf3c971dc84cb36579515ddb488919b9e9fb6de Version: 6cf3c971dc84cb36579515ddb488919b9e9fb6de Version: 6cf3c971dc84cb36579515ddb488919b9e9fb6de Version: 6cf3c971dc84cb36579515ddb488919b9e9fb6de Version: 6cf3c971dc84cb36579515ddb488919b9e9fb6de Version: 6cf3c971dc84cb36579515ddb488919b9e9fb6de Version: 6cf3c971dc84cb36579515ddb488919b9e9fb6de |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a2dfe6758fc63e542105bee8b17a3a7485684db0",
"status": "affected",
"version": "6cf3c971dc84cb36579515ddb488919b9e9fb6de",
"versionType": "git"
},
{
"lessThan": "9e0a0d9eeb0dbeba2c83fa837885b19b8b9230fc",
"status": "affected",
"version": "6cf3c971dc84cb36579515ddb488919b9e9fb6de",
"versionType": "git"
},
{
"lessThan": "c437fbfd4382412598cdda1f8e2881b523668cc2",
"status": "affected",
"version": "6cf3c971dc84cb36579515ddb488919b9e9fb6de",
"versionType": "git"
},
{
"lessThan": "4a3c569005f42ab5e5b2ad637132a33bf102cc08",
"status": "affected",
"version": "6cf3c971dc84cb36579515ddb488919b9e9fb6de",
"versionType": "git"
},
{
"lessThan": "ed8141b206bdcfd5d0b92c90832eeb77b7a60a0a",
"status": "affected",
"version": "6cf3c971dc84cb36579515ddb488919b9e9fb6de",
"versionType": "git"
},
{
"lessThan": "675c5aeadf6472672c472dc0f26401e4fcfbf254",
"status": "affected",
"version": "6cf3c971dc84cb36579515ddb488919b9e9fb6de",
"versionType": "git"
},
{
"lessThan": "8b0e69763ef948fb872a7767df4be665d18f5fd4",
"status": "affected",
"version": "6cf3c971dc84cb36579515ddb488919b9e9fb6de",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_router: Fix neighbour use-after-free\n\nWe sometimes observe use-after-free when dereferencing a neighbour [1].\nThe problem seems to be that the driver stores a pointer to the\nneighbour, but without holding a reference on it. A reference is only\ntaken when the neighbour is used by a nexthop.\n\nFix by simplifying the reference counting scheme. Always take a\nreference when storing a neighbour pointer in a neighbour entry. Avoid\ntaking a referencing when the neighbour is used by a nexthop as the\nneighbour entry associated with the nexthop already holds a reference.\n\nTested by running the test that uncovered the problem over 300 times.\nWithout this patch the problem was reproduced after a handful of\niterations.\n\n[1]\nBUG: KASAN: slab-use-after-free in mlxsw_sp_neigh_entry_update+0x2d4/0x310\nRead of size 8 at addr ffff88817f8e3420 by task ip/3929\n\nCPU: 3 UID: 0 PID: 3929 Comm: ip Not tainted 6.18.0-rc4-virtme-g36b21a067510 #3 PREEMPT(full)\nHardware name: Nvidia SN5600/VMOD0013, BIOS 5.13 05/31/2023\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x6f/0xa0\n print_address_description.constprop.0+0x6e/0x300\n print_report+0xfc/0x1fb\n kasan_report+0xe4/0x110\n mlxsw_sp_neigh_entry_update+0x2d4/0x310\n mlxsw_sp_router_rif_gone_sync+0x35f/0x510\n mlxsw_sp_rif_destroy+0x1ea/0x730\n mlxsw_sp_inetaddr_port_vlan_event+0xa1/0x1b0\n __mlxsw_sp_inetaddr_lag_event+0xcc/0x130\n __mlxsw_sp_inetaddr_event+0xf5/0x3c0\n mlxsw_sp_router_netdevice_event+0x1015/0x1580\n notifier_call_chain+0xcc/0x150\n call_netdevice_notifiers_info+0x7e/0x100\n __netdev_upper_dev_unlink+0x10b/0x210\n netdev_upper_dev_unlink+0x79/0xa0\n vrf_del_slave+0x18/0x50\n do_set_master+0x146/0x7d0\n do_setlink.isra.0+0x9a0/0x2880\n rtnl_newlink+0x637/0xb20\n rtnetlink_rcv_msg+0x6fe/0xb90\n netlink_rcv_skb+0x123/0x380\n netlink_unicast+0x4a3/0x770\n netlink_sendmsg+0x75b/0xc90\n __sock_sendmsg+0xbe/0x160\n ____sys_sendmsg+0x5b2/0x7d0\n ___sys_sendmsg+0xfd/0x180\n __sys_sendmsg+0x124/0x1c0\n do_syscall_64+0xbb/0xfd0\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n[...]\n\nAllocated by task 109:\n kasan_save_stack+0x30/0x50\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0x7b/0x90\n __kmalloc_noprof+0x2c1/0x790\n neigh_alloc+0x6af/0x8f0\n ___neigh_create+0x63/0xe90\n mlxsw_sp_nexthop_neigh_init+0x430/0x7e0\n mlxsw_sp_nexthop_type_init+0x212/0x960\n mlxsw_sp_nexthop6_group_info_init.constprop.0+0x81f/0x1280\n mlxsw_sp_nexthop6_group_get+0x392/0x6a0\n mlxsw_sp_fib6_entry_create+0x46a/0xfd0\n mlxsw_sp_router_fib6_replace+0x1ed/0x5f0\n mlxsw_sp_router_fib6_event_work+0x10a/0x2a0\n process_one_work+0xd57/0x1390\n worker_thread+0x4d6/0xd40\n kthread+0x355/0x5b0\n ret_from_fork+0x1d4/0x270\n ret_from_fork_asm+0x11/0x20\n\nFreed by task 154:\n kasan_save_stack+0x30/0x50\n kasan_save_track+0x14/0x30\n __kasan_save_free_info+0x3b/0x60\n __kasan_slab_free+0x43/0x70\n kmem_cache_free_bulk.part.0+0x1eb/0x5e0\n kvfree_rcu_bulk+0x1f2/0x260\n kfree_rcu_work+0x130/0x1b0\n process_one_work+0xd57/0x1390\n worker_thread+0x4d6/0xd40\n kthread+0x355/0x5b0\n ret_from_fork+0x1d4/0x270\n ret_from_fork_asm+0x11/0x20\n\nLast potentially related work creation:\n kasan_save_stack+0x30/0x50\n kasan_record_aux_stack+0x8c/0xa0\n kvfree_call_rcu+0x93/0x5b0\n mlxsw_sp_router_neigh_event_work+0x67d/0x860\n process_one_work+0xd57/0x1390\n worker_thread+0x4d6/0xd40\n kthread+0x355/0x5b0\n ret_from_fork+0x1d4/0x270\n ret_from_fork_asm+0x11/0x20"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:49.549Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a2dfe6758fc63e542105bee8b17a3a7485684db0"
},
{
"url": "https://git.kernel.org/stable/c/9e0a0d9eeb0dbeba2c83fa837885b19b8b9230fc"
},
{
"url": "https://git.kernel.org/stable/c/c437fbfd4382412598cdda1f8e2881b523668cc2"
},
{
"url": "https://git.kernel.org/stable/c/4a3c569005f42ab5e5b2ad637132a33bf102cc08"
},
{
"url": "https://git.kernel.org/stable/c/ed8141b206bdcfd5d0b92c90832eeb77b7a60a0a"
},
{
"url": "https://git.kernel.org/stable/c/675c5aeadf6472672c472dc0f26401e4fcfbf254"
},
{
"url": "https://git.kernel.org/stable/c/8b0e69763ef948fb872a7767df4be665d18f5fd4"
}
],
"title": "mlxsw: spectrum_router: Fix neighbour use-after-free",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68801",
"datePublished": "2026-01-13T15:29:10.349Z",
"dateReserved": "2025-12-24T10:30:51.045Z",
"dateUpdated": "2026-02-09T08:33:49.549Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23120 (GCVE-0-2026-23120)
Vulnerability from cvelistv5
Published
2026-02-14 15:09
Modified
2026-02-14 15:09
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
l2tp: avoid one data-race in l2tp_tunnel_del_work()
We should read sk->sk_socket only when dealing with kernel sockets.
syzbot reported the following data-race:
BUG: KCSAN: data-race in l2tp_tunnel_del_work / sk_common_release
write to 0xffff88811c182b20 of 8 bytes by task 5365 on cpu 0:
sk_set_socket include/net/sock.h:2092 [inline]
sock_orphan include/net/sock.h:2118 [inline]
sk_common_release+0xae/0x230 net/core/sock.c:4003
udp_lib_close+0x15/0x20 include/net/udp.h:325
inet_release+0xce/0xf0 net/ipv4/af_inet.c:437
__sock_release net/socket.c:662 [inline]
sock_close+0x6b/0x150 net/socket.c:1455
__fput+0x29b/0x650 fs/file_table.c:468
____fput+0x1c/0x30 fs/file_table.c:496
task_work_run+0x131/0x1a0 kernel/task_work.c:233
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
__exit_to_user_mode_loop kernel/entry/common.c:44 [inline]
exit_to_user_mode_loop+0x1fe/0x740 kernel/entry/common.c:75
__exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline]
do_syscall_64+0x1e1/0x2b0 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
read to 0xffff88811c182b20 of 8 bytes by task 827 on cpu 1:
l2tp_tunnel_del_work+0x2f/0x1a0 net/l2tp/l2tp_core.c:1418
process_one_work kernel/workqueue.c:3257 [inline]
process_scheduled_works+0x4ce/0x9d0 kernel/workqueue.c:3340
worker_thread+0x582/0x770 kernel/workqueue.c:3421
kthread+0x489/0x510 kernel/kthread.c:463
ret_from_fork+0x149/0x290 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
value changed: 0xffff88811b818000 -> 0x0000000000000000
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: d00fa9adc528c1b0e64d532556764852df8bd7b9 Version: d00fa9adc528c1b0e64d532556764852df8bd7b9 Version: d00fa9adc528c1b0e64d532556764852df8bd7b9 Version: d00fa9adc528c1b0e64d532556764852df8bd7b9 Version: d00fa9adc528c1b0e64d532556764852df8bd7b9 Version: d00fa9adc528c1b0e64d532556764852df8bd7b9 Version: d00fa9adc528c1b0e64d532556764852df8bd7b9 Version: 15df699fdc5af46a9fb15ae2d9326294852de5b5 Version: 18bdaefc715b4530b4b2fe670506bb47713664cc |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/l2tp/l2tp_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1f63ca44b4f419a1663d94d1bb0b4e2beb73fdb4",
"status": "affected",
"version": "d00fa9adc528c1b0e64d532556764852df8bd7b9",
"versionType": "git"
},
{
"lessThan": "36c40a80109f1771d59558050b1a71e13c60c759",
"status": "affected",
"version": "d00fa9adc528c1b0e64d532556764852df8bd7b9",
"versionType": "git"
},
{
"lessThan": "eae074dab764ea181bbed5e88626889319177498",
"status": "affected",
"version": "d00fa9adc528c1b0e64d532556764852df8bd7b9",
"versionType": "git"
},
{
"lessThan": "68e92085427c84e7679ddb53c0d68836d220b6e7",
"status": "affected",
"version": "d00fa9adc528c1b0e64d532556764852df8bd7b9",
"versionType": "git"
},
{
"lessThan": "3d6d414b214ce31659bded2f8df50c93a3769474",
"status": "affected",
"version": "d00fa9adc528c1b0e64d532556764852df8bd7b9",
"versionType": "git"
},
{
"lessThan": "32d417497b79efb403d75f4c185fe6fd9d64b94f",
"status": "affected",
"version": "d00fa9adc528c1b0e64d532556764852df8bd7b9",
"versionType": "git"
},
{
"lessThan": "7a29f6bf60f2590fe5e9c4decb451e19afad2bcf",
"status": "affected",
"version": "d00fa9adc528c1b0e64d532556764852df8bd7b9",
"versionType": "git"
},
{
"status": "affected",
"version": "15df699fdc5af46a9fb15ae2d9326294852de5b5",
"versionType": "git"
},
{
"status": "affected",
"version": "18bdaefc715b4530b4b2fe670506bb47713664cc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/l2tp/l2tp_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.16.57",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.15.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nl2tp: avoid one data-race in l2tp_tunnel_del_work()\n\nWe should read sk-\u003esk_socket only when dealing with kernel sockets.\n\nsyzbot reported the following data-race:\n\nBUG: KCSAN: data-race in l2tp_tunnel_del_work / sk_common_release\n\nwrite to 0xffff88811c182b20 of 8 bytes by task 5365 on cpu 0:\n sk_set_socket include/net/sock.h:2092 [inline]\n sock_orphan include/net/sock.h:2118 [inline]\n sk_common_release+0xae/0x230 net/core/sock.c:4003\n udp_lib_close+0x15/0x20 include/net/udp.h:325\n inet_release+0xce/0xf0 net/ipv4/af_inet.c:437\n __sock_release net/socket.c:662 [inline]\n sock_close+0x6b/0x150 net/socket.c:1455\n __fput+0x29b/0x650 fs/file_table.c:468\n ____fput+0x1c/0x30 fs/file_table.c:496\n task_work_run+0x131/0x1a0 kernel/task_work.c:233\n resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]\n __exit_to_user_mode_loop kernel/entry/common.c:44 [inline]\n exit_to_user_mode_loop+0x1fe/0x740 kernel/entry/common.c:75\n __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]\n syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]\n syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline]\n syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline]\n do_syscall_64+0x1e1/0x2b0 arch/x86/entry/syscall_64.c:100\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nread to 0xffff88811c182b20 of 8 bytes by task 827 on cpu 1:\n l2tp_tunnel_del_work+0x2f/0x1a0 net/l2tp/l2tp_core.c:1418\n process_one_work kernel/workqueue.c:3257 [inline]\n process_scheduled_works+0x4ce/0x9d0 kernel/workqueue.c:3340\n worker_thread+0x582/0x770 kernel/workqueue.c:3421\n kthread+0x489/0x510 kernel/kthread.c:463\n ret_from_fork+0x149/0x290 arch/x86/kernel/process.c:158\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246\n\nvalue changed: 0xffff88811b818000 -\u003e 0x0000000000000000"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T15:09:51.223Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1f63ca44b4f419a1663d94d1bb0b4e2beb73fdb4"
},
{
"url": "https://git.kernel.org/stable/c/36c40a80109f1771d59558050b1a71e13c60c759"
},
{
"url": "https://git.kernel.org/stable/c/eae074dab764ea181bbed5e88626889319177498"
},
{
"url": "https://git.kernel.org/stable/c/68e92085427c84e7679ddb53c0d68836d220b6e7"
},
{
"url": "https://git.kernel.org/stable/c/3d6d414b214ce31659bded2f8df50c93a3769474"
},
{
"url": "https://git.kernel.org/stable/c/32d417497b79efb403d75f4c185fe6fd9d64b94f"
},
{
"url": "https://git.kernel.org/stable/c/7a29f6bf60f2590fe5e9c4decb451e19afad2bcf"
}
],
"title": "l2tp: avoid one data-race in l2tp_tunnel_del_work()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23120",
"datePublished": "2026-02-14T15:09:51.223Z",
"dateReserved": "2026-01-13T15:37:45.970Z",
"dateUpdated": "2026-02-14T15:09:51.223Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39883 (GCVE-0-2025-39883)
Vulnerability from cvelistv5
Published
2025-09-23 06:00
Modified
2025-11-03 17:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory
When I did memory failure tests, below panic occurs:
page dumped because: VM_BUG_ON_PAGE(PagePoisoned(page))
kernel BUG at include/linux/page-flags.h:616!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
CPU: 3 PID: 720 Comm: bash Not tainted 6.10.0-rc1-00195-g148743902568 #40
RIP: 0010:unpoison_memory+0x2f3/0x590
RSP: 0018:ffffa57fc8787d60 EFLAGS: 00000246
RAX: 0000000000000037 RBX: 0000000000000009 RCX: ffff9be25fcdc9c8
RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff9be25fcdc9c0
RBP: 0000000000300000 R08: ffffffffb4956f88 R09: 0000000000009ffb
R10: 0000000000000284 R11: ffffffffb4926fa0 R12: ffffe6b00c000000
R13: ffff9bdb453dfd00 R14: 0000000000000000 R15: fffffffffffffffe
FS: 00007f08f04e4740(0000) GS:ffff9be25fcc0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000564787a30410 CR3: 000000010d4e2000 CR4: 00000000000006f0
Call Trace:
<TASK>
unpoison_memory+0x2f3/0x590
simple_attr_write_xsigned.constprop.0.isra.0+0xb3/0x110
debugfs_attr_write+0x42/0x60
full_proxy_write+0x5b/0x80
vfs_write+0xd5/0x540
ksys_write+0x64/0xe0
do_syscall_64+0xb9/0x1d0
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f08f0314887
RSP: 002b:00007ffece710078 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000009 RCX: 00007f08f0314887
RDX: 0000000000000009 RSI: 0000564787a30410 RDI: 0000000000000001
RBP: 0000564787a30410 R08: 000000000000fefe R09: 000000007fffffff
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000009
R13: 00007f08f041b780 R14: 00007f08f0417600 R15: 00007f08f0416a00
</TASK>
Modules linked in: hwpoison_inject
---[ end trace 0000000000000000 ]---
RIP: 0010:unpoison_memory+0x2f3/0x590
RSP: 0018:ffffa57fc8787d60 EFLAGS: 00000246
RAX: 0000000000000037 RBX: 0000000000000009 RCX: ffff9be25fcdc9c8
RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff9be25fcdc9c0
RBP: 0000000000300000 R08: ffffffffb4956f88 R09: 0000000000009ffb
R10: 0000000000000284 R11: ffffffffb4926fa0 R12: ffffe6b00c000000
R13: ffff9bdb453dfd00 R14: 0000000000000000 R15: fffffffffffffffe
FS: 00007f08f04e4740(0000) GS:ffff9be25fcc0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000564787a30410 CR3: 000000010d4e2000 CR4: 00000000000006f0
Kernel panic - not syncing: Fatal exception
Kernel Offset: 0x31c00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
---[ end Kernel panic - not syncing: Fatal exception ]---
The root cause is that unpoison_memory() tries to check the PG_HWPoison
flags of an uninitialized page. So VM_BUG_ON_PAGE(PagePoisoned(page)) is
triggered. This can be reproduced by below steps:
1.Offline memory block:
echo offline > /sys/devices/system/memory/memory12/state
2.Get offlined memory pfn:
page-types -b n -rlN
3.Write pfn to unpoison-pfn
echo <pfn> > /sys/kernel/debug/hwpoison/unpoison-pfn
This scenario can be identified by pfn_to_online_page() returning NULL.
And ZONE_DEVICE pages are never expected, so we can simply fail if
pfn_to_online_page() == NULL to fix the bug.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe Version: f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe Version: f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe Version: f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe Version: f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe Version: f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe Version: f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe Version: f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:24.900Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/memory-failure.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8e01ea186a52c90694c08a9ff57bea1b0e78256a",
"status": "affected",
"version": "f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe",
"versionType": "git"
},
{
"lessThan": "fb65803ccff37cf9123c50c1c02efd1ed73c4ed5",
"status": "affected",
"version": "f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe",
"versionType": "git"
},
{
"lessThan": "99f7048957f5ae3cee1c01189147e73a9a96de02",
"status": "affected",
"version": "f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe",
"versionType": "git"
},
{
"lessThan": "e4ec6def5643a1c9511115b3884eb879572294c6",
"status": "affected",
"version": "f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe",
"versionType": "git"
},
{
"lessThan": "3d278e89c2ea62b1aaa4b0d8a9766a35b3a3164a",
"status": "affected",
"version": "f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe",
"versionType": "git"
},
{
"lessThan": "7618fd443aa4cfa553a64cacf5721581653ee7b0",
"status": "affected",
"version": "f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe",
"versionType": "git"
},
{
"lessThan": "63a327a2375a8ce7a47dec5aaa4d8a9ae0a00b96",
"status": "affected",
"version": "f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe",
"versionType": "git"
},
{
"lessThan": "d613f53c83ec47089c4e25859d5e8e0359f6f8da",
"status": "affected",
"version": "f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/memory-failure.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.153",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.107",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.48",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory\n\nWhen I did memory failure tests, below panic occurs:\n\npage dumped because: VM_BUG_ON_PAGE(PagePoisoned(page))\nkernel BUG at include/linux/page-flags.h:616!\nOops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 3 PID: 720 Comm: bash Not tainted 6.10.0-rc1-00195-g148743902568 #40\nRIP: 0010:unpoison_memory+0x2f3/0x590\nRSP: 0018:ffffa57fc8787d60 EFLAGS: 00000246\nRAX: 0000000000000037 RBX: 0000000000000009 RCX: ffff9be25fcdc9c8\nRDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff9be25fcdc9c0\nRBP: 0000000000300000 R08: ffffffffb4956f88 R09: 0000000000009ffb\nR10: 0000000000000284 R11: ffffffffb4926fa0 R12: ffffe6b00c000000\nR13: ffff9bdb453dfd00 R14: 0000000000000000 R15: fffffffffffffffe\nFS: 00007f08f04e4740(0000) GS:ffff9be25fcc0000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000564787a30410 CR3: 000000010d4e2000 CR4: 00000000000006f0\nCall Trace:\n \u003cTASK\u003e\n unpoison_memory+0x2f3/0x590\n simple_attr_write_xsigned.constprop.0.isra.0+0xb3/0x110\n debugfs_attr_write+0x42/0x60\n full_proxy_write+0x5b/0x80\n vfs_write+0xd5/0x540\n ksys_write+0x64/0xe0\n do_syscall_64+0xb9/0x1d0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f08f0314887\nRSP: 002b:00007ffece710078 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 0000000000000009 RCX: 00007f08f0314887\nRDX: 0000000000000009 RSI: 0000564787a30410 RDI: 0000000000000001\nRBP: 0000564787a30410 R08: 000000000000fefe R09: 000000007fffffff\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000009\nR13: 00007f08f041b780 R14: 00007f08f0417600 R15: 00007f08f0416a00\n \u003c/TASK\u003e\nModules linked in: hwpoison_inject\n---[ end trace 0000000000000000 ]---\nRIP: 0010:unpoison_memory+0x2f3/0x590\nRSP: 0018:ffffa57fc8787d60 EFLAGS: 00000246\nRAX: 0000000000000037 RBX: 0000000000000009 RCX: ffff9be25fcdc9c8\nRDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff9be25fcdc9c0\nRBP: 0000000000300000 R08: ffffffffb4956f88 R09: 0000000000009ffb\nR10: 0000000000000284 R11: ffffffffb4926fa0 R12: ffffe6b00c000000\nR13: ffff9bdb453dfd00 R14: 0000000000000000 R15: fffffffffffffffe\nFS: 00007f08f04e4740(0000) GS:ffff9be25fcc0000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000564787a30410 CR3: 000000010d4e2000 CR4: 00000000000006f0\nKernel panic - not syncing: Fatal exception\nKernel Offset: 0x31c00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)\n---[ end Kernel panic - not syncing: Fatal exception ]---\n\nThe root cause is that unpoison_memory() tries to check the PG_HWPoison\nflags of an uninitialized page. So VM_BUG_ON_PAGE(PagePoisoned(page)) is\ntriggered. This can be reproduced by below steps:\n\n1.Offline memory block:\n\n echo offline \u003e /sys/devices/system/memory/memory12/state\n\n2.Get offlined memory pfn:\n\n page-types -b n -rlN\n\n3.Write pfn to unpoison-pfn\n\n echo \u003cpfn\u003e \u003e /sys/kernel/debug/hwpoison/unpoison-pfn\n\nThis scenario can be identified by pfn_to_online_page() returning NULL. \nAnd ZONE_DEVICE pages are never expected, so we can simply fail if\npfn_to_online_page() == NULL to fix the bug."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T13:26:26.409Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8e01ea186a52c90694c08a9ff57bea1b0e78256a"
},
{
"url": "https://git.kernel.org/stable/c/fb65803ccff37cf9123c50c1c02efd1ed73c4ed5"
},
{
"url": "https://git.kernel.org/stable/c/99f7048957f5ae3cee1c01189147e73a9a96de02"
},
{
"url": "https://git.kernel.org/stable/c/e4ec6def5643a1c9511115b3884eb879572294c6"
},
{
"url": "https://git.kernel.org/stable/c/3d278e89c2ea62b1aaa4b0d8a9766a35b3a3164a"
},
{
"url": "https://git.kernel.org/stable/c/7618fd443aa4cfa553a64cacf5721581653ee7b0"
},
{
"url": "https://git.kernel.org/stable/c/63a327a2375a8ce7a47dec5aaa4d8a9ae0a00b96"
},
{
"url": "https://git.kernel.org/stable/c/d613f53c83ec47089c4e25859d5e8e0359f6f8da"
}
],
"title": "mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39883",
"datePublished": "2025-09-23T06:00:51.548Z",
"dateReserved": "2025-04-16T07:20:57.144Z",
"dateUpdated": "2025-11-03T17:44:24.900Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68282 (GCVE-0-2025-68282)
Vulnerability from cvelistv5
Published
2025-12-16 15:06
Modified
2026-01-19 12:18
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: udc: fix use-after-free in usb_gadget_state_work
A race condition during gadget teardown can lead to a use-after-free
in usb_gadget_state_work(), as reported by KASAN:
BUG: KASAN: invalid-access in sysfs_notify+0x2c/0xd0
Workqueue: events usb_gadget_state_work
The fundamental race occurs because a concurrent event (e.g., an
interrupt) can call usb_gadget_set_state() and schedule gadget->work
at any time during the cleanup process in usb_del_gadget().
Commit 399a45e5237c ("usb: gadget: core: flush gadget workqueue after
device removal") attempted to fix this by moving flush_work() to after
device_del(). However, this does not fully solve the race, as a new
work item can still be scheduled *after* flush_work() completes but
before the gadget's memory is freed, leading to the same use-after-free.
This patch fixes the race condition robustly by introducing a 'teardown'
flag and a 'state_lock' spinlock to the usb_gadget struct. The flag is
set during cleanup in usb_del_gadget() *before* calling flush_work() to
prevent any new work from being scheduled once cleanup has commenced.
The scheduling site, usb_gadget_set_state(), now checks this flag under
the lock before queueing the work, thus safely closing the race window.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15 Version: 5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15 Version: 5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15 Version: 5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15 Version: 5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15 Version: 5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15 Version: 5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/udc/core.c",
"include/linux/usb/gadget.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dddc944d65169b552e09cb54e3ed4fbb9ea26416",
"status": "affected",
"version": "5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15",
"versionType": "git"
},
{
"lessThan": "eee16f3ff08e759ea828bdf7dc1c0ef2f22134f5",
"status": "affected",
"version": "5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15",
"versionType": "git"
},
{
"lessThan": "c12a0c3ef815ddd67e47f9c819f9fe822fed5467",
"status": "affected",
"version": "5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15",
"versionType": "git"
},
{
"lessThan": "f02a412c0a18f02f0f91b0a3d9788315a721b7fd",
"status": "affected",
"version": "5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15",
"versionType": "git"
},
{
"lessThan": "10014310193cf6736c1aeb4105c5f4a0818d0c65",
"status": "affected",
"version": "5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15",
"versionType": "git"
},
{
"lessThan": "3b32caa73d135eea8fb9cabb45e9fc64c5a3ecb9",
"status": "affected",
"version": "5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15",
"versionType": "git"
},
{
"lessThan": "baeb66fbd4201d1c4325074e78b1f557dff89b5b",
"status": "affected",
"version": "5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/udc/core.c",
"include/linux/usb/gadget.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.12"
},
{
"lessThan": "3.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: udc: fix use-after-free in usb_gadget_state_work\n\nA race condition during gadget teardown can lead to a use-after-free\nin usb_gadget_state_work(), as reported by KASAN:\n\n BUG: KASAN: invalid-access in sysfs_notify+0x2c/0xd0\n Workqueue: events usb_gadget_state_work\n\nThe fundamental race occurs because a concurrent event (e.g., an\ninterrupt) can call usb_gadget_set_state() and schedule gadget-\u003ework\nat any time during the cleanup process in usb_del_gadget().\n\nCommit 399a45e5237c (\"usb: gadget: core: flush gadget workqueue after\ndevice removal\") attempted to fix this by moving flush_work() to after\ndevice_del(). However, this does not fully solve the race, as a new\nwork item can still be scheduled *after* flush_work() completes but\nbefore the gadget\u0027s memory is freed, leading to the same use-after-free.\n\nThis patch fixes the race condition robustly by introducing a \u0027teardown\u0027\nflag and a \u0027state_lock\u0027 spinlock to the usb_gadget struct. The flag is\nset during cleanup in usb_del_gadget() *before* calling flush_work() to\nprevent any new work from being scheduled once cleanup has commenced.\nThe scheduling site, usb_gadget_set_state(), now checks this flag under\nthe lock before queueing the work, thus safely closing the race window."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:18:16.378Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dddc944d65169b552e09cb54e3ed4fbb9ea26416"
},
{
"url": "https://git.kernel.org/stable/c/eee16f3ff08e759ea828bdf7dc1c0ef2f22134f5"
},
{
"url": "https://git.kernel.org/stable/c/c12a0c3ef815ddd67e47f9c819f9fe822fed5467"
},
{
"url": "https://git.kernel.org/stable/c/f02a412c0a18f02f0f91b0a3d9788315a721b7fd"
},
{
"url": "https://git.kernel.org/stable/c/10014310193cf6736c1aeb4105c5f4a0818d0c65"
},
{
"url": "https://git.kernel.org/stable/c/3b32caa73d135eea8fb9cabb45e9fc64c5a3ecb9"
},
{
"url": "https://git.kernel.org/stable/c/baeb66fbd4201d1c4325074e78b1f557dff89b5b"
}
],
"title": "usb: gadget: udc: fix use-after-free in usb_gadget_state_work",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68282",
"datePublished": "2025-12-16T15:06:04.332Z",
"dateReserved": "2025-12-16T14:48:05.291Z",
"dateUpdated": "2026-01-19T12:18:16.378Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71086 (GCVE-0-2025-71086)
Vulnerability from cvelistv5
Published
2026-01-13 15:34
Modified
2026-02-09 08:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: rose: fix invalid array index in rose_kill_by_device()
rose_kill_by_device() collects sockets into a local array[] and then
iterates over them to disconnect sockets bound to a device being brought
down.
The loop mistakenly indexes array[cnt] instead of array[i]. For cnt <
ARRAY_SIZE(array), this reads an uninitialized entry; for cnt ==
ARRAY_SIZE(array), it is an out-of-bounds read. Either case can lead to
an invalid socket pointer dereference and also leaks references taken
via sock_hold().
Fix the index to use i.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 12e5a4719c99d7f4104e7e962393dfb8baa1c591 Version: c0e527c532a07556ca44642f5873b002c44da22c Version: 3e0d1585799d8a991eba9678f297fd78d9f1846e Version: ffced26692f83212aa09d0ece0213b23cc2f611d Version: 64b8bc7d5f1434c636a40bdcfcd42b278d1714be Version: 64b8bc7d5f1434c636a40bdcfcd42b278d1714be Version: 64b8bc7d5f1434c636a40bdcfcd42b278d1714be Version: bd7de4734535140fda33240c2335a07fdab6f88e Version: b10265532df7bc3666bc53261b7f03f0fd14b1c9 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/rose/af_rose.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "819fb41ae54960f66025802400c9d3935eef4042",
"status": "affected",
"version": "12e5a4719c99d7f4104e7e962393dfb8baa1c591",
"versionType": "git"
},
{
"lessThan": "ed2639414d43ba037f798eaf619e878309310451",
"status": "affected",
"version": "c0e527c532a07556ca44642f5873b002c44da22c",
"versionType": "git"
},
{
"lessThan": "1418c12cd3bba79dc56b57b61c99efe40f579981",
"status": "affected",
"version": "3e0d1585799d8a991eba9678f297fd78d9f1846e",
"versionType": "git"
},
{
"lessThan": "9f6185a32496834d6980b168cffcccc2d6b17280",
"status": "affected",
"version": "ffced26692f83212aa09d0ece0213b23cc2f611d",
"versionType": "git"
},
{
"lessThan": "b409ba9e1e63ccf3ab4cc061e33c1f804183543e",
"status": "affected",
"version": "64b8bc7d5f1434c636a40bdcfcd42b278d1714be",
"versionType": "git"
},
{
"lessThan": "92d900aac3a5721fb54f3328f1e089b44a861c38",
"status": "affected",
"version": "64b8bc7d5f1434c636a40bdcfcd42b278d1714be",
"versionType": "git"
},
{
"lessThan": "6595beb40fb0ec47223d3f6058ee40354694c8e4",
"status": "affected",
"version": "64b8bc7d5f1434c636a40bdcfcd42b278d1714be",
"versionType": "git"
},
{
"status": "affected",
"version": "bd7de4734535140fda33240c2335a07fdab6f88e",
"versionType": "git"
},
{
"status": "affected",
"version": "b10265532df7bc3666bc53261b7f03f0fd14b1c9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/rose/af_rose.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.10.206",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.15.146",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "6.1.70",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.304",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.266",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rose: fix invalid array index in rose_kill_by_device()\n\nrose_kill_by_device() collects sockets into a local array[] and then\niterates over them to disconnect sockets bound to a device being brought\ndown.\n\nThe loop mistakenly indexes array[cnt] instead of array[i]. For cnt \u003c\nARRAY_SIZE(array), this reads an uninitialized entry; for cnt ==\nARRAY_SIZE(array), it is an out-of-bounds read. Either case can lead to\nan invalid socket pointer dereference and also leaks references taken\nvia sock_hold().\n\nFix the index to use i."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:37.864Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/819fb41ae54960f66025802400c9d3935eef4042"
},
{
"url": "https://git.kernel.org/stable/c/ed2639414d43ba037f798eaf619e878309310451"
},
{
"url": "https://git.kernel.org/stable/c/1418c12cd3bba79dc56b57b61c99efe40f579981"
},
{
"url": "https://git.kernel.org/stable/c/9f6185a32496834d6980b168cffcccc2d6b17280"
},
{
"url": "https://git.kernel.org/stable/c/b409ba9e1e63ccf3ab4cc061e33c1f804183543e"
},
{
"url": "https://git.kernel.org/stable/c/92d900aac3a5721fb54f3328f1e089b44a861c38"
},
{
"url": "https://git.kernel.org/stable/c/6595beb40fb0ec47223d3f6058ee40354694c8e4"
}
],
"title": "net: rose: fix invalid array index in rose_kill_by_device()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71086",
"datePublished": "2026-01-13T15:34:49.007Z",
"dateReserved": "2026-01-13T15:30:19.649Z",
"dateUpdated": "2026-02-09T08:34:37.864Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71093 (GCVE-0-2025-71093)
Vulnerability from cvelistv5
Published
2026-01-13 15:34
Modified
2026-02-09 08:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
e1000: fix OOB in e1000_tbi_should_accept()
In e1000_tbi_should_accept() we read the last byte of the frame via
'data[length - 1]' to evaluate the TBI workaround. If the descriptor-
reported length is zero or larger than the actual RX buffer size, this
read goes out of bounds and can hit unrelated slab objects. The issue
is observed from the NAPI receive path (e1000_clean_rx_irq):
==================================================================
BUG: KASAN: slab-out-of-bounds in e1000_tbi_should_accept+0x610/0x790
Read of size 1 at addr ffff888014114e54 by task sshd/363
CPU: 0 PID: 363 Comm: sshd Not tainted 5.18.0-rc1 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
Call Trace:
<IRQ>
dump_stack_lvl+0x5a/0x74
print_address_description+0x7b/0x440
print_report+0x101/0x200
kasan_report+0xc1/0xf0
e1000_tbi_should_accept+0x610/0x790
e1000_clean_rx_irq+0xa8c/0x1110
e1000_clean+0xde2/0x3c10
__napi_poll+0x98/0x380
net_rx_action+0x491/0xa20
__do_softirq+0x2c9/0x61d
do_softirq+0xd1/0x120
</IRQ>
<TASK>
__local_bh_enable_ip+0xfe/0x130
ip_finish_output2+0x7d5/0xb00
__ip_queue_xmit+0xe24/0x1ab0
__tcp_transmit_skb+0x1bcb/0x3340
tcp_write_xmit+0x175d/0x6bd0
__tcp_push_pending_frames+0x7b/0x280
tcp_sendmsg_locked+0x2e4f/0x32d0
tcp_sendmsg+0x24/0x40
sock_write_iter+0x322/0x430
vfs_write+0x56c/0xa60
ksys_write+0xd1/0x190
do_syscall_64+0x43/0x90
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f511b476b10
Code: 73 01 c3 48 8b 0d 88 d3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d f9 2b 2c 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 8e 9b 01 00 48 89 04 24
RSP: 002b:00007ffc9211d4e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000004024 RCX: 00007f511b476b10
RDX: 0000000000004024 RSI: 0000559a9385962c RDI: 0000000000000003
RBP: 0000559a9383a400 R08: fffffffffffffff0 R09: 0000000000004f00
R10: 0000000000000070 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffc9211d57f R14: 0000559a9347bde7 R15: 0000000000000003
</TASK>
Allocated by task 1:
__kasan_krealloc+0x131/0x1c0
krealloc+0x90/0xc0
add_sysfs_param+0xcb/0x8a0
kernel_add_sysfs_param+0x81/0xd4
param_sysfs_builtin+0x138/0x1a6
param_sysfs_init+0x57/0x5b
do_one_initcall+0x104/0x250
do_initcall_level+0x102/0x132
do_initcalls+0x46/0x74
kernel_init_freeable+0x28f/0x393
kernel_init+0x14/0x1a0
ret_from_fork+0x22/0x30
The buggy address belongs to the object at ffff888014114000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 1620 bytes to the right of
2048-byte region [ffff888014114000, ffff888014114800]
The buggy address belongs to the physical page:
page:ffffea0000504400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14110
head:ffffea0000504400 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x100000000010200(slab|head|node=0|zone=1)
raw: 0100000000010200 0000000000000000 dead000000000001 ffff888013442000
raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
==================================================================
This happens because the TBI check unconditionally dereferences the last
byte without validating the reported length first:
u8 last_byte = *(data + length - 1);
Fix by rejecting the frame early if the length is zero, or if it exceeds
adapter->rx_buffer_len. This preserves the TBI workaround semantics for
valid frames and prevents touching memory beyond the RX buffer.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 2037110c96d5f1dd71453fcd0d54e79be12a352b Version: 2037110c96d5f1dd71453fcd0d54e79be12a352b Version: 2037110c96d5f1dd71453fcd0d54e79be12a352b Version: 2037110c96d5f1dd71453fcd0d54e79be12a352b Version: 2037110c96d5f1dd71453fcd0d54e79be12a352b Version: 2037110c96d5f1dd71453fcd0d54e79be12a352b Version: 2037110c96d5f1dd71453fcd0d54e79be12a352b |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/e1000/e1000_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4ccfa56f272241e8d8e2c38191fdbb03df489d80",
"status": "affected",
"version": "2037110c96d5f1dd71453fcd0d54e79be12a352b",
"versionType": "git"
},
{
"lessThan": "278b7cfe0d4da7502c7fd679b15032f014c92892",
"status": "affected",
"version": "2037110c96d5f1dd71453fcd0d54e79be12a352b",
"versionType": "git"
},
{
"lessThan": "ad7a2a45e2417ac54089926b520924f8f0d91aea",
"status": "affected",
"version": "2037110c96d5f1dd71453fcd0d54e79be12a352b",
"versionType": "git"
},
{
"lessThan": "2c4c0c09f9648ba766d399917d420d03e7b3e1f8",
"status": "affected",
"version": "2037110c96d5f1dd71453fcd0d54e79be12a352b",
"versionType": "git"
},
{
"lessThan": "26c8bebc2f25288c2bcac7bc0a7662279a0e817c",
"status": "affected",
"version": "2037110c96d5f1dd71453fcd0d54e79be12a352b",
"versionType": "git"
},
{
"lessThan": "ee7c125fb3e8b04dd46510130b9fc92380e5d578",
"status": "affected",
"version": "2037110c96d5f1dd71453fcd0d54e79be12a352b",
"versionType": "git"
},
{
"lessThan": "9c72a5182ed92904d01057f208c390a303f00a0f",
"status": "affected",
"version": "2037110c96d5f1dd71453fcd0d54e79be12a352b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/e1000/e1000_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.18"
},
{
"lessThan": "3.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ne1000: fix OOB in e1000_tbi_should_accept()\n\nIn e1000_tbi_should_accept() we read the last byte of the frame via\n\u0027data[length - 1]\u0027 to evaluate the TBI workaround. If the descriptor-\nreported length is zero or larger than the actual RX buffer size, this\nread goes out of bounds and can hit unrelated slab objects. The issue\nis observed from the NAPI receive path (e1000_clean_rx_irq):\n\n==================================================================\nBUG: KASAN: slab-out-of-bounds in e1000_tbi_should_accept+0x610/0x790\nRead of size 1 at addr ffff888014114e54 by task sshd/363\n\nCPU: 0 PID: 363 Comm: sshd Not tainted 5.18.0-rc1 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014\nCall Trace:\n \u003cIRQ\u003e\n dump_stack_lvl+0x5a/0x74\n print_address_description+0x7b/0x440\n print_report+0x101/0x200\n kasan_report+0xc1/0xf0\n e1000_tbi_should_accept+0x610/0x790\n e1000_clean_rx_irq+0xa8c/0x1110\n e1000_clean+0xde2/0x3c10\n __napi_poll+0x98/0x380\n net_rx_action+0x491/0xa20\n __do_softirq+0x2c9/0x61d\n do_softirq+0xd1/0x120\n \u003c/IRQ\u003e\n \u003cTASK\u003e\n __local_bh_enable_ip+0xfe/0x130\n ip_finish_output2+0x7d5/0xb00\n __ip_queue_xmit+0xe24/0x1ab0\n __tcp_transmit_skb+0x1bcb/0x3340\n tcp_write_xmit+0x175d/0x6bd0\n __tcp_push_pending_frames+0x7b/0x280\n tcp_sendmsg_locked+0x2e4f/0x32d0\n tcp_sendmsg+0x24/0x40\n sock_write_iter+0x322/0x430\n vfs_write+0x56c/0xa60\n ksys_write+0xd1/0x190\n do_syscall_64+0x43/0x90\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x7f511b476b10\nCode: 73 01 c3 48 8b 0d 88 d3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d f9 2b 2c 00 00 75 10 b8 01 00 00 00 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 8e 9b 01 00 48 89 04 24\nRSP: 002b:00007ffc9211d4e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 0000000000004024 RCX: 00007f511b476b10\nRDX: 0000000000004024 RSI: 0000559a9385962c RDI: 0000000000000003\nRBP: 0000559a9383a400 R08: fffffffffffffff0 R09: 0000000000004f00\nR10: 0000000000000070 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007ffc9211d57f R14: 0000559a9347bde7 R15: 0000000000000003\n \u003c/TASK\u003e\nAllocated by task 1:\n __kasan_krealloc+0x131/0x1c0\n krealloc+0x90/0xc0\n add_sysfs_param+0xcb/0x8a0\n kernel_add_sysfs_param+0x81/0xd4\n param_sysfs_builtin+0x138/0x1a6\n param_sysfs_init+0x57/0x5b\n do_one_initcall+0x104/0x250\n do_initcall_level+0x102/0x132\n do_initcalls+0x46/0x74\n kernel_init_freeable+0x28f/0x393\n kernel_init+0x14/0x1a0\n ret_from_fork+0x22/0x30\nThe buggy address belongs to the object at ffff888014114000\n which belongs to the cache kmalloc-2k of size 2048\nThe buggy address is located 1620 bytes to the right of\n 2048-byte region [ffff888014114000, ffff888014114800]\nThe buggy address belongs to the physical page:\npage:ffffea0000504400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14110\nhead:ffffea0000504400 order:3 compound_mapcount:0 compound_pincount:0\nflags: 0x100000000010200(slab|head|node=0|zone=1)\nraw: 0100000000010200 0000000000000000 dead000000000001 ffff888013442000\nraw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\n==================================================================\n\nThis happens because the TBI check unconditionally dereferences the last\nbyte without validating the reported length first:\n\n\tu8 last_byte = *(data + length - 1);\n\nFix by rejecting the frame early if the length is zero, or if it exceeds\nadapter-\u003erx_buffer_len. This preserves the TBI workaround semantics for\nvalid frames and prevents touching memory beyond the RX buffer."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:45.622Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4ccfa56f272241e8d8e2c38191fdbb03df489d80"
},
{
"url": "https://git.kernel.org/stable/c/278b7cfe0d4da7502c7fd679b15032f014c92892"
},
{
"url": "https://git.kernel.org/stable/c/ad7a2a45e2417ac54089926b520924f8f0d91aea"
},
{
"url": "https://git.kernel.org/stable/c/2c4c0c09f9648ba766d399917d420d03e7b3e1f8"
},
{
"url": "https://git.kernel.org/stable/c/26c8bebc2f25288c2bcac7bc0a7662279a0e817c"
},
{
"url": "https://git.kernel.org/stable/c/ee7c125fb3e8b04dd46510130b9fc92380e5d578"
},
{
"url": "https://git.kernel.org/stable/c/9c72a5182ed92904d01057f208c390a303f00a0f"
}
],
"title": "e1000: fix OOB in e1000_tbi_should_accept()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71093",
"datePublished": "2026-01-13T15:34:53.803Z",
"dateReserved": "2026-01-13T15:30:19.650Z",
"dateUpdated": "2026-02-09T08:34:45.622Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23119 (GCVE-0-2026-23119)
Vulnerability from cvelistv5
Published
2026-02-14 15:09
Modified
2026-02-14 15:09
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bonding: provide a net pointer to __skb_flow_dissect()
After 3cbf4ffba5ee ("net: plumb network namespace into __skb_flow_dissect")
we have to provide a net pointer to __skb_flow_dissect(),
either via skb->dev, skb->sk, or a user provided pointer.
In the following case, syzbot was able to cook a bare skb.
WARNING: net/core/flow_dissector.c:1131 at __skb_flow_dissect+0xb57/0x68b0 net/core/flow_dissector.c:1131, CPU#1: syz.2.1418/11053
Call Trace:
<TASK>
bond_flow_dissect drivers/net/bonding/bond_main.c:4093 [inline]
__bond_xmit_hash+0x2d7/0xba0 drivers/net/bonding/bond_main.c:4157
bond_xmit_hash_xdp drivers/net/bonding/bond_main.c:4208 [inline]
bond_xdp_xmit_3ad_xor_slave_get drivers/net/bonding/bond_main.c:5139 [inline]
bond_xdp_get_xmit_slave+0x1fd/0x710 drivers/net/bonding/bond_main.c:5515
xdp_master_redirect+0x13f/0x2c0 net/core/filter.c:4388
bpf_prog_run_xdp include/net/xdp.h:700 [inline]
bpf_test_run+0x6b2/0x7d0 net/bpf/test_run.c:421
bpf_prog_test_run_xdp+0x795/0x10e0 net/bpf/test_run.c:1390
bpf_prog_test_run+0x2c7/0x340 kernel/bpf/syscall.c:4703
__sys_bpf+0x562/0x860 kernel/bpf/syscall.c:6182
__do_sys_bpf kernel/bpf/syscall.c:6274 [inline]
__se_sys_bpf kernel/bpf/syscall.c:6272 [inline]
__x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:6272
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 58deb77cc52da9360d20676e68dd215742cbe473 Version: 58deb77cc52da9360d20676e68dd215742cbe473 Version: 58deb77cc52da9360d20676e68dd215742cbe473 Version: 58deb77cc52da9360d20676e68dd215742cbe473 Version: 58deb77cc52da9360d20676e68dd215742cbe473 Version: 58deb77cc52da9360d20676e68dd215742cbe473 Version: 58deb77cc52da9360d20676e68dd215742cbe473 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/bonding/bond_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8e53780732ee881394406f79da5263b81eb48f7e",
"status": "affected",
"version": "58deb77cc52da9360d20676e68dd215742cbe473",
"versionType": "git"
},
{
"lessThan": "3be945abdd228fd00f6afcf8d137002867a4651b",
"status": "affected",
"version": "58deb77cc52da9360d20676e68dd215742cbe473",
"versionType": "git"
},
{
"lessThan": "f4faaa1297ecf3255a8591fff2633df05bd5ec84",
"status": "affected",
"version": "58deb77cc52da9360d20676e68dd215742cbe473",
"versionType": "git"
},
{
"lessThan": "0efee0b992f28bd5ee01c7a86ef6a307c42eb907",
"status": "affected",
"version": "58deb77cc52da9360d20676e68dd215742cbe473",
"versionType": "git"
},
{
"lessThan": "bc3c8d2493c6f4d2038844dc8b7ee93de050f7fa",
"status": "affected",
"version": "58deb77cc52da9360d20676e68dd215742cbe473",
"versionType": "git"
},
{
"lessThan": "de97735a40a144974bf3896ee4cc0270db2e47db",
"status": "affected",
"version": "58deb77cc52da9360d20676e68dd215742cbe473",
"versionType": "git"
},
{
"lessThan": "5f9b329096596b7e53e07d041d7fca4cbe1be752",
"status": "affected",
"version": "58deb77cc52da9360d20676e68dd215742cbe473",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/bonding/bond_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbonding: provide a net pointer to __skb_flow_dissect()\n\nAfter 3cbf4ffba5ee (\"net: plumb network namespace into __skb_flow_dissect\")\nwe have to provide a net pointer to __skb_flow_dissect(),\neither via skb-\u003edev, skb-\u003esk, or a user provided pointer.\n\nIn the following case, syzbot was able to cook a bare skb.\n\nWARNING: net/core/flow_dissector.c:1131 at __skb_flow_dissect+0xb57/0x68b0 net/core/flow_dissector.c:1131, CPU#1: syz.2.1418/11053\nCall Trace:\n \u003cTASK\u003e\n bond_flow_dissect drivers/net/bonding/bond_main.c:4093 [inline]\n __bond_xmit_hash+0x2d7/0xba0 drivers/net/bonding/bond_main.c:4157\n bond_xmit_hash_xdp drivers/net/bonding/bond_main.c:4208 [inline]\n bond_xdp_xmit_3ad_xor_slave_get drivers/net/bonding/bond_main.c:5139 [inline]\n bond_xdp_get_xmit_slave+0x1fd/0x710 drivers/net/bonding/bond_main.c:5515\n xdp_master_redirect+0x13f/0x2c0 net/core/filter.c:4388\n bpf_prog_run_xdp include/net/xdp.h:700 [inline]\n bpf_test_run+0x6b2/0x7d0 net/bpf/test_run.c:421\n bpf_prog_test_run_xdp+0x795/0x10e0 net/bpf/test_run.c:1390\n bpf_prog_test_run+0x2c7/0x340 kernel/bpf/syscall.c:4703\n __sys_bpf+0x562/0x860 kernel/bpf/syscall.c:6182\n __do_sys_bpf kernel/bpf/syscall.c:6274 [inline]\n __se_sys_bpf kernel/bpf/syscall.c:6272 [inline]\n __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:6272\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T15:09:50.517Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8e53780732ee881394406f79da5263b81eb48f7e"
},
{
"url": "https://git.kernel.org/stable/c/3be945abdd228fd00f6afcf8d137002867a4651b"
},
{
"url": "https://git.kernel.org/stable/c/f4faaa1297ecf3255a8591fff2633df05bd5ec84"
},
{
"url": "https://git.kernel.org/stable/c/0efee0b992f28bd5ee01c7a86ef6a307c42eb907"
},
{
"url": "https://git.kernel.org/stable/c/bc3c8d2493c6f4d2038844dc8b7ee93de050f7fa"
},
{
"url": "https://git.kernel.org/stable/c/de97735a40a144974bf3896ee4cc0270db2e47db"
},
{
"url": "https://git.kernel.org/stable/c/5f9b329096596b7e53e07d041d7fca4cbe1be752"
}
],
"title": "bonding: provide a net pointer to __skb_flow_dissect()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23119",
"datePublished": "2026-02-14T15:09:50.517Z",
"dateReserved": "2026-01-13T15:37:45.969Z",
"dateUpdated": "2026-02-14T15:09:50.517Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38591 (GCVE-0-2025-38591)
Vulnerability from cvelistv5
Published
2025-08-19 17:03
Modified
2026-02-06 16:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Reject narrower access to pointer ctx fields
The following BPF program, simplified from a syzkaller repro, causes a
kernel warning:
r0 = *(u8 *)(r1 + 169);
exit;
With pointer field sk being at offset 168 in __sk_buff. This access is
detected as a narrower read in bpf_skb_is_valid_access because it
doesn't match offsetof(struct __sk_buff, sk). It is therefore allowed
and later proceeds to bpf_convert_ctx_access. Note that for the
"is_narrower_load" case in the convert_ctx_accesses(), the insn->off
is aligned, so the cnt may not be 0 because it matches the
offsetof(struct __sk_buff, sk) in the bpf_convert_ctx_access. However,
the target_size stays 0 and the verifier errors with a kernel warning:
verifier bug: error during ctx access conversion(1)
This patch fixes that to return a proper "invalid bpf_context access
off=X size=Y" error on the load instruction.
The same issue affects multiple other fields in context structures that
allow narrow access. Some other non-affected fields (for sk_msg,
sk_lookup, and sockopt) were also changed to use bpf_ctx_range_ptr for
consistency.
Note this syzkaller crash was reported in the "Closes" link below, which
used to be about a different bug, fixed in
commit fce7bd8e385a ("bpf/verifier: Handle BPF_LOAD_ACQ instructions
in insn_def_regno()"). Because syzbot somehow confused the two bugs,
the new crash and repro didn't get reported to the mailing list.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: f96da09473b52c09125cc9bf7d7d4576ae8229e0 Version: f96da09473b52c09125cc9bf7d7d4576ae8229e0 Version: f96da09473b52c09125cc9bf7d7d4576ae8229e0 Version: f96da09473b52c09125cc9bf7d7d4576ae8229e0 Version: f96da09473b52c09125cc9bf7d7d4576ae8229e0 Version: f96da09473b52c09125cc9bf7d7d4576ae8229e0 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/cgroup.c",
"net/core/filter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7847c4140e06f6e87229faae22cc38525334c156",
"status": "affected",
"version": "f96da09473b52c09125cc9bf7d7d4576ae8229e0",
"versionType": "git"
},
{
"lessThan": "feae34c992eb7191862fb1594c704fbbf650fef8",
"status": "affected",
"version": "f96da09473b52c09125cc9bf7d7d4576ae8229e0",
"versionType": "git"
},
{
"lessThan": "33660d44e789edb4f303210c813fc56d56377a90",
"status": "affected",
"version": "f96da09473b52c09125cc9bf7d7d4576ae8229e0",
"versionType": "git"
},
{
"lessThan": "058a0da4f6d916a79b693384111bb80a90d73763",
"status": "affected",
"version": "f96da09473b52c09125cc9bf7d7d4576ae8229e0",
"versionType": "git"
},
{
"lessThan": "202900ceeef67458c964c2af6e1427c8e533ea7c",
"status": "affected",
"version": "f96da09473b52c09125cc9bf7d7d4576ae8229e0",
"versionType": "git"
},
{
"lessThan": "e09299225d5ba3916c91ef70565f7d2187e4cca0",
"status": "affected",
"version": "f96da09473b52c09125cc9bf7d7d4576ae8229e0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/cgroup.c",
"net/core/filter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Reject narrower access to pointer ctx fields\n\nThe following BPF program, simplified from a syzkaller repro, causes a\nkernel warning:\n\n r0 = *(u8 *)(r1 + 169);\n exit;\n\nWith pointer field sk being at offset 168 in __sk_buff. This access is\ndetected as a narrower read in bpf_skb_is_valid_access because it\ndoesn\u0027t match offsetof(struct __sk_buff, sk). It is therefore allowed\nand later proceeds to bpf_convert_ctx_access. Note that for the\n\"is_narrower_load\" case in the convert_ctx_accesses(), the insn-\u003eoff\nis aligned, so the cnt may not be 0 because it matches the\noffsetof(struct __sk_buff, sk) in the bpf_convert_ctx_access. However,\nthe target_size stays 0 and the verifier errors with a kernel warning:\n\n verifier bug: error during ctx access conversion(1)\n\nThis patch fixes that to return a proper \"invalid bpf_context access\noff=X size=Y\" error on the load instruction.\n\nThe same issue affects multiple other fields in context structures that\nallow narrow access. Some other non-affected fields (for sk_msg,\nsk_lookup, and sockopt) were also changed to use bpf_ctx_range_ptr for\nconsistency.\n\nNote this syzkaller crash was reported in the \"Closes\" link below, which\nused to be about a different bug, fixed in\ncommit fce7bd8e385a (\"bpf/verifier: Handle BPF_LOAD_ACQ instructions\nin insn_def_regno()\"). Because syzbot somehow confused the two bugs,\nthe new crash and repro didn\u0027t get reported to the mailing list."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T16:31:20.865Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7847c4140e06f6e87229faae22cc38525334c156"
},
{
"url": "https://git.kernel.org/stable/c/feae34c992eb7191862fb1594c704fbbf650fef8"
},
{
"url": "https://git.kernel.org/stable/c/33660d44e789edb4f303210c813fc56d56377a90"
},
{
"url": "https://git.kernel.org/stable/c/058a0da4f6d916a79b693384111bb80a90d73763"
},
{
"url": "https://git.kernel.org/stable/c/202900ceeef67458c964c2af6e1427c8e533ea7c"
},
{
"url": "https://git.kernel.org/stable/c/e09299225d5ba3916c91ef70565f7d2187e4cca0"
}
],
"title": "bpf: Reject narrower access to pointer ctx fields",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38591",
"datePublished": "2025-08-19T17:03:12.508Z",
"dateReserved": "2025-04-16T04:51:24.026Z",
"dateUpdated": "2026-02-06T16:31:20.865Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23097 (GCVE-0-2026-23097)
Vulnerability from cvelistv5
Published
2026-02-04 16:08
Modified
2026-02-09 08:38
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
migrate: correct lock ordering for hugetlb file folios
Syzbot has found a deadlock (analyzed by Lance Yang):
1) Task (5749): Holds folio_lock, then tries to acquire i_mmap_rwsem(read lock).
2) Task (5754): Holds i_mmap_rwsem(write lock), then tries to acquire
folio_lock.
migrate_pages()
-> migrate_hugetlbs()
-> unmap_and_move_huge_page() <- Takes folio_lock!
-> remove_migration_ptes()
-> __rmap_walk_file()
-> i_mmap_lock_read() <- Waits for i_mmap_rwsem(read lock)!
hugetlbfs_fallocate()
-> hugetlbfs_punch_hole() <- Takes i_mmap_rwsem(write lock)!
-> hugetlbfs_zero_partial_page()
-> filemap_lock_hugetlb_folio()
-> filemap_lock_folio()
-> __filemap_get_folio <- Waits for folio_lock!
The migration path is the one taking locks in the wrong order according to
the documentation at the top of mm/rmap.c. So expand the scope of the
existing i_mmap_lock to cover the calls to remove_migration_ptes() too.
This is (mostly) how it used to be after commit c0d0381ade79. That was
removed by 336bf30eb765 for both file & anon hugetlb pages when it should
only have been removed for anon hugetlb pages.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 336bf30eb76580b579dc711ded5d599d905c0217 Version: 336bf30eb76580b579dc711ded5d599d905c0217 Version: 336bf30eb76580b579dc711ded5d599d905c0217 Version: 336bf30eb76580b579dc711ded5d599d905c0217 Version: 336bf30eb76580b579dc711ded5d599d905c0217 Version: 336bf30eb76580b579dc711ded5d599d905c0217 Version: 336bf30eb76580b579dc711ded5d599d905c0217 Version: ef792d6ce0db6a56e56743b1de1716a982c3b851 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/migrate.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e7396d23f9d5739f56cf9ab430c3a169f5508394",
"status": "affected",
"version": "336bf30eb76580b579dc711ded5d599d905c0217",
"versionType": "git"
},
{
"lessThan": "ad97b9a55246eb940a26ac977f80892a395cabf9",
"status": "affected",
"version": "336bf30eb76580b579dc711ded5d599d905c0217",
"versionType": "git"
},
{
"lessThan": "5edb9854f8df5428b40990a1c7d60507da5bd330",
"status": "affected",
"version": "336bf30eb76580b579dc711ded5d599d905c0217",
"versionType": "git"
},
{
"lessThan": "526394af4e8ade89cacd1a9ce2b97712712fcc34",
"status": "affected",
"version": "336bf30eb76580b579dc711ded5d599d905c0217",
"versionType": "git"
},
{
"lessThan": "b75070823b89009f5123fd0e05a8e0c3d39937c1",
"status": "affected",
"version": "336bf30eb76580b579dc711ded5d599d905c0217",
"versionType": "git"
},
{
"lessThan": "1b68efce6dd483d22f50d0d3800c4cfda14b1305",
"status": "affected",
"version": "336bf30eb76580b579dc711ded5d599d905c0217",
"versionType": "git"
},
{
"lessThan": "b7880cb166ab62c2409046b2347261abf701530e",
"status": "affected",
"version": "336bf30eb76580b579dc711ded5d599d905c0217",
"versionType": "git"
},
{
"status": "affected",
"version": "ef792d6ce0db6a56e56743b1de1716a982c3b851",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/migrate.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.9.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmigrate: correct lock ordering for hugetlb file folios\n\nSyzbot has found a deadlock (analyzed by Lance Yang):\n\n1) Task (5749): Holds folio_lock, then tries to acquire i_mmap_rwsem(read lock).\n2) Task (5754): Holds i_mmap_rwsem(write lock), then tries to acquire\nfolio_lock.\n\nmigrate_pages()\n -\u003e migrate_hugetlbs()\n -\u003e unmap_and_move_huge_page() \u003c- Takes folio_lock!\n -\u003e remove_migration_ptes()\n -\u003e __rmap_walk_file()\n -\u003e i_mmap_lock_read() \u003c- Waits for i_mmap_rwsem(read lock)!\n\nhugetlbfs_fallocate()\n -\u003e hugetlbfs_punch_hole() \u003c- Takes i_mmap_rwsem(write lock)!\n -\u003e hugetlbfs_zero_partial_page()\n -\u003e filemap_lock_hugetlb_folio()\n -\u003e filemap_lock_folio()\n -\u003e __filemap_get_folio \u003c- Waits for folio_lock!\n\nThe migration path is the one taking locks in the wrong order according to\nthe documentation at the top of mm/rmap.c. So expand the scope of the\nexisting i_mmap_lock to cover the calls to remove_migration_ptes() too.\n\nThis is (mostly) how it used to be after commit c0d0381ade79. That was\nremoved by 336bf30eb765 for both file \u0026 anon hugetlb pages when it should\nonly have been removed for anon hugetlb pages."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:38:37.705Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e7396d23f9d5739f56cf9ab430c3a169f5508394"
},
{
"url": "https://git.kernel.org/stable/c/ad97b9a55246eb940a26ac977f80892a395cabf9"
},
{
"url": "https://git.kernel.org/stable/c/5edb9854f8df5428b40990a1c7d60507da5bd330"
},
{
"url": "https://git.kernel.org/stable/c/526394af4e8ade89cacd1a9ce2b97712712fcc34"
},
{
"url": "https://git.kernel.org/stable/c/b75070823b89009f5123fd0e05a8e0c3d39937c1"
},
{
"url": "https://git.kernel.org/stable/c/1b68efce6dd483d22f50d0d3800c4cfda14b1305"
},
{
"url": "https://git.kernel.org/stable/c/b7880cb166ab62c2409046b2347261abf701530e"
}
],
"title": "migrate: correct lock ordering for hugetlb file folios",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23097",
"datePublished": "2026-02-04T16:08:19.815Z",
"dateReserved": "2026-01-13T15:37:45.964Z",
"dateUpdated": "2026-02-09T08:38:37.705Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40244 (GCVE-0-2025-40244)
Vulnerability from cvelistv5
Published
2025-12-04 15:31
Modified
2026-01-02 15:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent()
The syzbot reported issue in __hfsplus_ext_cache_extent():
[ 70.194323][ T9350] BUG: KMSAN: uninit-value in __hfsplus_ext_cache_extent+0x7d0/0x990
[ 70.195022][ T9350] __hfsplus_ext_cache_extent+0x7d0/0x990
[ 70.195530][ T9350] hfsplus_file_extend+0x74f/0x1cf0
[ 70.195998][ T9350] hfsplus_get_block+0xe16/0x17b0
[ 70.196458][ T9350] __block_write_begin_int+0x962/0x2ce0
[ 70.196959][ T9350] cont_write_begin+0x1000/0x1950
[ 70.197416][ T9350] hfsplus_write_begin+0x85/0x130
[ 70.197873][ T9350] generic_perform_write+0x3e8/0x1060
[ 70.198374][ T9350] __generic_file_write_iter+0x215/0x460
[ 70.198892][ T9350] generic_file_write_iter+0x109/0x5e0
[ 70.199393][ T9350] vfs_write+0xb0f/0x14e0
[ 70.199771][ T9350] ksys_write+0x23e/0x490
[ 70.200149][ T9350] __x64_sys_write+0x97/0xf0
[ 70.200570][ T9350] x64_sys_call+0x3015/0x3cf0
[ 70.201065][ T9350] do_syscall_64+0xd9/0x1d0
[ 70.201506][ T9350] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 70.202054][ T9350]
[ 70.202279][ T9350] Uninit was created at:
[ 70.202693][ T9350] __kmalloc_noprof+0x621/0xf80
[ 70.203149][ T9350] hfsplus_find_init+0x8d/0x1d0
[ 70.203602][ T9350] hfsplus_file_extend+0x6ca/0x1cf0
[ 70.204087][ T9350] hfsplus_get_block+0xe16/0x17b0
[ 70.204561][ T9350] __block_write_begin_int+0x962/0x2ce0
[ 70.205074][ T9350] cont_write_begin+0x1000/0x1950
[ 70.205547][ T9350] hfsplus_write_begin+0x85/0x130
[ 70.206017][ T9350] generic_perform_write+0x3e8/0x1060
[ 70.206519][ T9350] __generic_file_write_iter+0x215/0x460
[ 70.207042][ T9350] generic_file_write_iter+0x109/0x5e0
[ 70.207552][ T9350] vfs_write+0xb0f/0x14e0
[ 70.207961][ T9350] ksys_write+0x23e/0x490
[ 70.208375][ T9350] __x64_sys_write+0x97/0xf0
[ 70.208810][ T9350] x64_sys_call+0x3015/0x3cf0
[ 70.209255][ T9350] do_syscall_64+0xd9/0x1d0
[ 70.209680][ T9350] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 70.210230][ T9350]
[ 70.210454][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Not tainted 6.12.0-rc5 #5
[ 70.211174][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 70.212115][ T9350] =====================================================
[ 70.212734][ T9350] Disabling lock debugging due to kernel taint
[ 70.213284][ T9350] Kernel panic - not syncing: kmsan.panic set ...
[ 70.213858][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Tainted: G B 6.12.0-rc5 #5
[ 70.214679][ T9350] Tainted: [B]=BAD_PAGE
[ 70.215057][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 70.215999][ T9350] Call Trace:
[ 70.216309][ T9350] <TASK>
[ 70.216585][ T9350] dump_stack_lvl+0x1fd/0x2b0
[ 70.217025][ T9350] dump_stack+0x1e/0x30
[ 70.217421][ T9350] panic+0x502/0xca0
[ 70.217803][ T9350] ? kmsan_get_metadata+0x13e/0x1c0
[ 70.218294][ Message fromT sy9350] kmsan_report+0x296/slogd@syzkaller 0x2aat Aug 18 22:11:058 ...
kernel
:[ 70.213284][ T9350] Kernel panic - not syncing: kmsan.panic [ 70.220179][ T9350] ? kmsan_get_metadata+0x13e/0x1c0
set ...
[ 70.221254][ T9350] ? __msan_warning+0x96/0x120
[ 70.222066][ T9350] ? __hfsplus_ext_cache_extent+0x7d0/0x990
[ 70.223023][ T9350] ? hfsplus_file_extend+0x74f/0x1cf0
[ 70.224120][ T9350] ? hfsplus_get_block+0xe16/0x17b0
[ 70.224946][ T9350] ? __block_write_begin_int+0x962/0x2ce0
[ 70.225756][ T9350] ? cont_write_begin+0x1000/0x1950
[ 70.226337][ T9350] ? hfsplus_write_begin+0x85/0x130
[ 70.226852][ T9350] ? generic_perform_write+0x3e8/0x1060
[ 70.227405][ T9350] ? __generic_file_write_iter+0x215/0x460
[ 70.227979][ T9350] ? generic_file_write_iter+0x109/0x5e0
[ 70.228540][ T9350] ? vfs_write+0xb0f/0x14e0
[ 70.228997][ T9350] ? ksys_write+0x23e/0x490
---truncated---
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/hfsplus/bfind.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c1ec90bed504640a42bb20a5f413be39cd17ad71",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b8a72692aa42b7dcd179a96b90bc2763ac74576a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c135b8dca65526aa5b8814e9954e0ae317d9c598",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d7e313039a8f3a6ee072dc5ff4643234d2d735cf",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a5bfb13b4f406aef1a450f99d22d3e48df01528c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "99202d94909d323a30d154ab0261c0a07166daec",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "14c673a2f3ecf650b694a52a88688f1d71849899",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4840ceadef4290c56cc422f0fc697655f3cbf070",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/hfsplus/bfind.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.196",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.115",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.196",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.115",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.56",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.6",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent()\n\nThe syzbot reported issue in __hfsplus_ext_cache_extent():\n\n[ 70.194323][ T9350] BUG: KMSAN: uninit-value in __hfsplus_ext_cache_extent+0x7d0/0x990\n[ 70.195022][ T9350] __hfsplus_ext_cache_extent+0x7d0/0x990\n[ 70.195530][ T9350] hfsplus_file_extend+0x74f/0x1cf0\n[ 70.195998][ T9350] hfsplus_get_block+0xe16/0x17b0\n[ 70.196458][ T9350] __block_write_begin_int+0x962/0x2ce0\n[ 70.196959][ T9350] cont_write_begin+0x1000/0x1950\n[ 70.197416][ T9350] hfsplus_write_begin+0x85/0x130\n[ 70.197873][ T9350] generic_perform_write+0x3e8/0x1060\n[ 70.198374][ T9350] __generic_file_write_iter+0x215/0x460\n[ 70.198892][ T9350] generic_file_write_iter+0x109/0x5e0\n[ 70.199393][ T9350] vfs_write+0xb0f/0x14e0\n[ 70.199771][ T9350] ksys_write+0x23e/0x490\n[ 70.200149][ T9350] __x64_sys_write+0x97/0xf0\n[ 70.200570][ T9350] x64_sys_call+0x3015/0x3cf0\n[ 70.201065][ T9350] do_syscall_64+0xd9/0x1d0\n[ 70.201506][ T9350] entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[ 70.202054][ T9350]\n[ 70.202279][ T9350] Uninit was created at:\n[ 70.202693][ T9350] __kmalloc_noprof+0x621/0xf80\n[ 70.203149][ T9350] hfsplus_find_init+0x8d/0x1d0\n[ 70.203602][ T9350] hfsplus_file_extend+0x6ca/0x1cf0\n[ 70.204087][ T9350] hfsplus_get_block+0xe16/0x17b0\n[ 70.204561][ T9350] __block_write_begin_int+0x962/0x2ce0\n[ 70.205074][ T9350] cont_write_begin+0x1000/0x1950\n[ 70.205547][ T9350] hfsplus_write_begin+0x85/0x130\n[ 70.206017][ T9350] generic_perform_write+0x3e8/0x1060\n[ 70.206519][ T9350] __generic_file_write_iter+0x215/0x460\n[ 70.207042][ T9350] generic_file_write_iter+0x109/0x5e0\n[ 70.207552][ T9350] vfs_write+0xb0f/0x14e0\n[ 70.207961][ T9350] ksys_write+0x23e/0x490\n[ 70.208375][ T9350] __x64_sys_write+0x97/0xf0\n[ 70.208810][ T9350] x64_sys_call+0x3015/0x3cf0\n[ 70.209255][ T9350] do_syscall_64+0xd9/0x1d0\n[ 70.209680][ T9350] entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[ 70.210230][ T9350]\n[ 70.210454][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Not tainted 6.12.0-rc5 #5\n[ 70.211174][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[ 70.212115][ T9350] =====================================================\n[ 70.212734][ T9350] Disabling lock debugging due to kernel taint\n[ 70.213284][ T9350] Kernel panic - not syncing: kmsan.panic set ...\n[ 70.213858][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Tainted: G B 6.12.0-rc5 #5\n[ 70.214679][ T9350] Tainted: [B]=BAD_PAGE\n[ 70.215057][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[ 70.215999][ T9350] Call Trace:\n[ 70.216309][ T9350] \u003cTASK\u003e\n[ 70.216585][ T9350] dump_stack_lvl+0x1fd/0x2b0\n[ 70.217025][ T9350] dump_stack+0x1e/0x30\n[ 70.217421][ T9350] panic+0x502/0xca0\n[ 70.217803][ T9350] ? kmsan_get_metadata+0x13e/0x1c0\n\n[ 70.218294][ Message fromT sy9350] kmsan_report+0x296/slogd@syzkaller 0x2aat Aug 18 22:11:058 ...\n kernel\n:[ 70.213284][ T9350] Kernel panic - not syncing: kmsan.panic [ 70.220179][ T9350] ? kmsan_get_metadata+0x13e/0x1c0\nset ...\n[ 70.221254][ T9350] ? __msan_warning+0x96/0x120\n[ 70.222066][ T9350] ? __hfsplus_ext_cache_extent+0x7d0/0x990\n[ 70.223023][ T9350] ? hfsplus_file_extend+0x74f/0x1cf0\n[ 70.224120][ T9350] ? hfsplus_get_block+0xe16/0x17b0\n[ 70.224946][ T9350] ? __block_write_begin_int+0x962/0x2ce0\n[ 70.225756][ T9350] ? cont_write_begin+0x1000/0x1950\n[ 70.226337][ T9350] ? hfsplus_write_begin+0x85/0x130\n[ 70.226852][ T9350] ? generic_perform_write+0x3e8/0x1060\n[ 70.227405][ T9350] ? __generic_file_write_iter+0x215/0x460\n[ 70.227979][ T9350] ? generic_file_write_iter+0x109/0x5e0\n[ 70.228540][ T9350] ? vfs_write+0xb0f/0x14e0\n[ 70.228997][ T9350] ? ksys_write+0x23e/0x490\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:14.257Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c1ec90bed504640a42bb20a5f413be39cd17ad71"
},
{
"url": "https://git.kernel.org/stable/c/b8a72692aa42b7dcd179a96b90bc2763ac74576a"
},
{
"url": "https://git.kernel.org/stable/c/c135b8dca65526aa5b8814e9954e0ae317d9c598"
},
{
"url": "https://git.kernel.org/stable/c/d7e313039a8f3a6ee072dc5ff4643234d2d735cf"
},
{
"url": "https://git.kernel.org/stable/c/a5bfb13b4f406aef1a450f99d22d3e48df01528c"
},
{
"url": "https://git.kernel.org/stable/c/99202d94909d323a30d154ab0261c0a07166daec"
},
{
"url": "https://git.kernel.org/stable/c/14c673a2f3ecf650b694a52a88688f1d71849899"
},
{
"url": "https://git.kernel.org/stable/c/4840ceadef4290c56cc422f0fc697655f3cbf070"
}
],
"title": "hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40244",
"datePublished": "2025-12-04T15:31:33.249Z",
"dateReserved": "2025-04-16T07:20:57.181Z",
"dateUpdated": "2026-01-02T15:33:14.257Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68302 (GCVE-0-2025-68302)
Vulnerability from cvelistv5
Published
2025-12-16 15:06
Modified
2025-12-16 15:06
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: sxgbe: fix potential NULL dereference in sxgbe_rx()
Currently, when skb is null, the driver prints an error and then
dereferences skb on the next line.
To fix this, let's add a 'break' after the error message to switch
to sxgbe_rx_refill(), which is similar to the approach taken by the
other drivers in this particular case, e.g. calxeda with xgmac_rx().
Found during a code review.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1edb9ca69e8a7988900fc0283e10550b5592164d Version: 1edb9ca69e8a7988900fc0283e10550b5592164d Version: 1edb9ca69e8a7988900fc0283e10550b5592164d Version: 1edb9ca69e8a7988900fc0283e10550b5592164d Version: 1edb9ca69e8a7988900fc0283e10550b5592164d Version: 1edb9ca69e8a7988900fc0283e10550b5592164d Version: 1edb9ca69e8a7988900fc0283e10550b5592164d |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/samsung/sxgbe/sxgbe_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ac171c3c755499c9f87fe30b920602255f8b5648",
"status": "affected",
"version": "1edb9ca69e8a7988900fc0283e10550b5592164d",
"versionType": "git"
},
{
"lessThan": "18ef3ad1bb57dcf1a9ee61736039aedccf670b21",
"status": "affected",
"version": "1edb9ca69e8a7988900fc0283e10550b5592164d",
"versionType": "git"
},
{
"lessThan": "46e5332126596a2ca791140feab18ce1fc1a3c86",
"status": "affected",
"version": "1edb9ca69e8a7988900fc0283e10550b5592164d",
"versionType": "git"
},
{
"lessThan": "7fd789d6ea4915034eb6bcb72f6883c8151083e5",
"status": "affected",
"version": "1edb9ca69e8a7988900fc0283e10550b5592164d",
"versionType": "git"
},
{
"lessThan": "45b5b4ddb8d6bea5fc1625ff6f163bbb125d49cc",
"status": "affected",
"version": "1edb9ca69e8a7988900fc0283e10550b5592164d",
"versionType": "git"
},
{
"lessThan": "88f46c0be77bfe45830ac33102c75be7c34ac3f3",
"status": "affected",
"version": "1edb9ca69e8a7988900fc0283e10550b5592164d",
"versionType": "git"
},
{
"lessThan": "f5bce28f6b9125502abec4a67d68eabcd24b3b17",
"status": "affected",
"version": "1edb9ca69e8a7988900fc0283e10550b5592164d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/samsung/sxgbe/sxgbe_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.15"
},
{
"lessThan": "3.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sxgbe: fix potential NULL dereference in sxgbe_rx()\n\nCurrently, when skb is null, the driver prints an error and then\ndereferences skb on the next line.\n\nTo fix this, let\u0027s add a \u0027break\u0027 after the error message to switch\nto sxgbe_rx_refill(), which is similar to the approach taken by the\nother drivers in this particular case, e.g. calxeda with xgmac_rx().\n\nFound during a code review."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:06:20.420Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ac171c3c755499c9f87fe30b920602255f8b5648"
},
{
"url": "https://git.kernel.org/stable/c/18ef3ad1bb57dcf1a9ee61736039aedccf670b21"
},
{
"url": "https://git.kernel.org/stable/c/46e5332126596a2ca791140feab18ce1fc1a3c86"
},
{
"url": "https://git.kernel.org/stable/c/7fd789d6ea4915034eb6bcb72f6883c8151083e5"
},
{
"url": "https://git.kernel.org/stable/c/45b5b4ddb8d6bea5fc1625ff6f163bbb125d49cc"
},
{
"url": "https://git.kernel.org/stable/c/88f46c0be77bfe45830ac33102c75be7c34ac3f3"
},
{
"url": "https://git.kernel.org/stable/c/f5bce28f6b9125502abec4a67d68eabcd24b3b17"
}
],
"title": "net: sxgbe: fix potential NULL dereference in sxgbe_rx()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68302",
"datePublished": "2025-12-16T15:06:20.420Z",
"dateReserved": "2025-12-16T14:48:05.293Z",
"dateUpdated": "2025-12-16T15:06:20.420Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23209 (GCVE-0-2026-23209)
Vulnerability from cvelistv5
Published
2026-02-14 16:27
Modified
2026-04-03 13:32
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
macvlan: fix error recovery in macvlan_common_newlink()
valis provided a nice repro to crash the kernel:
ip link add p1 type veth peer p2
ip link set address 00:00:00:00:00:20 dev p1
ip link set up dev p1
ip link set up dev p2
ip link add mv0 link p2 type macvlan mode source
ip link add invalid% link p2 type macvlan mode source macaddr add 00:00:00:00:00:20
ping -c1 -I p1 1.2.3.4
He also gave a very detailed analysis:
<quote valis>
The issue is triggered when a new macvlan link is created with
MACVLAN_MODE_SOURCE mode and MACVLAN_MACADDR_ADD (or
MACVLAN_MACADDR_SET) parameter, lower device already has a macvlan
port and register_netdevice() called from macvlan_common_newlink()
fails (e.g. because of the invalid link name).
In this case macvlan_hash_add_source is called from
macvlan_change_sources() / macvlan_common_newlink():
This adds a reference to vlan to the port's vlan_source_hash using
macvlan_source_entry.
vlan is a pointer to the priv data of the link that is being created.
When register_netdevice() fails, the error is returned from
macvlan_newlink() to rtnl_newlink_create():
if (ops->newlink)
err = ops->newlink(dev, ¶ms, extack);
else
err = register_netdevice(dev);
if (err < 0) {
free_netdev(dev);
goto out;
}
and free_netdev() is called, causing a kvfree() on the struct
net_device that is still referenced in the source entry attached to
the lower device's macvlan port.
Now all packets sent on the macvlan port with a matching source mac
address will trigger a use-after-free in macvlan_forward_source().
</quote valis>
With all that, my fix is to make sure we call macvlan_flush_sources()
regardless of @create value whenever "goto destroy_macvlan_port;"
path is taken.
Many thanks to valis for following up on this issue.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: aa5fd0fb77486b8a6764ead8627baa14790e4280 Version: aa5fd0fb77486b8a6764ead8627baa14790e4280 Version: aa5fd0fb77486b8a6764ead8627baa14790e4280 Version: aa5fd0fb77486b8a6764ead8627baa14790e4280 Version: aa5fd0fb77486b8a6764ead8627baa14790e4280 Version: aa5fd0fb77486b8a6764ead8627baa14790e4280 Version: aa5fd0fb77486b8a6764ead8627baa14790e4280 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/macvlan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "da5c6b8ae47e414be47e5e04def15b25d5c962dc",
"status": "affected",
"version": "aa5fd0fb77486b8a6764ead8627baa14790e4280",
"versionType": "git"
},
{
"lessThan": "5dae6b36a7cb7a4fcf4121b95e9ca7f96f816c8a",
"status": "affected",
"version": "aa5fd0fb77486b8a6764ead8627baa14790e4280",
"versionType": "git"
},
{
"lessThan": "c43d0e787cbba569ec9d11579ed370b50fab6c9c",
"status": "affected",
"version": "aa5fd0fb77486b8a6764ead8627baa14790e4280",
"versionType": "git"
},
{
"lessThan": "11ba9f0dc865136174cb98834280fb21bbc950c7",
"status": "affected",
"version": "aa5fd0fb77486b8a6764ead8627baa14790e4280",
"versionType": "git"
},
{
"lessThan": "986967a162142710076782d5b93daab93a892980",
"status": "affected",
"version": "aa5fd0fb77486b8a6764ead8627baa14790e4280",
"versionType": "git"
},
{
"lessThan": "cdedcd5aa3f3cb8b7ae0f87ab3a936d0bd583d66",
"status": "affected",
"version": "aa5fd0fb77486b8a6764ead8627baa14790e4280",
"versionType": "git"
},
{
"lessThan": "f8db6475a83649689c087a8f52486fcc53e627e9",
"status": "affected",
"version": "aa5fd0fb77486b8a6764ead8627baa14790e4280",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/macvlan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.9"
},
{
"lessThan": "4.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.250",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.200",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.250",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.200",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.163",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmacvlan: fix error recovery in macvlan_common_newlink()\n\nvalis provided a nice repro to crash the kernel:\n\nip link add p1 type veth peer p2\nip link set address 00:00:00:00:00:20 dev p1\nip link set up dev p1\nip link set up dev p2\n\nip link add mv0 link p2 type macvlan mode source\nip link add invalid% link p2 type macvlan mode source macaddr add 00:00:00:00:00:20\n\nping -c1 -I p1 1.2.3.4\n\nHe also gave a very detailed analysis:\n\n\u003cquote valis\u003e\n\nThe issue is triggered when a new macvlan link is created with\nMACVLAN_MODE_SOURCE mode and MACVLAN_MACADDR_ADD (or\nMACVLAN_MACADDR_SET) parameter, lower device already has a macvlan\nport and register_netdevice() called from macvlan_common_newlink()\nfails (e.g. because of the invalid link name).\n\nIn this case macvlan_hash_add_source is called from\nmacvlan_change_sources() / macvlan_common_newlink():\n\nThis adds a reference to vlan to the port\u0027s vlan_source_hash using\nmacvlan_source_entry.\n\nvlan is a pointer to the priv data of the link that is being created.\n\nWhen register_netdevice() fails, the error is returned from\nmacvlan_newlink() to rtnl_newlink_create():\n\n if (ops-\u003enewlink)\n err = ops-\u003enewlink(dev, \u0026params, extack);\n else\n err = register_netdevice(dev);\n if (err \u003c 0) {\n free_netdev(dev);\n goto out;\n }\n\nand free_netdev() is called, causing a kvfree() on the struct\nnet_device that is still referenced in the source entry attached to\nthe lower device\u0027s macvlan port.\n\nNow all packets sent on the macvlan port with a matching source mac\naddress will trigger a use-after-free in macvlan_forward_source().\n\n\u003c/quote valis\u003e\n\nWith all that, my fix is to make sure we call macvlan_flush_sources()\nregardless of @create value whenever \"goto destroy_macvlan_port;\"\npath is taken.\n\nMany thanks to valis for following up on this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T13:32:31.638Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/da5c6b8ae47e414be47e5e04def15b25d5c962dc"
},
{
"url": "https://git.kernel.org/stable/c/5dae6b36a7cb7a4fcf4121b95e9ca7f96f816c8a"
},
{
"url": "https://git.kernel.org/stable/c/c43d0e787cbba569ec9d11579ed370b50fab6c9c"
},
{
"url": "https://git.kernel.org/stable/c/11ba9f0dc865136174cb98834280fb21bbc950c7"
},
{
"url": "https://git.kernel.org/stable/c/986967a162142710076782d5b93daab93a892980"
},
{
"url": "https://git.kernel.org/stable/c/cdedcd5aa3f3cb8b7ae0f87ab3a936d0bd583d66"
},
{
"url": "https://git.kernel.org/stable/c/f8db6475a83649689c087a8f52486fcc53e627e9"
}
],
"title": "macvlan: fix error recovery in macvlan_common_newlink()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23209",
"datePublished": "2026-02-14T16:27:31.175Z",
"dateReserved": "2026-01-13T15:37:45.986Z",
"dateUpdated": "2026-04-03T13:32:31.638Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71098 (GCVE-0-2025-71098)
Vulnerability from cvelistv5
Published
2026-01-13 15:34
Modified
2026-02-09 08:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ip6_gre: make ip6gre_header() robust
Over the years, syzbot found many ways to crash the kernel
in ip6gre_header() [1].
This involves team or bonding drivers ability to dynamically
change their dev->needed_headroom and/or dev->hard_header_len
In this particular crash mld_newpack() allocated an skb
with a too small reserve/headroom, and by the time mld_sendpack()
was called, syzbot managed to attach an ip6gre device.
[1]
skbuff: skb_under_panic: text:ffffffff8a1d69a8 len:136 put:40 head:ffff888059bc7000 data:ffff888059bc6fe8 tail:0x70 end:0x6c0 dev:team0
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:213 !
<TASK>
skb_under_panic net/core/skbuff.c:223 [inline]
skb_push+0xc3/0xe0 net/core/skbuff.c:2641
ip6gre_header+0xc8/0x790 net/ipv6/ip6_gre.c:1371
dev_hard_header include/linux/netdevice.h:3436 [inline]
neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618
neigh_output include/net/neighbour.h:556 [inline]
ip6_finish_output2+0xfb3/0x1480 net/ipv6/ip6_output.c:136
__ip6_finish_output net/ipv6/ip6_output.c:-1 [inline]
ip6_finish_output+0x234/0x7d0 net/ipv6/ip6_output.c:220
NF_HOOK_COND include/linux/netfilter.h:307 [inline]
ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247
NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318
mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855
mld_send_cr net/ipv6/mcast.c:2154 [inline]
mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: c12b395a46646bab69089ce7016ac78177f6001f Version: c12b395a46646bab69089ce7016ac78177f6001f Version: c12b395a46646bab69089ce7016ac78177f6001f Version: c12b395a46646bab69089ce7016ac78177f6001f Version: c12b395a46646bab69089ce7016ac78177f6001f Version: c12b395a46646bab69089ce7016ac78177f6001f Version: c12b395a46646bab69089ce7016ac78177f6001f |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_gre.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "17e7386234f740f3e7d5e58a47b5847ea34c3bc2",
"status": "affected",
"version": "c12b395a46646bab69089ce7016ac78177f6001f",
"versionType": "git"
},
{
"lessThan": "41a1a3140aff295dee8063906f70a514548105e8",
"status": "affected",
"version": "c12b395a46646bab69089ce7016ac78177f6001f",
"versionType": "git"
},
{
"lessThan": "adee129db814474f2f81207bd182bf343832a52e",
"status": "affected",
"version": "c12b395a46646bab69089ce7016ac78177f6001f",
"versionType": "git"
},
{
"lessThan": "1717357007db150c2d703f13f5695460e960f26c",
"status": "affected",
"version": "c12b395a46646bab69089ce7016ac78177f6001f",
"versionType": "git"
},
{
"lessThan": "5fe210533e3459197eabfdbf97327dacbdc04d60",
"status": "affected",
"version": "c12b395a46646bab69089ce7016ac78177f6001f",
"versionType": "git"
},
{
"lessThan": "91a2b25be07ce1a7549ceebbe82017551d2eec92",
"status": "affected",
"version": "c12b395a46646bab69089ce7016ac78177f6001f",
"versionType": "git"
},
{
"lessThan": "db5b4e39c4e63700c68a7e65fc4e1f1375273476",
"status": "affected",
"version": "c12b395a46646bab69089ce7016ac78177f6001f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_gre.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.7"
},
{
"lessThan": "3.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nip6_gre: make ip6gre_header() robust\n\nOver the years, syzbot found many ways to crash the kernel\nin ip6gre_header() [1].\n\nThis involves team or bonding drivers ability to dynamically\nchange their dev-\u003eneeded_headroom and/or dev-\u003ehard_header_len\n\nIn this particular crash mld_newpack() allocated an skb\nwith a too small reserve/headroom, and by the time mld_sendpack()\nwas called, syzbot managed to attach an ip6gre device.\n\n[1]\nskbuff: skb_under_panic: text:ffffffff8a1d69a8 len:136 put:40 head:ffff888059bc7000 data:ffff888059bc6fe8 tail:0x70 end:0x6c0 dev:team0\n------------[ cut here ]------------\n kernel BUG at net/core/skbuff.c:213 !\n \u003cTASK\u003e\n skb_under_panic net/core/skbuff.c:223 [inline]\n skb_push+0xc3/0xe0 net/core/skbuff.c:2641\n ip6gre_header+0xc8/0x790 net/ipv6/ip6_gre.c:1371\n dev_hard_header include/linux/netdevice.h:3436 [inline]\n neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618\n neigh_output include/net/neighbour.h:556 [inline]\n ip6_finish_output2+0xfb3/0x1480 net/ipv6/ip6_output.c:136\n __ip6_finish_output net/ipv6/ip6_output.c:-1 [inline]\n ip6_finish_output+0x234/0x7d0 net/ipv6/ip6_output.c:220\n NF_HOOK_COND include/linux/netfilter.h:307 [inline]\n ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247\n NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318\n mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855\n mld_send_cr net/ipv6/mcast.c:2154 [inline]\n mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:50.957Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/17e7386234f740f3e7d5e58a47b5847ea34c3bc2"
},
{
"url": "https://git.kernel.org/stable/c/41a1a3140aff295dee8063906f70a514548105e8"
},
{
"url": "https://git.kernel.org/stable/c/adee129db814474f2f81207bd182bf343832a52e"
},
{
"url": "https://git.kernel.org/stable/c/1717357007db150c2d703f13f5695460e960f26c"
},
{
"url": "https://git.kernel.org/stable/c/5fe210533e3459197eabfdbf97327dacbdc04d60"
},
{
"url": "https://git.kernel.org/stable/c/91a2b25be07ce1a7549ceebbe82017551d2eec92"
},
{
"url": "https://git.kernel.org/stable/c/db5b4e39c4e63700c68a7e65fc4e1f1375273476"
}
],
"title": "ip6_gre: make ip6gre_header() robust",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71098",
"datePublished": "2026-01-13T15:34:57.536Z",
"dateReserved": "2026-01-13T15:30:19.650Z",
"dateUpdated": "2026-02-09T08:34:50.957Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68777 (GCVE-0-2025-68777)
Vulnerability from cvelistv5
Published
2026-01-13 15:28
Modified
2026-02-09 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Input: ti_am335x_tsc - fix off-by-one error in wire_order validation
The current validation 'wire_order[i] > ARRAY_SIZE(config_pins)' allows
wire_order[i] to equal ARRAY_SIZE(config_pins), which causes out-of-bounds
access when used as index in 'config_pins[wire_order[i]]'.
Since config_pins has 4 elements (indices 0-3), the valid range for
wire_order should be 0-3. Fix the off-by-one error by using >= instead
of > in the validation check.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: bb76dc09ddfc135c6c5e8eb7d3c583bfa8bdd439 Version: bb76dc09ddfc135c6c5e8eb7d3c583bfa8bdd439 Version: bb76dc09ddfc135c6c5e8eb7d3c583bfa8bdd439 Version: bb76dc09ddfc135c6c5e8eb7d3c583bfa8bdd439 Version: bb76dc09ddfc135c6c5e8eb7d3c583bfa8bdd439 Version: bb76dc09ddfc135c6c5e8eb7d3c583bfa8bdd439 Version: bb76dc09ddfc135c6c5e8eb7d3c583bfa8bdd439 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/input/touchscreen/ti_am335x_tsc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a7ff2360431561b56f559d3a628d1f096048d178",
"status": "affected",
"version": "bb76dc09ddfc135c6c5e8eb7d3c583bfa8bdd439",
"versionType": "git"
},
{
"lessThan": "136abe173a3cc2951d70c6e51fe7abdbadbb204b",
"status": "affected",
"version": "bb76dc09ddfc135c6c5e8eb7d3c583bfa8bdd439",
"versionType": "git"
},
{
"lessThan": "08c0b561823a7026364efb38ed7f4a3af48ccfcd",
"status": "affected",
"version": "bb76dc09ddfc135c6c5e8eb7d3c583bfa8bdd439",
"versionType": "git"
},
{
"lessThan": "bf95ec55805828c4f2b5241fb6b0c12388548570",
"status": "affected",
"version": "bb76dc09ddfc135c6c5e8eb7d3c583bfa8bdd439",
"versionType": "git"
},
{
"lessThan": "84e4d3543168912549271b34261f5e0f94952d6e",
"status": "affected",
"version": "bb76dc09ddfc135c6c5e8eb7d3c583bfa8bdd439",
"versionType": "git"
},
{
"lessThan": "40e3042de43ffa0017a8460ff9b4cad7b8c7cb96",
"status": "affected",
"version": "bb76dc09ddfc135c6c5e8eb7d3c583bfa8bdd439",
"versionType": "git"
},
{
"lessThan": "248d3a73a0167dce15ba100477c3e778c4787178",
"status": "affected",
"version": "bb76dc09ddfc135c6c5e8eb7d3c583bfa8bdd439",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/input/touchscreen/ti_am335x_tsc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.11"
},
{
"lessThan": "3.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: ti_am335x_tsc - fix off-by-one error in wire_order validation\n\nThe current validation \u0027wire_order[i] \u003e ARRAY_SIZE(config_pins)\u0027 allows\nwire_order[i] to equal ARRAY_SIZE(config_pins), which causes out-of-bounds\naccess when used as index in \u0027config_pins[wire_order[i]]\u0027.\n\nSince config_pins has 4 elements (indices 0-3), the valid range for\nwire_order should be 0-3. Fix the off-by-one error by using \u003e= instead\nof \u003e in the validation check."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:23.140Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a7ff2360431561b56f559d3a628d1f096048d178"
},
{
"url": "https://git.kernel.org/stable/c/136abe173a3cc2951d70c6e51fe7abdbadbb204b"
},
{
"url": "https://git.kernel.org/stable/c/08c0b561823a7026364efb38ed7f4a3af48ccfcd"
},
{
"url": "https://git.kernel.org/stable/c/bf95ec55805828c4f2b5241fb6b0c12388548570"
},
{
"url": "https://git.kernel.org/stable/c/84e4d3543168912549271b34261f5e0f94952d6e"
},
{
"url": "https://git.kernel.org/stable/c/40e3042de43ffa0017a8460ff9b4cad7b8c7cb96"
},
{
"url": "https://git.kernel.org/stable/c/248d3a73a0167dce15ba100477c3e778c4787178"
}
],
"title": "Input: ti_am335x_tsc - fix off-by-one error in wire_order validation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68777",
"datePublished": "2026-01-13T15:28:53.416Z",
"dateReserved": "2025-12-24T10:30:51.035Z",
"dateUpdated": "2026-02-09T08:33:23.140Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40092 (GCVE-0-2025-40092)
Vulnerability from cvelistv5
Published
2025-10-30 09:47
Modified
2025-12-01 06:17
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: f_ncm: Refactor bind path to use __free()
After an bind/unbind cycle, the ncm->notify_req is left stale. If a
subsequent bind fails, the unified error label attempts to free this
stale request, leading to a NULL pointer dereference when accessing
ep->ops->free_request.
Refactor the error handling in the bind path to use the __free()
automatic cleanup mechanism.
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020
Call trace:
usb_ep_free_request+0x2c/0xec
ncm_bind+0x39c/0x3dc
usb_add_function+0xcc/0x1f0
configfs_composite_bind+0x468/0x588
gadget_bind_driver+0x104/0x270
really_probe+0x190/0x374
__driver_probe_device+0xa0/0x12c
driver_probe_device+0x3c/0x218
__device_attach_driver+0x14c/0x188
bus_for_each_drv+0x10c/0x168
__device_attach+0xfc/0x198
device_initial_probe+0x14/0x24
bus_probe_device+0x94/0x11c
device_add+0x268/0x48c
usb_add_gadget+0x198/0x28c
dwc3_gadget_init+0x700/0x858
__dwc3_set_mode+0x3cc/0x664
process_scheduled_works+0x1d8/0x488
worker_thread+0x244/0x334
kthread+0x114/0x1bc
ret_from_fork+0x10/0x20
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 9f6ce4240a2bf456402c15c06768059e5973f28c Version: 9f6ce4240a2bf456402c15c06768059e5973f28c Version: 9f6ce4240a2bf456402c15c06768059e5973f28c Version: 9f6ce4240a2bf456402c15c06768059e5973f28c Version: 9f6ce4240a2bf456402c15c06768059e5973f28c Version: 9f6ce4240a2bf456402c15c06768059e5973f28c |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/function/f_ncm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "185193a4714aa9c78437a7a1858fbe5771f0f45c",
"status": "affected",
"version": "9f6ce4240a2bf456402c15c06768059e5973f28c",
"versionType": "git"
},
{
"lessThan": "f37de8dec6a4c379b4b8486003a1de00ff8cff3b",
"status": "affected",
"version": "9f6ce4240a2bf456402c15c06768059e5973f28c",
"versionType": "git"
},
{
"lessThan": "1cde4516295a030cb8ab4c93114ca3b6c3c6a1e2",
"status": "affected",
"version": "9f6ce4240a2bf456402c15c06768059e5973f28c",
"versionType": "git"
},
{
"lessThan": "d3fe7143928d8dfa2ec7bac9f906b48bc75b98ee",
"status": "affected",
"version": "9f6ce4240a2bf456402c15c06768059e5973f28c",
"versionType": "git"
},
{
"lessThan": "ed78f4d6079d872432b1ed54f155ef61965d3137",
"status": "affected",
"version": "9f6ce4240a2bf456402c15c06768059e5973f28c",
"versionType": "git"
},
{
"lessThan": "75a5b8d4ddd4eb6b16cb0b475d14ff4ae64295ef",
"status": "affected",
"version": "9f6ce4240a2bf456402c15c06768059e5973f28c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/function/f_ncm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.38"
},
{
"lessThan": "2.6.38",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.196",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.114",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.196",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.114",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.55",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.5",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.38",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_ncm: Refactor bind path to use __free()\n\nAfter an bind/unbind cycle, the ncm-\u003enotify_req is left stale. If a\nsubsequent bind fails, the unified error label attempts to free this\nstale request, leading to a NULL pointer dereference when accessing\nep-\u003eops-\u003efree_request.\n\nRefactor the error handling in the bind path to use the __free()\nautomatic cleanup mechanism.\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000020\nCall trace:\n usb_ep_free_request+0x2c/0xec\n ncm_bind+0x39c/0x3dc\n usb_add_function+0xcc/0x1f0\n configfs_composite_bind+0x468/0x588\n gadget_bind_driver+0x104/0x270\n really_probe+0x190/0x374\n __driver_probe_device+0xa0/0x12c\n driver_probe_device+0x3c/0x218\n __device_attach_driver+0x14c/0x188\n bus_for_each_drv+0x10c/0x168\n __device_attach+0xfc/0x198\n device_initial_probe+0x14/0x24\n bus_probe_device+0x94/0x11c\n device_add+0x268/0x48c\n usb_add_gadget+0x198/0x28c\n dwc3_gadget_init+0x700/0x858\n __dwc3_set_mode+0x3cc/0x664\n process_scheduled_works+0x1d8/0x488\n worker_thread+0x244/0x334\n kthread+0x114/0x1bc\n ret_from_fork+0x10/0x20"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:17:51.389Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/185193a4714aa9c78437a7a1858fbe5771f0f45c"
},
{
"url": "https://git.kernel.org/stable/c/f37de8dec6a4c379b4b8486003a1de00ff8cff3b"
},
{
"url": "https://git.kernel.org/stable/c/1cde4516295a030cb8ab4c93114ca3b6c3c6a1e2"
},
{
"url": "https://git.kernel.org/stable/c/d3fe7143928d8dfa2ec7bac9f906b48bc75b98ee"
},
{
"url": "https://git.kernel.org/stable/c/ed78f4d6079d872432b1ed54f155ef61965d3137"
},
{
"url": "https://git.kernel.org/stable/c/75a5b8d4ddd4eb6b16cb0b475d14ff4ae64295ef"
}
],
"title": "usb: gadget: f_ncm: Refactor bind path to use __free()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40092",
"datePublished": "2025-10-30T09:47:59.910Z",
"dateReserved": "2025-04-16T07:20:57.163Z",
"dateUpdated": "2025-12-01T06:17:51.389Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68303 (GCVE-0-2025-68303)
Vulnerability from cvelistv5
Published
2025-12-16 15:06
Modified
2025-12-16 15:06
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
platform/x86: intel: punit_ipc: fix memory corruption
This passes the address of the pointer "&punit_ipcdev" when the intent
was to pass the pointer itself "punit_ipcdev" (without the ampersand).
This means that the:
complete(&ipcdev->cmd_complete);
in intel_punit_ioc() will write to a wrong memory address corrupting it.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: fdca4f16f57da76a8e68047923588a87d1c01f0a Version: fdca4f16f57da76a8e68047923588a87d1c01f0a Version: fdca4f16f57da76a8e68047923588a87d1c01f0a Version: fdca4f16f57da76a8e68047923588a87d1c01f0a Version: fdca4f16f57da76a8e68047923588a87d1c01f0a Version: fdca4f16f57da76a8e68047923588a87d1c01f0a |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/platform/x86/intel/punit_ipc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "15d560cdf5b36c51fffec07ac2a983ab3bff4cb2",
"status": "affected",
"version": "fdca4f16f57da76a8e68047923588a87d1c01f0a",
"versionType": "git"
},
{
"lessThan": "46e9d6f54184573dae1dcbcf6685a572ba6f4480",
"status": "affected",
"version": "fdca4f16f57da76a8e68047923588a87d1c01f0a",
"versionType": "git"
},
{
"lessThan": "3e7442c5802146fd418ba3f68dcb9ca92b5cec83",
"status": "affected",
"version": "fdca4f16f57da76a8e68047923588a87d1c01f0a",
"versionType": "git"
},
{
"lessThan": "a21615a4ac6fecbb586d59fe2206b63501021789",
"status": "affected",
"version": "fdca4f16f57da76a8e68047923588a87d1c01f0a",
"versionType": "git"
},
{
"lessThan": "c2ee6d38996775a19bfdf20cb01a9b8698cb0baa",
"status": "affected",
"version": "fdca4f16f57da76a8e68047923588a87d1c01f0a",
"versionType": "git"
},
{
"lessThan": "9b9c0adbc3f8a524d291baccc9d0c04097fb4869",
"status": "affected",
"version": "fdca4f16f57da76a8e68047923588a87d1c01f0a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/platform/x86/intel/punit_ipc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.5"
},
{
"lessThan": "4.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: intel: punit_ipc: fix memory corruption\n\nThis passes the address of the pointer \"\u0026punit_ipcdev\" when the intent\nwas to pass the pointer itself \"punit_ipcdev\" (without the ampersand).\nThis means that the:\n\n\tcomplete(\u0026ipcdev-\u003ecmd_complete);\n\nin intel_punit_ioc() will write to a wrong memory address corrupting it."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:06:21.208Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/15d560cdf5b36c51fffec07ac2a983ab3bff4cb2"
},
{
"url": "https://git.kernel.org/stable/c/46e9d6f54184573dae1dcbcf6685a572ba6f4480"
},
{
"url": "https://git.kernel.org/stable/c/3e7442c5802146fd418ba3f68dcb9ca92b5cec83"
},
{
"url": "https://git.kernel.org/stable/c/a21615a4ac6fecbb586d59fe2206b63501021789"
},
{
"url": "https://git.kernel.org/stable/c/c2ee6d38996775a19bfdf20cb01a9b8698cb0baa"
},
{
"url": "https://git.kernel.org/stable/c/9b9c0adbc3f8a524d291baccc9d0c04097fb4869"
}
],
"title": "platform/x86: intel: punit_ipc: fix memory corruption",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68303",
"datePublished": "2025-12-16T15:06:21.208Z",
"dateReserved": "2025-12-16T14:48:05.294Z",
"dateUpdated": "2025-12-16T15:06:21.208Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68802 (GCVE-0-2025-68802)
Vulnerability from cvelistv5
Published
2026-01-13 15:29
Modified
2026-02-09 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/xe: Limit num_syncs to prevent oversized allocations
The exec and vm_bind ioctl allow userspace to specify an arbitrary
num_syncs value. Without bounds checking, a very large num_syncs
can force an excessively large allocation, leading to kernel warnings
from the page allocator as below.
Introduce DRM_XE_MAX_SYNCS (set to 1024) and reject any request
exceeding this limit.
"
------------[ cut here ]------------
WARNING: CPU: 0 PID: 1217 at mm/page_alloc.c:5124 __alloc_frozen_pages_noprof+0x2f8/0x2180 mm/page_alloc.c:5124
...
Call Trace:
<TASK>
alloc_pages_mpol+0xe4/0x330 mm/mempolicy.c:2416
___kmalloc_large_node+0xd8/0x110 mm/slub.c:4317
__kmalloc_large_node_noprof+0x18/0xe0 mm/slub.c:4348
__do_kmalloc_node mm/slub.c:4364 [inline]
__kmalloc_noprof+0x3d4/0x4b0 mm/slub.c:4388
kmalloc_noprof include/linux/slab.h:909 [inline]
kmalloc_array_noprof include/linux/slab.h:948 [inline]
xe_exec_ioctl+0xa47/0x1e70 drivers/gpu/drm/xe/xe_exec.c:158
drm_ioctl_kernel+0x1f1/0x3e0 drivers/gpu/drm/drm_ioctl.c:797
drm_ioctl+0x5e7/0xc50 drivers/gpu/drm/drm_ioctl.c:894
xe_drm_ioctl+0x10b/0x170 drivers/gpu/drm/xe/xe_device.c:224
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:598 [inline]
__se_sys_ioctl fs/ioctl.c:584 [inline]
__x64_sys_ioctl+0x18b/0x210 fs/ioctl.c:584
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xbb/0x380 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
...
"
v2: Add "Reported-by" and Cc stable kernels.
v3: Change XE_MAX_SYNCS from 64 to 1024. (Matt & Ashutosh)
v4: s/XE_MAX_SYNCS/DRM_XE_MAX_SYNCS/ (Matt)
v5: Do the check at the top of the exec func. (Matt)
(cherry picked from commit b07bac9bd708ec468cd1b8a5fe70ae2ac9b0a11c)
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/xe/xe_exec.c",
"drivers/gpu/drm/xe/xe_vm.c",
"include/uapi/drm/xe_drm.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e281d1fd6903a081ef023c341145ae92258e38d2",
"status": "affected",
"version": "dd08ebf6c3525a7ea2186e636df064ea47281987",
"versionType": "git"
},
{
"lessThan": "1d200017f55f829b9e376093bd31dfbec92081de",
"status": "affected",
"version": "dd08ebf6c3525a7ea2186e636df064ea47281987",
"versionType": "git"
},
{
"lessThan": "8e461304009135270e9ccf2d7e2dfe29daec9b60",
"status": "affected",
"version": "dd08ebf6c3525a7ea2186e636df064ea47281987",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/xe/xe_exec.c",
"drivers/gpu/drm/xe/xe_vm.c",
"include/uapi/drm/xe_drm.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Limit num_syncs to prevent oversized allocations\n\nThe exec and vm_bind ioctl allow userspace to specify an arbitrary\nnum_syncs value. Without bounds checking, a very large num_syncs\ncan force an excessively large allocation, leading to kernel warnings\nfrom the page allocator as below.\n\nIntroduce DRM_XE_MAX_SYNCS (set to 1024) and reject any request\nexceeding this limit.\n\n\"\n------------[ cut here ]------------\nWARNING: CPU: 0 PID: 1217 at mm/page_alloc.c:5124 __alloc_frozen_pages_noprof+0x2f8/0x2180 mm/page_alloc.c:5124\n...\nCall Trace:\n \u003cTASK\u003e\n alloc_pages_mpol+0xe4/0x330 mm/mempolicy.c:2416\n ___kmalloc_large_node+0xd8/0x110 mm/slub.c:4317\n __kmalloc_large_node_noprof+0x18/0xe0 mm/slub.c:4348\n __do_kmalloc_node mm/slub.c:4364 [inline]\n __kmalloc_noprof+0x3d4/0x4b0 mm/slub.c:4388\n kmalloc_noprof include/linux/slab.h:909 [inline]\n kmalloc_array_noprof include/linux/slab.h:948 [inline]\n xe_exec_ioctl+0xa47/0x1e70 drivers/gpu/drm/xe/xe_exec.c:158\n drm_ioctl_kernel+0x1f1/0x3e0 drivers/gpu/drm/drm_ioctl.c:797\n drm_ioctl+0x5e7/0xc50 drivers/gpu/drm/drm_ioctl.c:894\n xe_drm_ioctl+0x10b/0x170 drivers/gpu/drm/xe/xe_device.c:224\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:598 [inline]\n __se_sys_ioctl fs/ioctl.c:584 [inline]\n __x64_sys_ioctl+0x18b/0x210 fs/ioctl.c:584\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xbb/0x380 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n...\n\"\n\nv2: Add \"Reported-by\" and Cc stable kernels.\nv3: Change XE_MAX_SYNCS from 64 to 1024. (Matt \u0026 Ashutosh)\nv4: s/XE_MAX_SYNCS/DRM_XE_MAX_SYNCS/ (Matt)\nv5: Do the check at the top of the exec func. (Matt)\n\n(cherry picked from commit b07bac9bd708ec468cd1b8a5fe70ae2ac9b0a11c)"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:50.835Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e281d1fd6903a081ef023c341145ae92258e38d2"
},
{
"url": "https://git.kernel.org/stable/c/1d200017f55f829b9e376093bd31dfbec92081de"
},
{
"url": "https://git.kernel.org/stable/c/8e461304009135270e9ccf2d7e2dfe29daec9b60"
}
],
"title": "drm/xe: Limit num_syncs to prevent oversized allocations",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68802",
"datePublished": "2026-01-13T15:29:11.079Z",
"dateReserved": "2025-12-24T10:30:51.045Z",
"dateUpdated": "2026-02-09T08:33:50.835Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68229 (GCVE-0-2025-68229)
Vulnerability from cvelistv5
Published
2025-12-16 13:57
Modified
2025-12-16 13:57
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: target: tcm_loop: Fix segfault in tcm_loop_tpg_address_show()
If the allocation of tl_hba->sh fails in tcm_loop_driver_probe() and we
attempt to dereference it in tcm_loop_tpg_address_show() we will get a
segfault, see below for an example. So, check tl_hba->sh before
dereferencing it.
Unable to allocate struct scsi_host
BUG: kernel NULL pointer dereference, address: 0000000000000194
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP NOPTI
CPU: 1 PID: 8356 Comm: tokio-runtime-w Not tainted 6.6.104.2-4.azl3 #1
Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 09/28/2024
RIP: 0010:tcm_loop_tpg_address_show+0x2e/0x50 [tcm_loop]
...
Call Trace:
<TASK>
configfs_read_iter+0x12d/0x1d0 [configfs]
vfs_read+0x1b5/0x300
ksys_read+0x6f/0xf0
...
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 2628b352c3d4905adf8129ea50900bd980b6ccef Version: 2628b352c3d4905adf8129ea50900bd980b6ccef Version: 2628b352c3d4905adf8129ea50900bd980b6ccef Version: 2628b352c3d4905adf8129ea50900bd980b6ccef Version: 2628b352c3d4905adf8129ea50900bd980b6ccef Version: 2628b352c3d4905adf8129ea50900bd980b6ccef Version: 2628b352c3d4905adf8129ea50900bd980b6ccef Version: 2628b352c3d4905adf8129ea50900bd980b6ccef |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/target/loopback/tcm_loop.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "63f511d3855f7f4b35dd63dbc58fc3d935a81268",
"status": "affected",
"version": "2628b352c3d4905adf8129ea50900bd980b6ccef",
"versionType": "git"
},
{
"lessThan": "3d8c517f6eb27e47b1a198e05f8023038329b40b",
"status": "affected",
"version": "2628b352c3d4905adf8129ea50900bd980b6ccef",
"versionType": "git"
},
{
"lessThan": "f449a1edd7a13bb025aaf9342ea6f8bf92684bbf",
"status": "affected",
"version": "2628b352c3d4905adf8129ea50900bd980b6ccef",
"versionType": "git"
},
{
"lessThan": "1c9ba455b5073253ceaadae4859546e38e8261fe",
"status": "affected",
"version": "2628b352c3d4905adf8129ea50900bd980b6ccef",
"versionType": "git"
},
{
"lessThan": "a6ef60898ddaf1414592ce3e5b0d94276d631663",
"status": "affected",
"version": "2628b352c3d4905adf8129ea50900bd980b6ccef",
"versionType": "git"
},
{
"lessThan": "72e8831079266749a7023618a0de2f289a9dced6",
"status": "affected",
"version": "2628b352c3d4905adf8129ea50900bd980b6ccef",
"versionType": "git"
},
{
"lessThan": "13aff3b8a7184281b134698704d6c06863a8361b",
"status": "affected",
"version": "2628b352c3d4905adf8129ea50900bd980b6ccef",
"versionType": "git"
},
{
"lessThan": "e6965188f84a7883e6a0d3448e86b0cf29b24dfc",
"status": "affected",
"version": "2628b352c3d4905adf8129ea50900bd980b6ccef",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/target/loopback/tcm_loop.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.5"
},
{
"lessThan": "4.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: tcm_loop: Fix segfault in tcm_loop_tpg_address_show()\n\nIf the allocation of tl_hba-\u003esh fails in tcm_loop_driver_probe() and we\nattempt to dereference it in tcm_loop_tpg_address_show() we will get a\nsegfault, see below for an example. So, check tl_hba-\u003esh before\ndereferencing it.\n\n Unable to allocate struct scsi_host\n BUG: kernel NULL pointer dereference, address: 0000000000000194\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: 0000 [#1] PREEMPT SMP NOPTI\n CPU: 1 PID: 8356 Comm: tokio-runtime-w Not tainted 6.6.104.2-4.azl3 #1\n Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 09/28/2024\n RIP: 0010:tcm_loop_tpg_address_show+0x2e/0x50 [tcm_loop]\n...\n Call Trace:\n \u003cTASK\u003e\n configfs_read_iter+0x12d/0x1d0 [configfs]\n vfs_read+0x1b5/0x300\n ksys_read+0x6f/0xf0\n..."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T13:57:21.835Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/63f511d3855f7f4b35dd63dbc58fc3d935a81268"
},
{
"url": "https://git.kernel.org/stable/c/3d8c517f6eb27e47b1a198e05f8023038329b40b"
},
{
"url": "https://git.kernel.org/stable/c/f449a1edd7a13bb025aaf9342ea6f8bf92684bbf"
},
{
"url": "https://git.kernel.org/stable/c/1c9ba455b5073253ceaadae4859546e38e8261fe"
},
{
"url": "https://git.kernel.org/stable/c/a6ef60898ddaf1414592ce3e5b0d94276d631663"
},
{
"url": "https://git.kernel.org/stable/c/72e8831079266749a7023618a0de2f289a9dced6"
},
{
"url": "https://git.kernel.org/stable/c/13aff3b8a7184281b134698704d6c06863a8361b"
},
{
"url": "https://git.kernel.org/stable/c/e6965188f84a7883e6a0d3448e86b0cf29b24dfc"
}
],
"title": "scsi: target: tcm_loop: Fix segfault in tcm_loop_tpg_address_show()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68229",
"datePublished": "2025-12-16T13:57:21.835Z",
"dateReserved": "2025-12-16T13:41:40.258Z",
"dateUpdated": "2025-12-16T13:57:21.835Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68380 (GCVE-0-2025-68380)
Vulnerability from cvelistv5
Published
2025-12-24 10:33
Modified
2026-02-09 08:32
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath11k: fix peer HE MCS assignment
In ath11k_wmi_send_peer_assoc_cmd(), peer's transmit MCS is sent to
firmware as receive MCS while peer's receive MCS sent as transmit MCS,
which goes against firmwire's definition.
While connecting to a misbehaved AP that advertises 0xffff (meaning not
supported) for 160 MHz transmit MCS map, firmware crashes due to 0xffff
is assigned to he_mcs->rx_mcs_set field.
Ext Tag: HE Capabilities
[...]
Supported HE-MCS and NSS Set
[...]
Rx and Tx MCS Maps 160 MHz
[...]
Tx HE-MCS Map 160 MHz: 0xffff
Swap the assignment to fix this issue.
As the HE rate control mask is meant to limit our own transmit MCS, it
needs to go via he_mcs->rx_mcs_set field. With the aforementioned swapping
done, change is needed as well to apply it to the peer's receive MCS.
Tested-on: WCN6855 hw2.1 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41
Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 61fe43e7216df6e9a912d831aafc7142fa20f280 Version: 61fe43e7216df6e9a912d831aafc7142fa20f280 Version: 61fe43e7216df6e9a912d831aafc7142fa20f280 Version: 61fe43e7216df6e9a912d831aafc7142fa20f280 Version: 61fe43e7216df6e9a912d831aafc7142fa20f280 Version: 61fe43e7216df6e9a912d831aafc7142fa20f280 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath11k/mac.c",
"drivers/net/wireless/ath/ath11k/wmi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "92791290e4f6a1de25d35af792ab8918a70737f6",
"status": "affected",
"version": "61fe43e7216df6e9a912d831aafc7142fa20f280",
"versionType": "git"
},
{
"lessThan": "4304bd7a334e981f189b9973056a58f84cc2b482",
"status": "affected",
"version": "61fe43e7216df6e9a912d831aafc7142fa20f280",
"versionType": "git"
},
{
"lessThan": "097c870b91817779e5a312c6539099a884b1fe2b",
"status": "affected",
"version": "61fe43e7216df6e9a912d831aafc7142fa20f280",
"versionType": "git"
},
{
"lessThan": "381096a417b7019896e93e86f4c585c592bf98e2",
"status": "affected",
"version": "61fe43e7216df6e9a912d831aafc7142fa20f280",
"versionType": "git"
},
{
"lessThan": "6b1a0da75932353f66e710976ca85a7131f647ff",
"status": "affected",
"version": "61fe43e7216df6e9a912d831aafc7142fa20f280",
"versionType": "git"
},
{
"lessThan": "4a013ca2d490c73c40588d62712ffaa432046a04",
"status": "affected",
"version": "61fe43e7216df6e9a912d831aafc7142fa20f280",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath11k/mac.c",
"drivers/net/wireless/ath/ath11k/wmi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: fix peer HE MCS assignment\n\nIn ath11k_wmi_send_peer_assoc_cmd(), peer\u0027s transmit MCS is sent to\nfirmware as receive MCS while peer\u0027s receive MCS sent as transmit MCS,\nwhich goes against firmwire\u0027s definition.\n\nWhile connecting to a misbehaved AP that advertises 0xffff (meaning not\nsupported) for 160 MHz transmit MCS map, firmware crashes due to 0xffff\nis assigned to he_mcs-\u003erx_mcs_set field.\n\n\tExt Tag: HE Capabilities\n\t [...]\n\t Supported HE-MCS and NSS Set\n\t\t[...]\n\t Rx and Tx MCS Maps 160 MHz\n\t\t [...]\n\t Tx HE-MCS Map 160 MHz: 0xffff\n\nSwap the assignment to fix this issue.\n\nAs the HE rate control mask is meant to limit our own transmit MCS, it\nneeds to go via he_mcs-\u003erx_mcs_set field. With the aforementioned swapping\ndone, change is needed as well to apply it to the peer\u0027s receive MCS.\n\nTested-on: WCN6855 hw2.1 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:32:18.882Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/92791290e4f6a1de25d35af792ab8918a70737f6"
},
{
"url": "https://git.kernel.org/stable/c/4304bd7a334e981f189b9973056a58f84cc2b482"
},
{
"url": "https://git.kernel.org/stable/c/097c870b91817779e5a312c6539099a884b1fe2b"
},
{
"url": "https://git.kernel.org/stable/c/381096a417b7019896e93e86f4c585c592bf98e2"
},
{
"url": "https://git.kernel.org/stable/c/6b1a0da75932353f66e710976ca85a7131f647ff"
},
{
"url": "https://git.kernel.org/stable/c/4a013ca2d490c73c40588d62712ffaa432046a04"
}
],
"title": "wifi: ath11k: fix peer HE MCS assignment",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68380",
"datePublished": "2025-12-24T10:33:08.266Z",
"dateReserved": "2025-12-16T14:48:05.311Z",
"dateUpdated": "2026-02-09T08:32:18.882Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68285 (GCVE-0-2025-68285)
Vulnerability from cvelistv5
Published
2025-12-16 15:06
Modified
2026-01-02 15:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
libceph: fix potential use-after-free in have_mon_and_osd_map()
The wait loop in __ceph_open_session() can race with the client
receiving a new monmap or osdmap shortly after the initial map is
received. Both ceph_monc_handle_map() and handle_one_map() install
a new map immediately after freeing the old one
kfree(monc->monmap);
monc->monmap = monmap;
ceph_osdmap_destroy(osdc->osdmap);
osdc->osdmap = newmap;
under client->monc.mutex and client->osdc.lock respectively, but
because neither is taken in have_mon_and_osd_map() it's possible for
client->monc.monmap->epoch and client->osdc.osdmap->epoch arms in
client->monc.monmap && client->monc.monmap->epoch &&
client->osdc.osdmap && client->osdc.osdmap->epoch;
condition to dereference an already freed map. This happens to be
reproducible with generic/395 and generic/397 with KASAN enabled:
BUG: KASAN: slab-use-after-free in have_mon_and_osd_map+0x56/0x70
Read of size 4 at addr ffff88811012d810 by task mount.ceph/13305
CPU: 2 UID: 0 PID: 13305 Comm: mount.ceph Not tainted 6.14.0-rc2-build2+ #1266
...
Call Trace:
<TASK>
have_mon_and_osd_map+0x56/0x70
ceph_open_session+0x182/0x290
ceph_get_tree+0x333/0x680
vfs_get_tree+0x49/0x180
do_new_mount+0x1a3/0x2d0
path_mount+0x6dd/0x730
do_mount+0x99/0xe0
__do_sys_mount+0x141/0x180
do_syscall_64+0x9f/0x100
entry_SYSCALL_64_after_hwframe+0x76/0x7e
</TASK>
Allocated by task 13305:
ceph_osdmap_alloc+0x16/0x130
ceph_osdc_init+0x27a/0x4c0
ceph_create_client+0x153/0x190
create_fs_client+0x50/0x2a0
ceph_get_tree+0xff/0x680
vfs_get_tree+0x49/0x180
do_new_mount+0x1a3/0x2d0
path_mount+0x6dd/0x730
do_mount+0x99/0xe0
__do_sys_mount+0x141/0x180
do_syscall_64+0x9f/0x100
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Freed by task 9475:
kfree+0x212/0x290
handle_one_map+0x23c/0x3b0
ceph_osdc_handle_map+0x3c9/0x590
mon_dispatch+0x655/0x6f0
ceph_con_process_message+0xc3/0xe0
ceph_con_v1_try_read+0x614/0x760
ceph_con_workfn+0x2de/0x650
process_one_work+0x486/0x7c0
process_scheduled_works+0x73/0x90
worker_thread+0x1c8/0x2a0
kthread+0x2ec/0x300
ret_from_fork+0x24/0x40
ret_from_fork_asm+0x1a/0x30
Rewrite the wait loop to check the above condition directly with
client->monc.mutex and client->osdc.lock taken as appropriate. While
at it, improve the timeout handling (previously mount_timeout could be
exceeded in case wait_event_interruptible_timeout() slept more than
once) and access client->auth_err under client->monc.mutex to match
how it's set in finish_auth().
monmap_show() and osdmap_show() now take the respective lock before
accessing the map as well.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 6822d00b5462e7a9dfa11dcc60cc25823a2107c5 Version: 6822d00b5462e7a9dfa11dcc60cc25823a2107c5 Version: 6822d00b5462e7a9dfa11dcc60cc25823a2107c5 Version: 6822d00b5462e7a9dfa11dcc60cc25823a2107c5 Version: 6822d00b5462e7a9dfa11dcc60cc25823a2107c5 Version: 6822d00b5462e7a9dfa11dcc60cc25823a2107c5 Version: 6822d00b5462e7a9dfa11dcc60cc25823a2107c5 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ceph/ceph_common.c",
"net/ceph/debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bb4910c5fd436701faf367e1b5476a5a6d2aff1c",
"status": "affected",
"version": "6822d00b5462e7a9dfa11dcc60cc25823a2107c5",
"versionType": "git"
},
{
"lessThan": "05ec43e9a9de67132dc8cd3b22afef001574947f",
"status": "affected",
"version": "6822d00b5462e7a9dfa11dcc60cc25823a2107c5",
"versionType": "git"
},
{
"lessThan": "7c8ccdc1714d9fabecd26e1be7db1771061acc6e",
"status": "affected",
"version": "6822d00b5462e7a9dfa11dcc60cc25823a2107c5",
"versionType": "git"
},
{
"lessThan": "183ad6e3b651e8fb0b66d6a2678f4b80bfbba092",
"status": "affected",
"version": "6822d00b5462e7a9dfa11dcc60cc25823a2107c5",
"versionType": "git"
},
{
"lessThan": "e08021b3b56b2407f37b5fe47b654be80cc665fb",
"status": "affected",
"version": "6822d00b5462e7a9dfa11dcc60cc25823a2107c5",
"versionType": "git"
},
{
"lessThan": "3fc43120b22a3d4f1fbeff56a35ce2105b6a5683",
"status": "affected",
"version": "6822d00b5462e7a9dfa11dcc60cc25823a2107c5",
"versionType": "git"
},
{
"lessThan": "076381c261374c587700b3accf410bdd2dba334e",
"status": "affected",
"version": "6822d00b5462e7a9dfa11dcc60cc25823a2107c5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ceph/ceph_common.c",
"net/ceph/debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.35"
},
{
"lessThan": "2.6.35",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.35",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: fix potential use-after-free in have_mon_and_osd_map()\n\nThe wait loop in __ceph_open_session() can race with the client\nreceiving a new monmap or osdmap shortly after the initial map is\nreceived. Both ceph_monc_handle_map() and handle_one_map() install\na new map immediately after freeing the old one\n\n kfree(monc-\u003emonmap);\n monc-\u003emonmap = monmap;\n\n ceph_osdmap_destroy(osdc-\u003eosdmap);\n osdc-\u003eosdmap = newmap;\n\nunder client-\u003emonc.mutex and client-\u003eosdc.lock respectively, but\nbecause neither is taken in have_mon_and_osd_map() it\u0027s possible for\nclient-\u003emonc.monmap-\u003eepoch and client-\u003eosdc.osdmap-\u003eepoch arms in\n\n client-\u003emonc.monmap \u0026\u0026 client-\u003emonc.monmap-\u003eepoch \u0026\u0026\n client-\u003eosdc.osdmap \u0026\u0026 client-\u003eosdc.osdmap-\u003eepoch;\n\ncondition to dereference an already freed map. This happens to be\nreproducible with generic/395 and generic/397 with KASAN enabled:\n\n BUG: KASAN: slab-use-after-free in have_mon_and_osd_map+0x56/0x70\n Read of size 4 at addr ffff88811012d810 by task mount.ceph/13305\n CPU: 2 UID: 0 PID: 13305 Comm: mount.ceph Not tainted 6.14.0-rc2-build2+ #1266\n ...\n Call Trace:\n \u003cTASK\u003e\n have_mon_and_osd_map+0x56/0x70\n ceph_open_session+0x182/0x290\n ceph_get_tree+0x333/0x680\n vfs_get_tree+0x49/0x180\n do_new_mount+0x1a3/0x2d0\n path_mount+0x6dd/0x730\n do_mount+0x99/0xe0\n __do_sys_mount+0x141/0x180\n do_syscall_64+0x9f/0x100\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n \u003c/TASK\u003e\n\n Allocated by task 13305:\n ceph_osdmap_alloc+0x16/0x130\n ceph_osdc_init+0x27a/0x4c0\n ceph_create_client+0x153/0x190\n create_fs_client+0x50/0x2a0\n ceph_get_tree+0xff/0x680\n vfs_get_tree+0x49/0x180\n do_new_mount+0x1a3/0x2d0\n path_mount+0x6dd/0x730\n do_mount+0x99/0xe0\n __do_sys_mount+0x141/0x180\n do_syscall_64+0x9f/0x100\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n Freed by task 9475:\n kfree+0x212/0x290\n handle_one_map+0x23c/0x3b0\n ceph_osdc_handle_map+0x3c9/0x590\n mon_dispatch+0x655/0x6f0\n ceph_con_process_message+0xc3/0xe0\n ceph_con_v1_try_read+0x614/0x760\n ceph_con_workfn+0x2de/0x650\n process_one_work+0x486/0x7c0\n process_scheduled_works+0x73/0x90\n worker_thread+0x1c8/0x2a0\n kthread+0x2ec/0x300\n ret_from_fork+0x24/0x40\n ret_from_fork_asm+0x1a/0x30\n\nRewrite the wait loop to check the above condition directly with\nclient-\u003emonc.mutex and client-\u003eosdc.lock taken as appropriate. While\nat it, improve the timeout handling (previously mount_timeout could be\nexceeded in case wait_event_interruptible_timeout() slept more than\nonce) and access client-\u003eauth_err under client-\u003emonc.mutex to match\nhow it\u0027s set in finish_auth().\n\nmonmap_show() and osdmap_show() now take the respective lock before\naccessing the map as well."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:34:50.454Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bb4910c5fd436701faf367e1b5476a5a6d2aff1c"
},
{
"url": "https://git.kernel.org/stable/c/05ec43e9a9de67132dc8cd3b22afef001574947f"
},
{
"url": "https://git.kernel.org/stable/c/7c8ccdc1714d9fabecd26e1be7db1771061acc6e"
},
{
"url": "https://git.kernel.org/stable/c/183ad6e3b651e8fb0b66d6a2678f4b80bfbba092"
},
{
"url": "https://git.kernel.org/stable/c/e08021b3b56b2407f37b5fe47b654be80cc665fb"
},
{
"url": "https://git.kernel.org/stable/c/3fc43120b22a3d4f1fbeff56a35ce2105b6a5683"
},
{
"url": "https://git.kernel.org/stable/c/076381c261374c587700b3accf410bdd2dba334e"
}
],
"title": "libceph: fix potential use-after-free in have_mon_and_osd_map()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68285",
"datePublished": "2025-12-16T15:06:07.078Z",
"dateReserved": "2025-12-16T14:48:05.292Z",
"dateUpdated": "2026-01-02T15:34:50.454Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38584 (GCVE-0-2025-38584)
Vulnerability from cvelistv5
Published
2025-08-19 17:03
Modified
2025-09-29 05:54
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
padata: Fix pd UAF once and for all
There is a race condition/UAF in padata_reorder that goes back
to the initial commit. A reference count is taken at the start
of the process in padata_do_parallel, and released at the end in
padata_serial_worker.
This reference count is (and only is) required for padata_replace
to function correctly. If padata_replace is never called then
there is no issue.
In the function padata_reorder which serves as the core of padata,
as soon as padata is added to queue->serial.list, and the associated
spin lock released, that padata may be processed and the reference
count on pd would go away.
Fix this by getting the next padata before the squeue->serial lock
is released.
In order to make this possible, simplify padata_reorder by only
calling it once the next padata arrives.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/padata.h",
"kernel/padata.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dbe3e911a59bda6de96e7cae387ff882c2c177fa",
"status": "affected",
"version": "16295bec6398a3eedc9377e1af6ff4c71b98c300",
"versionType": "git"
},
{
"lessThan": "cdf79bd2e1ecb3cc75631c73d8f4149be6019a52",
"status": "affected",
"version": "16295bec6398a3eedc9377e1af6ff4c71b98c300",
"versionType": "git"
},
{
"lessThan": "71203f68c7749609d7fc8ae6ad054bdedeb24f91",
"status": "affected",
"version": "16295bec6398a3eedc9377e1af6ff4c71b98c300",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/padata.h",
"kernel/padata.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.34"
},
{
"lessThan": "2.6.34",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.34",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npadata: Fix pd UAF once and for all\n\nThere is a race condition/UAF in padata_reorder that goes back\nto the initial commit. A reference count is taken at the start\nof the process in padata_do_parallel, and released at the end in\npadata_serial_worker.\n\nThis reference count is (and only is) required for padata_replace\nto function correctly. If padata_replace is never called then\nthere is no issue.\n\nIn the function padata_reorder which serves as the core of padata,\nas soon as padata is added to queue-\u003eserial.list, and the associated\nspin lock released, that padata may be processed and the reference\ncount on pd would go away.\n\nFix this by getting the next padata before the squeue-\u003eserial lock\nis released.\n\nIn order to make this possible, simplify padata_reorder by only\ncalling it once the next padata arrives."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:54:15.987Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dbe3e911a59bda6de96e7cae387ff882c2c177fa"
},
{
"url": "https://git.kernel.org/stable/c/cdf79bd2e1ecb3cc75631c73d8f4149be6019a52"
},
{
"url": "https://git.kernel.org/stable/c/71203f68c7749609d7fc8ae6ad054bdedeb24f91"
}
],
"title": "padata: Fix pd UAF once and for all",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38584",
"datePublished": "2025-08-19T17:03:06.172Z",
"dateReserved": "2025-04-16T04:51:24.026Z",
"dateUpdated": "2025-09-29T05:54:15.987Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-71133 (GCVE-0-2025-71133)
Vulnerability from cvelistv5
Published
2026-01-14 15:07
Modified
2026-02-09 08:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/irdma: avoid invalid read in irdma_net_event
irdma_net_event() should not dereference anything from "neigh" (alias
"ptr") until it has checked that the event is NETEVENT_NEIGH_UPDATE.
Other events come with different structures pointed to by "ptr" and they
may be smaller than struct neighbour.
Move the read of neigh->dev under the NETEVENT_NEIGH_UPDATE case.
The bug is mostly harmless, but it triggers KASAN on debug kernels:
BUG: KASAN: stack-out-of-bounds in irdma_net_event+0x32e/0x3b0 [irdma]
Read of size 8 at addr ffffc900075e07f0 by task kworker/27:2/542554
CPU: 27 PID: 542554 Comm: kworker/27:2 Kdump: loaded Not tainted 5.14.0-630.el9.x86_64+debug #1
Hardware name: [...]
Workqueue: events rt6_probe_deferred
Call Trace:
<IRQ>
dump_stack_lvl+0x60/0xb0
print_address_description.constprop.0+0x2c/0x3f0
print_report+0xb4/0x270
kasan_report+0x92/0xc0
irdma_net_event+0x32e/0x3b0 [irdma]
notifier_call_chain+0x9e/0x180
atomic_notifier_call_chain+0x5c/0x110
rt6_do_redirect+0xb91/0x1080
tcp_v6_err+0xe9b/0x13e0
icmpv6_notify+0x2b2/0x630
ndisc_redirect_rcv+0x328/0x530
icmpv6_rcv+0xc16/0x1360
ip6_protocol_deliver_rcu+0xb84/0x12e0
ip6_input_finish+0x117/0x240
ip6_input+0xc4/0x370
ipv6_rcv+0x420/0x7d0
__netif_receive_skb_one_core+0x118/0x1b0
process_backlog+0xd1/0x5d0
__napi_poll.constprop.0+0xa3/0x440
net_rx_action+0x78a/0xba0
handle_softirqs+0x2d4/0x9c0
do_softirq+0xad/0xe0
</IRQ>
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 915cc7ac0f8e2a23675ee896e87f17c7d3c47089 Version: 915cc7ac0f8e2a23675ee896e87f17c7d3c47089 Version: 915cc7ac0f8e2a23675ee896e87f17c7d3c47089 Version: 915cc7ac0f8e2a23675ee896e87f17c7d3c47089 Version: 915cc7ac0f8e2a23675ee896e87f17c7d3c47089 Version: 915cc7ac0f8e2a23675ee896e87f17c7d3c47089 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/irdma/utils.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "db93ae6fa66f1c61ae63400191195e3ee58021da",
"status": "affected",
"version": "915cc7ac0f8e2a23675ee896e87f17c7d3c47089",
"versionType": "git"
},
{
"lessThan": "305c02e541befe4a44ffde30ed374970f41aeb6c",
"status": "affected",
"version": "915cc7ac0f8e2a23675ee896e87f17c7d3c47089",
"versionType": "git"
},
{
"lessThan": "fc23d05f0b3fb4d80657e7afebae2cae686b31c8",
"status": "affected",
"version": "915cc7ac0f8e2a23675ee896e87f17c7d3c47089",
"versionType": "git"
},
{
"lessThan": "bf197c7c79ef6458d1ee84dd7db251b51784885f",
"status": "affected",
"version": "915cc7ac0f8e2a23675ee896e87f17c7d3c47089",
"versionType": "git"
},
{
"lessThan": "d9b9affd103f51b42322da4ed5ac025b560bc354",
"status": "affected",
"version": "915cc7ac0f8e2a23675ee896e87f17c7d3c47089",
"versionType": "git"
},
{
"lessThan": "6f05611728e9d0ab024832a4f1abb74a5f5d0bb0",
"status": "affected",
"version": "915cc7ac0f8e2a23675ee896e87f17c7d3c47089",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/irdma/utils.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/irdma: avoid invalid read in irdma_net_event\n\nirdma_net_event() should not dereference anything from \"neigh\" (alias\n\"ptr\") until it has checked that the event is NETEVENT_NEIGH_UPDATE.\nOther events come with different structures pointed to by \"ptr\" and they\nmay be smaller than struct neighbour.\n\nMove the read of neigh-\u003edev under the NETEVENT_NEIGH_UPDATE case.\n\nThe bug is mostly harmless, but it triggers KASAN on debug kernels:\n\n BUG: KASAN: stack-out-of-bounds in irdma_net_event+0x32e/0x3b0 [irdma]\n Read of size 8 at addr ffffc900075e07f0 by task kworker/27:2/542554\n\n CPU: 27 PID: 542554 Comm: kworker/27:2 Kdump: loaded Not tainted 5.14.0-630.el9.x86_64+debug #1\n Hardware name: [...]\n Workqueue: events rt6_probe_deferred\n Call Trace:\n \u003cIRQ\u003e\n dump_stack_lvl+0x60/0xb0\n print_address_description.constprop.0+0x2c/0x3f0\n print_report+0xb4/0x270\n kasan_report+0x92/0xc0\n irdma_net_event+0x32e/0x3b0 [irdma]\n notifier_call_chain+0x9e/0x180\n atomic_notifier_call_chain+0x5c/0x110\n rt6_do_redirect+0xb91/0x1080\n tcp_v6_err+0xe9b/0x13e0\n icmpv6_notify+0x2b2/0x630\n ndisc_redirect_rcv+0x328/0x530\n icmpv6_rcv+0xc16/0x1360\n ip6_protocol_deliver_rcu+0xb84/0x12e0\n ip6_input_finish+0x117/0x240\n ip6_input+0xc4/0x370\n ipv6_rcv+0x420/0x7d0\n __netif_receive_skb_one_core+0x118/0x1b0\n process_backlog+0xd1/0x5d0\n __napi_poll.constprop.0+0xa3/0x440\n net_rx_action+0x78a/0xba0\n handle_softirqs+0x2d4/0x9c0\n do_softirq+0xad/0xe0\n \u003c/IRQ\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:29.446Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/db93ae6fa66f1c61ae63400191195e3ee58021da"
},
{
"url": "https://git.kernel.org/stable/c/305c02e541befe4a44ffde30ed374970f41aeb6c"
},
{
"url": "https://git.kernel.org/stable/c/fc23d05f0b3fb4d80657e7afebae2cae686b31c8"
},
{
"url": "https://git.kernel.org/stable/c/bf197c7c79ef6458d1ee84dd7db251b51784885f"
},
{
"url": "https://git.kernel.org/stable/c/d9b9affd103f51b42322da4ed5ac025b560bc354"
},
{
"url": "https://git.kernel.org/stable/c/6f05611728e9d0ab024832a4f1abb74a5f5d0bb0"
}
],
"title": "RDMA/irdma: avoid invalid read in irdma_net_event",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71133",
"datePublished": "2026-01-14T15:07:48.524Z",
"dateReserved": "2026-01-13T15:30:19.655Z",
"dateUpdated": "2026-02-09T08:35:29.446Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68346 (GCVE-0-2025-68346)
Vulnerability from cvelistv5
Published
2025-12-24 10:32
Modified
2026-02-09 08:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: dice: fix buffer overflow in detect_stream_formats()
The function detect_stream_formats() reads the stream_count value directly
from a FireWire device without validating it. This can lead to
out-of-bounds writes when a malicious device provides a stream_count value
greater than MAX_STREAMS.
Fix by applying the same validation to both TX and RX stream counts in
detect_stream_formats().
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 58579c056c1c9510ae6695ed8e01ee05bbdcfb23 Version: 58579c056c1c9510ae6695ed8e01ee05bbdcfb23 Version: 58579c056c1c9510ae6695ed8e01ee05bbdcfb23 Version: 58579c056c1c9510ae6695ed8e01ee05bbdcfb23 Version: 58579c056c1c9510ae6695ed8e01ee05bbdcfb23 Version: 58579c056c1c9510ae6695ed8e01ee05bbdcfb23 Version: 58579c056c1c9510ae6695ed8e01ee05bbdcfb23 Version: 58579c056c1c9510ae6695ed8e01ee05bbdcfb23 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/firewire/dice/dice-extension.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d6280a5b00cad37d9a9a875849e5bf7ed2fe4950",
"status": "affected",
"version": "58579c056c1c9510ae6695ed8e01ee05bbdcfb23",
"versionType": "git"
},
{
"lessThan": "3cf854cec0eb371da47ff5fe56eab189d7fa623a",
"status": "affected",
"version": "58579c056c1c9510ae6695ed8e01ee05bbdcfb23",
"versionType": "git"
},
{
"lessThan": "4a6ab0f6cc9bdfdfecbf257a46ff4275bd965af4",
"status": "affected",
"version": "58579c056c1c9510ae6695ed8e01ee05bbdcfb23",
"versionType": "git"
},
{
"lessThan": "dea3ed2c16f99f46f97b1a090bf80ecdd6972ce0",
"status": "affected",
"version": "58579c056c1c9510ae6695ed8e01ee05bbdcfb23",
"versionType": "git"
},
{
"lessThan": "c0a1fe1902ad23e6d48e0f68be1258ccf7a163e6",
"status": "affected",
"version": "58579c056c1c9510ae6695ed8e01ee05bbdcfb23",
"versionType": "git"
},
{
"lessThan": "932aa1e80b022419cf9710e970739b7a8794f27c",
"status": "affected",
"version": "58579c056c1c9510ae6695ed8e01ee05bbdcfb23",
"versionType": "git"
},
{
"lessThan": "1e1b3207a53e50d5a66289fffc1f7d52cd9c50f9",
"status": "affected",
"version": "58579c056c1c9510ae6695ed8e01ee05bbdcfb23",
"versionType": "git"
},
{
"lessThan": "324f3e03e8a85931ce0880654e3c3eb38b0f0bba",
"status": "affected",
"version": "58579c056c1c9510ae6695ed8e01ee05bbdcfb23",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/firewire/dice/dice-extension.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"lessThan": "4.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: dice: fix buffer overflow in detect_stream_formats()\n\nThe function detect_stream_formats() reads the stream_count value directly\nfrom a FireWire device without validating it. This can lead to\nout-of-bounds writes when a malicious device provides a stream_count value\ngreater than MAX_STREAMS.\n\nFix by applying the same validation to both TX and RX stream counts in\ndetect_stream_formats()."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:31:35.157Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d6280a5b00cad37d9a9a875849e5bf7ed2fe4950"
},
{
"url": "https://git.kernel.org/stable/c/3cf854cec0eb371da47ff5fe56eab189d7fa623a"
},
{
"url": "https://git.kernel.org/stable/c/4a6ab0f6cc9bdfdfecbf257a46ff4275bd965af4"
},
{
"url": "https://git.kernel.org/stable/c/dea3ed2c16f99f46f97b1a090bf80ecdd6972ce0"
},
{
"url": "https://git.kernel.org/stable/c/c0a1fe1902ad23e6d48e0f68be1258ccf7a163e6"
},
{
"url": "https://git.kernel.org/stable/c/932aa1e80b022419cf9710e970739b7a8794f27c"
},
{
"url": "https://git.kernel.org/stable/c/1e1b3207a53e50d5a66289fffc1f7d52cd9c50f9"
},
{
"url": "https://git.kernel.org/stable/c/324f3e03e8a85931ce0880654e3c3eb38b0f0bba"
}
],
"title": "ALSA: dice: fix buffer overflow in detect_stream_formats()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68346",
"datePublished": "2025-12-24T10:32:39.101Z",
"dateReserved": "2025-12-16T14:48:05.299Z",
"dateUpdated": "2026-02-09T08:31:35.157Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22998 (GCVE-0-2026-22998)
Vulnerability from cvelistv5
Published
2026-01-25 14:36
Modified
2026-02-09 08:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec
Commit efa56305908b ("nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length")
added ttag bounds checking and data_offset
validation in nvmet_tcp_handle_h2c_data_pdu(), but it did not validate
whether the command's data structures (cmd->req.sg and cmd->iov) have
been properly initialized before processing H2C_DATA PDUs.
The nvmet_tcp_build_pdu_iovec() function dereferences these pointers
without NULL checks. This can be triggered by sending H2C_DATA PDU
immediately after the ICREQ/ICRESP handshake, before
sending a CONNECT command or NVMe write command.
Attack vectors that trigger NULL pointer dereferences:
1. H2C_DATA PDU sent before CONNECT → both pointers NULL
2. H2C_DATA PDU for READ command → cmd->req.sg allocated, cmd->iov NULL
3. H2C_DATA PDU for uninitialized command slot → both pointers NULL
The fix validates both cmd->req.sg and cmd->iov before calling
nvmet_tcp_build_pdu_iovec(). Both checks are required because:
- Uninitialized commands: both NULL
- READ commands: cmd->req.sg allocated, cmd->iov NULL
- WRITE commands: both allocated
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: f775f2621c2ac5cc3a0b3a64665dad4fb146e510 Version: 4cb3cf7177ae3666be7fb27d4ad4d72a295fb02d Version: 2871aa407007f6f531fae181ad252486e022df42 Version: 24e05760186dc070d3db190ca61efdbce23afc88 Version: efa56305908ba20de2104f1b8508c6a7401833be Version: efa56305908ba20de2104f1b8508c6a7401833be Version: efa56305908ba20de2104f1b8508c6a7401833be Version: ee5e7632e981673f42a50ade25e71e612e543d9d Version: 70154e8d015c9b4fb56c1a2ef1fc8b83d45c7f68 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nvme/target/tcp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "baabe43a0edefac8cd7b981ff87f967f6034dafe",
"status": "affected",
"version": "f775f2621c2ac5cc3a0b3a64665dad4fb146e510",
"versionType": "git"
},
{
"lessThan": "76abc83a9d25593c2b7613c549413079c14a4686",
"status": "affected",
"version": "4cb3cf7177ae3666be7fb27d4ad4d72a295fb02d",
"versionType": "git"
},
{
"lessThan": "7d75570002929d20e40110d6b03e46202c9d1bc7",
"status": "affected",
"version": "2871aa407007f6f531fae181ad252486e022df42",
"versionType": "git"
},
{
"lessThan": "fdecd3b6aac10d5a18d0dc500fe57f8648b66cd4",
"status": "affected",
"version": "24e05760186dc070d3db190ca61efdbce23afc88",
"versionType": "git"
},
{
"lessThan": "3def5243150716be86599c2a1767c29c68838b6d",
"status": "affected",
"version": "efa56305908ba20de2104f1b8508c6a7401833be",
"versionType": "git"
},
{
"lessThan": "374b095e265fa27465f34780e0eb162ff1bef913",
"status": "affected",
"version": "efa56305908ba20de2104f1b8508c6a7401833be",
"versionType": "git"
},
{
"lessThan": "32b63acd78f577b332d976aa06b56e70d054cbba",
"status": "affected",
"version": "efa56305908ba20de2104f1b8508c6a7401833be",
"versionType": "git"
},
{
"status": "affected",
"version": "ee5e7632e981673f42a50ade25e71e612e543d9d",
"versionType": "git"
},
{
"status": "affected",
"version": "70154e8d015c9b4fb56c1a2ef1fc8b83d45c7f68",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nvme/target/tcp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "5.10.209",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "5.15.148",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "6.1.75",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "6.6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.268",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.7.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec\n\nCommit efa56305908b (\"nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length\")\nadded ttag bounds checking and data_offset\nvalidation in nvmet_tcp_handle_h2c_data_pdu(), but it did not validate\nwhether the command\u0027s data structures (cmd-\u003ereq.sg and cmd-\u003eiov) have\nbeen properly initialized before processing H2C_DATA PDUs.\n\nThe nvmet_tcp_build_pdu_iovec() function dereferences these pointers\nwithout NULL checks. This can be triggered by sending H2C_DATA PDU\nimmediately after the ICREQ/ICRESP handshake, before\nsending a CONNECT command or NVMe write command.\n\nAttack vectors that trigger NULL pointer dereferences:\n1. H2C_DATA PDU sent before CONNECT \u2192 both pointers NULL\n2. H2C_DATA PDU for READ command \u2192 cmd-\u003ereq.sg allocated, cmd-\u003eiov NULL\n3. H2C_DATA PDU for uninitialized command slot \u2192 both pointers NULL\n\nThe fix validates both cmd-\u003ereq.sg and cmd-\u003eiov before calling\nnvmet_tcp_build_pdu_iovec(). Both checks are required because:\n- Uninitialized commands: both NULL\n- READ commands: cmd-\u003ereq.sg allocated, cmd-\u003eiov NULL\n- WRITE commands: both allocated"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:50.534Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/baabe43a0edefac8cd7b981ff87f967f6034dafe"
},
{
"url": "https://git.kernel.org/stable/c/76abc83a9d25593c2b7613c549413079c14a4686"
},
{
"url": "https://git.kernel.org/stable/c/7d75570002929d20e40110d6b03e46202c9d1bc7"
},
{
"url": "https://git.kernel.org/stable/c/fdecd3b6aac10d5a18d0dc500fe57f8648b66cd4"
},
{
"url": "https://git.kernel.org/stable/c/3def5243150716be86599c2a1767c29c68838b6d"
},
{
"url": "https://git.kernel.org/stable/c/374b095e265fa27465f34780e0eb162ff1bef913"
},
{
"url": "https://git.kernel.org/stable/c/32b63acd78f577b332d976aa06b56e70d054cbba"
}
],
"title": "nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-22998",
"datePublished": "2026-01-25T14:36:12.935Z",
"dateReserved": "2026-01-13T15:37:45.938Z",
"dateUpdated": "2026-02-09T08:36:50.534Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23269 (GCVE-0-2026-23269)
Vulnerability from cvelistv5
Published
2026-03-18 17:54
Modified
2026-04-18 08:57
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
apparmor: validate DFA start states are in bounds in unpack_pdb
Start states are read from untrusted data and used as indexes into the
DFA state tables. The aa_dfa_next() function call in unpack_pdb() will
access dfa->tables[YYTD_ID_BASE][start], and if the start state exceeds
the number of states in the DFA, this results in an out-of-bound read.
==================================================================
BUG: KASAN: slab-out-of-bounds in aa_dfa_next+0x2a1/0x360
Read of size 4 at addr ffff88811956fb90 by task su/1097
...
Reject policies with out-of-bounds start states during unpacking
to prevent the issue.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: ad5ff3db53c68c2f12936bc74ea5dfe0af943592 Version: ad5ff3db53c68c2f12936bc74ea5dfe0af943592 Version: ad5ff3db53c68c2f12936bc74ea5dfe0af943592 Version: ad5ff3db53c68c2f12936bc74ea5dfe0af943592 Version: ad5ff3db53c68c2f12936bc74ea5dfe0af943592 Version: ad5ff3db53c68c2f12936bc74ea5dfe0af943592 Version: ad5ff3db53c68c2f12936bc74ea5dfe0af943592 Version: ad5ff3db53c68c2f12936bc74ea5dfe0af943592 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"security/apparmor/policy_unpack.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f43eea8ae0102ea198da211ef7f5ce83725ecf19",
"status": "affected",
"version": "ad5ff3db53c68c2f12936bc74ea5dfe0af943592",
"versionType": "git"
},
{
"lessThan": "5487871b2b56c19d26936ed6fdc62652b30941df",
"status": "affected",
"version": "ad5ff3db53c68c2f12936bc74ea5dfe0af943592",
"versionType": "git"
},
{
"lessThan": "5443c027ec16afa55b1b8a3e7a1ab2ea3c77767a",
"status": "affected",
"version": "ad5ff3db53c68c2f12936bc74ea5dfe0af943592",
"versionType": "git"
},
{
"lessThan": "07cf6320f40ea2ccfad63728cff34ecb309d03da",
"status": "affected",
"version": "ad5ff3db53c68c2f12936bc74ea5dfe0af943592",
"versionType": "git"
},
{
"lessThan": "15c3eb8916e7db01cb246d04a1fe6f0fdc065b0c",
"status": "affected",
"version": "ad5ff3db53c68c2f12936bc74ea5dfe0af943592",
"versionType": "git"
},
{
"lessThan": "0baadb0eece2c4d939db10d3c323b4652ac79a58",
"status": "affected",
"version": "ad5ff3db53c68c2f12936bc74ea5dfe0af943592",
"versionType": "git"
},
{
"lessThan": "3bb7db43e32190c973d4019037cedb7895920184",
"status": "affected",
"version": "ad5ff3db53c68c2f12936bc74ea5dfe0af943592",
"versionType": "git"
},
{
"lessThan": "9063d7e2615f4a7ab321de6b520e23d370e58816",
"status": "affected",
"version": "ad5ff3db53c68c2f12936bc74ea5dfe0af943592",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"security/apparmor/policy_unpack.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.4"
},
{
"lessThan": "3.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.18",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.8",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: validate DFA start states are in bounds in unpack_pdb\n\nStart states are read from untrusted data and used as indexes into the\nDFA state tables. The aa_dfa_next() function call in unpack_pdb() will\naccess dfa-\u003etables[YYTD_ID_BASE][start], and if the start state exceeds\nthe number of states in the DFA, this results in an out-of-bound read.\n\n==================================================================\n BUG: KASAN: slab-out-of-bounds in aa_dfa_next+0x2a1/0x360\n Read of size 4 at addr ffff88811956fb90 by task su/1097\n ...\n\nReject policies with out-of-bounds start states during unpacking\nto prevent the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:57:29.535Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f43eea8ae0102ea198da211ef7f5ce83725ecf19"
},
{
"url": "https://git.kernel.org/stable/c/5487871b2b56c19d26936ed6fdc62652b30941df"
},
{
"url": "https://git.kernel.org/stable/c/5443c027ec16afa55b1b8a3e7a1ab2ea3c77767a"
},
{
"url": "https://git.kernel.org/stable/c/07cf6320f40ea2ccfad63728cff34ecb309d03da"
},
{
"url": "https://git.kernel.org/stable/c/15c3eb8916e7db01cb246d04a1fe6f0fdc065b0c"
},
{
"url": "https://git.kernel.org/stable/c/0baadb0eece2c4d939db10d3c323b4652ac79a58"
},
{
"url": "https://git.kernel.org/stable/c/3bb7db43e32190c973d4019037cedb7895920184"
},
{
"url": "https://git.kernel.org/stable/c/9063d7e2615f4a7ab321de6b520e23d370e58816"
},
{
"url": "https://www.qualys.com/2026/03/10/crack-armor.txt"
}
],
"title": "apparmor: validate DFA start states are in bounds in unpack_pdb",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23269",
"datePublished": "2026-03-18T17:54:42.988Z",
"dateReserved": "2026-01-13T15:37:45.991Z",
"dateUpdated": "2026-04-18T08:57:29.535Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71136 (GCVE-0-2025-71136)
Vulnerability from cvelistv5
Published
2026-01-14 15:07
Modified
2026-02-09 08:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: adv7842: Avoid possible out-of-bounds array accesses in adv7842_cp_log_status()
It's possible for cp_read() and hdmi_read() to return -EIO. Those
values are further used as indexes for accessing arrays.
Fix that by checking return values where it's needed.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: a89bcd4c6c2023615a89001b5a11b0bb77eb9491 Version: a89bcd4c6c2023615a89001b5a11b0bb77eb9491 Version: a89bcd4c6c2023615a89001b5a11b0bb77eb9491 Version: a89bcd4c6c2023615a89001b5a11b0bb77eb9491 Version: a89bcd4c6c2023615a89001b5a11b0bb77eb9491 Version: a89bcd4c6c2023615a89001b5a11b0bb77eb9491 Version: a89bcd4c6c2023615a89001b5a11b0bb77eb9491 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/i2c/adv7842.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f81ee181cb036d046340c213091b69d9a8701a76",
"status": "affected",
"version": "a89bcd4c6c2023615a89001b5a11b0bb77eb9491",
"versionType": "git"
},
{
"lessThan": "f913b9a2ccd6114b206b9e91dae5e3dc13a415a0",
"status": "affected",
"version": "a89bcd4c6c2023615a89001b5a11b0bb77eb9491",
"versionType": "git"
},
{
"lessThan": "d6a22a4a96e4dfe6897cb3532d2b3016d87706f0",
"status": "affected",
"version": "a89bcd4c6c2023615a89001b5a11b0bb77eb9491",
"versionType": "git"
},
{
"lessThan": "a73881ae085db5702d8b13e2fc9f78d51c723d3f",
"status": "affected",
"version": "a89bcd4c6c2023615a89001b5a11b0bb77eb9491",
"versionType": "git"
},
{
"lessThan": "60dde0960e3ead8a9569f6c494d90d0232ac0983",
"status": "affected",
"version": "a89bcd4c6c2023615a89001b5a11b0bb77eb9491",
"versionType": "git"
},
{
"lessThan": "b693d48a6ed0cd09171103ad418e4a693203d6e4",
"status": "affected",
"version": "a89bcd4c6c2023615a89001b5a11b0bb77eb9491",
"versionType": "git"
},
{
"lessThan": "8163419e3e05d71dcfa8fb49c8fdf8d76908fe51",
"status": "affected",
"version": "a89bcd4c6c2023615a89001b5a11b0bb77eb9491",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/i2c/adv7842.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.12"
},
{
"lessThan": "3.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: adv7842: Avoid possible out-of-bounds array accesses in adv7842_cp_log_status()\n\nIt\u0027s possible for cp_read() and hdmi_read() to return -EIO. Those\nvalues are further used as indexes for accessing arrays.\n\nFix that by checking return values where it\u0027s needed.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:32.724Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f81ee181cb036d046340c213091b69d9a8701a76"
},
{
"url": "https://git.kernel.org/stable/c/f913b9a2ccd6114b206b9e91dae5e3dc13a415a0"
},
{
"url": "https://git.kernel.org/stable/c/d6a22a4a96e4dfe6897cb3532d2b3016d87706f0"
},
{
"url": "https://git.kernel.org/stable/c/a73881ae085db5702d8b13e2fc9f78d51c723d3f"
},
{
"url": "https://git.kernel.org/stable/c/60dde0960e3ead8a9569f6c494d90d0232ac0983"
},
{
"url": "https://git.kernel.org/stable/c/b693d48a6ed0cd09171103ad418e4a693203d6e4"
},
{
"url": "https://git.kernel.org/stable/c/8163419e3e05d71dcfa8fb49c8fdf8d76908fe51"
}
],
"title": "media: adv7842: Avoid possible out-of-bounds array accesses in adv7842_cp_log_status()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71136",
"datePublished": "2026-01-14T15:07:50.568Z",
"dateReserved": "2026-01-13T15:30:19.656Z",
"dateUpdated": "2026-02-09T08:35:32.724Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54207 (GCVE-0-2023-54207)
Vulnerability from cvelistv5
Published
2025-12-30 12:11
Modified
2026-02-06 16:30
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: uclogic: Correct devm device reference for hidinput input_dev name
Reference the HID device rather than the input device for the devm
allocation of the input_dev name. Referencing the input_dev would lead to a
use-after-free when the input_dev was unregistered and subsequently fires a
uevent that depends on the name. At the point of firing the uevent, the
name would be freed by devres management.
Use devm_kasprintf to simplify the logic for allocating memory and
formatting the input_dev name string.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: cce2dbdf258e6b27b2b100f511531edabb77f427 Version: cce2dbdf258e6b27b2b100f511531edabb77f427 Version: cce2dbdf258e6b27b2b100f511531edabb77f427 Version: cce2dbdf258e6b27b2b100f511531edabb77f427 Version: cce2dbdf258e6b27b2b100f511531edabb77f427 Version: cce2dbdf258e6b27b2b100f511531edabb77f427 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-uclogic-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f78bb490b16ecb506d4904be4b00bf9aad6588f9",
"status": "affected",
"version": "cce2dbdf258e6b27b2b100f511531edabb77f427",
"versionType": "git"
},
{
"lessThan": "51f49e3927ad545cec0c0afb86856ccacd9f085d",
"status": "affected",
"version": "cce2dbdf258e6b27b2b100f511531edabb77f427",
"versionType": "git"
},
{
"lessThan": "f283805d984343b2f216e2f4c6c7af265b9542ae",
"status": "affected",
"version": "cce2dbdf258e6b27b2b100f511531edabb77f427",
"versionType": "git"
},
{
"lessThan": "4c2707dfee5847dc0b5ecfbe512c29c93832fdc4",
"status": "affected",
"version": "cce2dbdf258e6b27b2b100f511531edabb77f427",
"versionType": "git"
},
{
"lessThan": "58f0d1c0e494a88f301bf455da7df4366f179bbb",
"status": "affected",
"version": "cce2dbdf258e6b27b2b100f511531edabb77f427",
"versionType": "git"
},
{
"lessThan": "dd613a4e45f8d35f49a63a2064e5308fa5619e29",
"status": "affected",
"version": "cce2dbdf258e6b27b2b100f511531edabb77f427",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-uclogic-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.1"
},
{
"lessThan": "4.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "4.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: uclogic: Correct devm device reference for hidinput input_dev name\n\nReference the HID device rather than the input device for the devm\nallocation of the input_dev name. Referencing the input_dev would lead to a\nuse-after-free when the input_dev was unregistered and subsequently fires a\nuevent that depends on the name. At the point of firing the uevent, the\nname would be freed by devres management.\n\nUse devm_kasprintf to simplify the logic for allocating memory and\nformatting the input_dev name string."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T16:30:47.394Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f78bb490b16ecb506d4904be4b00bf9aad6588f9"
},
{
"url": "https://git.kernel.org/stable/c/51f49e3927ad545cec0c0afb86856ccacd9f085d"
},
{
"url": "https://git.kernel.org/stable/c/f283805d984343b2f216e2f4c6c7af265b9542ae"
},
{
"url": "https://git.kernel.org/stable/c/4c2707dfee5847dc0b5ecfbe512c29c93832fdc4"
},
{
"url": "https://git.kernel.org/stable/c/58f0d1c0e494a88f301bf455da7df4366f179bbb"
},
{
"url": "https://git.kernel.org/stable/c/dd613a4e45f8d35f49a63a2064e5308fa5619e29"
}
],
"title": "HID: uclogic: Correct devm device reference for hidinput input_dev name",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54207",
"datePublished": "2025-12-30T12:11:06.643Z",
"dateReserved": "2025-12-30T12:06:44.500Z",
"dateUpdated": "2026-02-06T16:30:47.394Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71076 (GCVE-0-2025-71076)
Vulnerability from cvelistv5
Published
2026-01-13 15:31
Modified
2026-02-09 08:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/xe/oa: Limit num_syncs to prevent oversized allocations
The OA open parameters did not validate num_syncs, allowing
userspace to pass arbitrarily large values, potentially
leading to excessive allocations.
Add check to ensure that num_syncs does not exceed DRM_XE_MAX_SYNCS,
returning -EINVAL when the limit is violated.
v2: use XE_IOCTL_DBG() and drop duplicated check. (Ashutosh)
(cherry picked from commit e057b2d2b8d815df3858a87dffafa2af37e5945b)
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/xe/xe_oa.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b963636331fb4f3f598d80492e2fa834757198eb",
"status": "affected",
"version": "803d418b73387fda392ddd83eace757ac25cf15d",
"versionType": "git"
},
{
"lessThan": "338849090ee610ff6d11e5e90857d2c27a4121ab",
"status": "affected",
"version": "c8507a25cebd179db935dd266a33c51bef1b1e80",
"versionType": "git"
},
{
"lessThan": "f8dd66bfb4e184c71bd26418a00546ebe7f5c17a",
"status": "affected",
"version": "c8507a25cebd179db935dd266a33c51bef1b1e80",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/xe/xe_oa.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.13"
},
{
"lessThan": "6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.12.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/oa: Limit num_syncs to prevent oversized allocations\n\nThe OA open parameters did not validate num_syncs, allowing\nuserspace to pass arbitrarily large values, potentially\nleading to excessive allocations.\n\nAdd check to ensure that num_syncs does not exceed DRM_XE_MAX_SYNCS,\nreturning -EINVAL when the limit is violated.\n\nv2: use XE_IOCTL_DBG() and drop duplicated check. (Ashutosh)\n\n(cherry picked from commit e057b2d2b8d815df3858a87dffafa2af37e5945b)"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:27.154Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b963636331fb4f3f598d80492e2fa834757198eb"
},
{
"url": "https://git.kernel.org/stable/c/338849090ee610ff6d11e5e90857d2c27a4121ab"
},
{
"url": "https://git.kernel.org/stable/c/f8dd66bfb4e184c71bd26418a00546ebe7f5c17a"
}
],
"title": "drm/xe/oa: Limit num_syncs to prevent oversized allocations",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71076",
"datePublished": "2026-01-13T15:31:28.759Z",
"dateReserved": "2026-01-13T15:30:19.648Z",
"dateUpdated": "2026-02-09T08:34:27.154Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68793 (GCVE-0-2025-68793)
Vulnerability from cvelistv5
Published
2026-01-13 15:29
Modified
2026-02-09 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: fix a job->pasid access race in gpu recovery
Avoid a possible UAF in GPU recovery due to a race between
the sched timeout callback and the tdr work queue.
The gpu recovery function calls drm_sched_stop() and
later drm_sched_start(). drm_sched_start() restarts
the tdr queue which will eventually free the job. If
the tdr queue frees the job before time out callback
completes, the job will be freed and we'll get a UAF
when accessing the pasid. Cache it early to avoid the
UAF.
Example KASAN trace:
[ 493.058141] BUG: KASAN: slab-use-after-free in amdgpu_device_gpu_recover+0x968/0x990 [amdgpu]
[ 493.067530] Read of size 4 at addr ffff88b0ce3f794c by task kworker/u128:1/323
[ 493.074892]
[ 493.076485] CPU: 9 UID: 0 PID: 323 Comm: kworker/u128:1 Tainted: G E 6.16.0-1289896.2.zuul.bf4f11df81c1410bbe901c4373305a31 #1 PREEMPT(voluntary)
[ 493.076493] Tainted: [E]=UNSIGNED_MODULE
[ 493.076495] Hardware name: TYAN B8021G88V2HR-2T/S8021GM2NR-2T, BIOS V1.03.B10 04/01/2019
[ 493.076500] Workqueue: amdgpu-reset-dev drm_sched_job_timedout [gpu_sched]
[ 493.076512] Call Trace:
[ 493.076515] <TASK>
[ 493.076518] dump_stack_lvl+0x64/0x80
[ 493.076529] print_report+0xce/0x630
[ 493.076536] ? _raw_spin_lock_irqsave+0x86/0xd0
[ 493.076541] ? __pfx__raw_spin_lock_irqsave+0x10/0x10
[ 493.076545] ? amdgpu_device_gpu_recover+0x968/0x990 [amdgpu]
[ 493.077253] kasan_report+0xb8/0xf0
[ 493.077258] ? amdgpu_device_gpu_recover+0x968/0x990 [amdgpu]
[ 493.077965] amdgpu_device_gpu_recover+0x968/0x990 [amdgpu]
[ 493.078672] ? __pfx_amdgpu_device_gpu_recover+0x10/0x10 [amdgpu]
[ 493.079378] ? amdgpu_coredump+0x1fd/0x4c0 [amdgpu]
[ 493.080111] amdgpu_job_timedout+0x642/0x1400 [amdgpu]
[ 493.080903] ? pick_task_fair+0x24e/0x330
[ 493.080910] ? __pfx_amdgpu_job_timedout+0x10/0x10 [amdgpu]
[ 493.081702] ? _raw_spin_lock+0x75/0xc0
[ 493.081708] ? __pfx__raw_spin_lock+0x10/0x10
[ 493.081712] drm_sched_job_timedout+0x1b0/0x4b0 [gpu_sched]
[ 493.081721] ? __pfx__raw_spin_lock_irq+0x10/0x10
[ 493.081725] process_one_work+0x679/0xff0
[ 493.081732] worker_thread+0x6ce/0xfd0
[ 493.081736] ? __pfx_worker_thread+0x10/0x10
[ 493.081739] kthread+0x376/0x730
[ 493.081744] ? __pfx_kthread+0x10/0x10
[ 493.081748] ? __pfx__raw_spin_lock_irq+0x10/0x10
[ 493.081751] ? __pfx_kthread+0x10/0x10
[ 493.081755] ret_from_fork+0x247/0x330
[ 493.081761] ? __pfx_kthread+0x10/0x10
[ 493.081764] ret_from_fork_asm+0x1a/0x30
[ 493.081771] </TASK>
(cherry picked from commit 20880a3fd5dd7bca1a079534cf6596bda92e107d)
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dac58c012c47cadf337a35eb05d44498c43e5cd0",
"status": "affected",
"version": "a72002cb181f350734108228b24c5d10d358f95a",
"versionType": "git"
},
{
"lessThan": "77f73253015cbc7893fca1821ac3eae9eb4bc943",
"status": "affected",
"version": "a72002cb181f350734108228b24c5d10d358f95a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.17"
},
{
"lessThan": "6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix a job-\u003epasid access race in gpu recovery\n\nAvoid a possible UAF in GPU recovery due to a race between\nthe sched timeout callback and the tdr work queue.\n\nThe gpu recovery function calls drm_sched_stop() and\nlater drm_sched_start(). drm_sched_start() restarts\nthe tdr queue which will eventually free the job. If\nthe tdr queue frees the job before time out callback\ncompletes, the job will be freed and we\u0027ll get a UAF\nwhen accessing the pasid. Cache it early to avoid the\nUAF.\n\nExample KASAN trace:\n[ 493.058141] BUG: KASAN: slab-use-after-free in amdgpu_device_gpu_recover+0x968/0x990 [amdgpu]\n[ 493.067530] Read of size 4 at addr ffff88b0ce3f794c by task kworker/u128:1/323\n[ 493.074892]\n[ 493.076485] CPU: 9 UID: 0 PID: 323 Comm: kworker/u128:1 Tainted: G E 6.16.0-1289896.2.zuul.bf4f11df81c1410bbe901c4373305a31 #1 PREEMPT(voluntary)\n[ 493.076493] Tainted: [E]=UNSIGNED_MODULE\n[ 493.076495] Hardware name: TYAN B8021G88V2HR-2T/S8021GM2NR-2T, BIOS V1.03.B10 04/01/2019\n[ 493.076500] Workqueue: amdgpu-reset-dev drm_sched_job_timedout [gpu_sched]\n[ 493.076512] Call Trace:\n[ 493.076515] \u003cTASK\u003e\n[ 493.076518] dump_stack_lvl+0x64/0x80\n[ 493.076529] print_report+0xce/0x630\n[ 493.076536] ? _raw_spin_lock_irqsave+0x86/0xd0\n[ 493.076541] ? __pfx__raw_spin_lock_irqsave+0x10/0x10\n[ 493.076545] ? amdgpu_device_gpu_recover+0x968/0x990 [amdgpu]\n[ 493.077253] kasan_report+0xb8/0xf0\n[ 493.077258] ? amdgpu_device_gpu_recover+0x968/0x990 [amdgpu]\n[ 493.077965] amdgpu_device_gpu_recover+0x968/0x990 [amdgpu]\n[ 493.078672] ? __pfx_amdgpu_device_gpu_recover+0x10/0x10 [amdgpu]\n[ 493.079378] ? amdgpu_coredump+0x1fd/0x4c0 [amdgpu]\n[ 493.080111] amdgpu_job_timedout+0x642/0x1400 [amdgpu]\n[ 493.080903] ? pick_task_fair+0x24e/0x330\n[ 493.080910] ? __pfx_amdgpu_job_timedout+0x10/0x10 [amdgpu]\n[ 493.081702] ? _raw_spin_lock+0x75/0xc0\n[ 493.081708] ? __pfx__raw_spin_lock+0x10/0x10\n[ 493.081712] drm_sched_job_timedout+0x1b0/0x4b0 [gpu_sched]\n[ 493.081721] ? __pfx__raw_spin_lock_irq+0x10/0x10\n[ 493.081725] process_one_work+0x679/0xff0\n[ 493.081732] worker_thread+0x6ce/0xfd0\n[ 493.081736] ? __pfx_worker_thread+0x10/0x10\n[ 493.081739] kthread+0x376/0x730\n[ 493.081744] ? __pfx_kthread+0x10/0x10\n[ 493.081748] ? __pfx__raw_spin_lock_irq+0x10/0x10\n[ 493.081751] ? __pfx_kthread+0x10/0x10\n[ 493.081755] ret_from_fork+0x247/0x330\n[ 493.081761] ? __pfx_kthread+0x10/0x10\n[ 493.081764] ret_from_fork_asm+0x1a/0x30\n[ 493.081771] \u003c/TASK\u003e\n\n(cherry picked from commit 20880a3fd5dd7bca1a079534cf6596bda92e107d)"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:40.802Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dac58c012c47cadf337a35eb05d44498c43e5cd0"
},
{
"url": "https://git.kernel.org/stable/c/77f73253015cbc7893fca1821ac3eae9eb4bc943"
}
],
"title": "drm/amdgpu: fix a job-\u003epasid access race in gpu recovery",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68793",
"datePublished": "2026-01-13T15:29:04.877Z",
"dateReserved": "2025-12-24T10:30:51.037Z",
"dateUpdated": "2026-02-09T08:33:40.802Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71082 (GCVE-0-2025-71082)
Vulnerability from cvelistv5
Published
2026-01-13 15:34
Modified
2026-02-09 08:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: btusb: revert use of devm_kzalloc in btusb
This reverts commit 98921dbd00c4e ("Bluetooth: Use devm_kzalloc in
btusb.c file").
In btusb_probe(), we use devm_kzalloc() to allocate the btusb data. This
ties the lifetime of all the btusb data to the binding of a driver to
one interface, INTF. In a driver that binds to other interfaces, ISOC
and DIAG, this is an accident waiting to happen.
The issue is revealed in btusb_disconnect(), where calling
usb_driver_release_interface(&btusb_driver, data->intf) will have devm
free the data that is also being used by the other interfaces of the
driver that may not be released yet.
To fix this, revert the use of devm and go back to freeing memory
explicitly.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 98921dbd00c4e2e4bdd56423cb5edf98d57b45f7 Version: 98921dbd00c4e2e4bdd56423cb5edf98d57b45f7 Version: 98921dbd00c4e2e4bdd56423cb5edf98d57b45f7 Version: 98921dbd00c4e2e4bdd56423cb5edf98d57b45f7 Version: 98921dbd00c4e2e4bdd56423cb5edf98d57b45f7 Version: 98921dbd00c4e2e4bdd56423cb5edf98d57b45f7 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/btusb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fff9206b0907252a41eb12b7c1407b9347df18b1",
"status": "affected",
"version": "98921dbd00c4e2e4bdd56423cb5edf98d57b45f7",
"versionType": "git"
},
{
"lessThan": "cca0e9206e3bcc63cd3e72193e60149165d493cc",
"status": "affected",
"version": "98921dbd00c4e2e4bdd56423cb5edf98d57b45f7",
"versionType": "git"
},
{
"lessThan": "c0ecb3e4451fe94f4315e6d09c4046dfbc42090b",
"status": "affected",
"version": "98921dbd00c4e2e4bdd56423cb5edf98d57b45f7",
"versionType": "git"
},
{
"lessThan": "1e54c19eaf84ba652c4e376571093e58e144b339",
"status": "affected",
"version": "98921dbd00c4e2e4bdd56423cb5edf98d57b45f7",
"versionType": "git"
},
{
"lessThan": "fdf7c640fb8a44a59b0671143d8c2f738bc48003",
"status": "affected",
"version": "98921dbd00c4e2e4bdd56423cb5edf98d57b45f7",
"versionType": "git"
},
{
"lessThan": "252714f1e8bdd542025b16321c790458014d6880",
"status": "affected",
"version": "98921dbd00c4e2e4bdd56423cb5edf98d57b45f7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/btusb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.7"
},
{
"lessThan": "3.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btusb: revert use of devm_kzalloc in btusb\n\nThis reverts commit 98921dbd00c4e (\"Bluetooth: Use devm_kzalloc in\nbtusb.c file\").\n\nIn btusb_probe(), we use devm_kzalloc() to allocate the btusb data. This\nties the lifetime of all the btusb data to the binding of a driver to\none interface, INTF. In a driver that binds to other interfaces, ISOC\nand DIAG, this is an accident waiting to happen.\n\nThe issue is revealed in btusb_disconnect(), where calling\nusb_driver_release_interface(\u0026btusb_driver, data-\u003eintf) will have devm\nfree the data that is also being used by the other interfaces of the\ndriver that may not be released yet.\n\nTo fix this, revert the use of devm and go back to freeing memory\nexplicitly."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:33.532Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fff9206b0907252a41eb12b7c1407b9347df18b1"
},
{
"url": "https://git.kernel.org/stable/c/cca0e9206e3bcc63cd3e72193e60149165d493cc"
},
{
"url": "https://git.kernel.org/stable/c/c0ecb3e4451fe94f4315e6d09c4046dfbc42090b"
},
{
"url": "https://git.kernel.org/stable/c/1e54c19eaf84ba652c4e376571093e58e144b339"
},
{
"url": "https://git.kernel.org/stable/c/fdf7c640fb8a44a59b0671143d8c2f738bc48003"
},
{
"url": "https://git.kernel.org/stable/c/252714f1e8bdd542025b16321c790458014d6880"
}
],
"title": "Bluetooth: btusb: revert use of devm_kzalloc in btusb",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71082",
"datePublished": "2026-01-13T15:34:46.301Z",
"dateReserved": "2026-01-13T15:30:19.648Z",
"dateUpdated": "2026-02-09T08:34:33.532Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22982 (GCVE-0-2026-22982)
Vulnerability from cvelistv5
Published
2026-01-23 15:24
Modified
2026-02-09 08:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: mscc: ocelot: Fix crash when adding interface under a lag
Commit 15faa1f67ab4 ("lan966x: Fix crash when adding interface under a lag")
fixed a similar issue in the lan966x driver caused by a NULL pointer dereference.
The ocelot_set_aggr_pgids() function in the ocelot driver has similar logic
and is susceptible to the same crash.
This issue specifically affects the ocelot_vsc7514.c frontend, which leaves
unused ports as NULL pointers. The felix_vsc9959.c frontend is unaffected as
it uses the DSA framework which registers all ports.
Fix this by checking if the port pointer is valid before accessing it.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 528d3f190c98c8f7d9581f68db4af021696727b2 Version: 528d3f190c98c8f7d9581f68db4af021696727b2 Version: 528d3f190c98c8f7d9581f68db4af021696727b2 Version: 528d3f190c98c8f7d9581f68db4af021696727b2 Version: 528d3f190c98c8f7d9581f68db4af021696727b2 Version: 528d3f190c98c8f7d9581f68db4af021696727b2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mscc/ocelot.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8767f238b0e6c3d0b295ac6dce9fbe6a99bd1b9d",
"status": "affected",
"version": "528d3f190c98c8f7d9581f68db4af021696727b2",
"versionType": "git"
},
{
"lessThan": "b17818307446c5a8d925a39a792261dbfa930041",
"status": "affected",
"version": "528d3f190c98c8f7d9581f68db4af021696727b2",
"versionType": "git"
},
{
"lessThan": "2985712dc76dfa670eb7fd607c09d4d48e5f5c6e",
"status": "affected",
"version": "528d3f190c98c8f7d9581f68db4af021696727b2",
"versionType": "git"
},
{
"lessThan": "03fb1708b7d1e76aecebf767ad059c319845039f",
"status": "affected",
"version": "528d3f190c98c8f7d9581f68db4af021696727b2",
"versionType": "git"
},
{
"lessThan": "f490af47bbee02441e356a1e0b86e3b3dd5120ff",
"status": "affected",
"version": "528d3f190c98c8f7d9581f68db4af021696727b2",
"versionType": "git"
},
{
"lessThan": "34f3ff52cb9fa7dbf04f5c734fcc4cb6ed5d1a95",
"status": "affected",
"version": "528d3f190c98c8f7d9581f68db4af021696727b2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mscc/ocelot.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mscc: ocelot: Fix crash when adding interface under a lag\n\nCommit 15faa1f67ab4 (\"lan966x: Fix crash when adding interface under a lag\")\nfixed a similar issue in the lan966x driver caused by a NULL pointer dereference.\nThe ocelot_set_aggr_pgids() function in the ocelot driver has similar logic\nand is susceptible to the same crash.\n\nThis issue specifically affects the ocelot_vsc7514.c frontend, which leaves\nunused ports as NULL pointers. The felix_vsc9959.c frontend is unaffected as\nit uses the DSA framework which registers all ports.\n\nFix this by checking if the port pointer is valid before accessing it."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:32.363Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8767f238b0e6c3d0b295ac6dce9fbe6a99bd1b9d"
},
{
"url": "https://git.kernel.org/stable/c/b17818307446c5a8d925a39a792261dbfa930041"
},
{
"url": "https://git.kernel.org/stable/c/2985712dc76dfa670eb7fd607c09d4d48e5f5c6e"
},
{
"url": "https://git.kernel.org/stable/c/03fb1708b7d1e76aecebf767ad059c319845039f"
},
{
"url": "https://git.kernel.org/stable/c/f490af47bbee02441e356a1e0b86e3b3dd5120ff"
},
{
"url": "https://git.kernel.org/stable/c/34f3ff52cb9fa7dbf04f5c734fcc4cb6ed5d1a95"
}
],
"title": "net: mscc: ocelot: Fix crash when adding interface under a lag",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-22982",
"datePublished": "2026-01-23T15:24:04.556Z",
"dateReserved": "2026-01-13T15:37:45.936Z",
"dateUpdated": "2026-02-09T08:36:32.363Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-49968 (GCVE-0-2024-49968)
Vulnerability from cvelistv5
Published
2024-10-21 18:02
Modified
2026-01-19 12:17
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: filesystems without casefold feature cannot be mounted with siphash
When mounting the ext4 filesystem, if the default hash version is set to
DX_HASH_SIPHASH but the casefold feature is not set, exit the mounting.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-49968",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-22T13:34:11.259486Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-22T13:38:46.654Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "86b81d4eab1cd4c56f7447896232cf33472c2395",
"status": "affected",
"version": "471fbbea7ff7061b2d6474665cb5a2ceb4fd6500",
"versionType": "git"
},
{
"lessThan": "11bd1c279bac701ba91119875796ffff3b98250e",
"status": "affected",
"version": "471fbbea7ff7061b2d6474665cb5a2ceb4fd6500",
"versionType": "git"
},
{
"lessThan": "52c4538a92da6f3242d4140c03ddc5ee71b39ba8",
"status": "affected",
"version": "471fbbea7ff7061b2d6474665cb5a2ceb4fd6500",
"versionType": "git"
},
{
"lessThan": "e1373903db6c4ac994de0d18076280ad88e12dee",
"status": "affected",
"version": "471fbbea7ff7061b2d6474665cb5a2ceb4fd6500",
"versionType": "git"
},
{
"lessThan": "985b67cd86392310d9e9326de941c22fc9340eec",
"status": "affected",
"version": "471fbbea7ff7061b2d6474665cb5a2ceb4fd6500",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"version": "6.11.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.12",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11.3",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: filesystems without casefold feature cannot be mounted with siphash\n\nWhen mounting the ext4 filesystem, if the default hash version is set to\nDX_HASH_SIPHASH but the casefold feature is not set, exit the mounting."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:17:51.927Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/86b81d4eab1cd4c56f7447896232cf33472c2395"
},
{
"url": "https://git.kernel.org/stable/c/11bd1c279bac701ba91119875796ffff3b98250e"
},
{
"url": "https://git.kernel.org/stable/c/52c4538a92da6f3242d4140c03ddc5ee71b39ba8"
},
{
"url": "https://git.kernel.org/stable/c/e1373903db6c4ac994de0d18076280ad88e12dee"
},
{
"url": "https://git.kernel.org/stable/c/985b67cd86392310d9e9326de941c22fc9340eec"
}
],
"title": "ext4: filesystems without casefold feature cannot be mounted with siphash",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-49968",
"datePublished": "2024-10-21T18:02:18.369Z",
"dateReserved": "2024-10-21T12:17:06.051Z",
"dateUpdated": "2026-01-19T12:17:51.927Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23146 (GCVE-0-2026-23146)
Vulnerability from cvelistv5
Published
2026-02-14 16:01
Modified
2026-02-14 16:01
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_uart: fix null-ptr-deref in hci_uart_write_work
hci_uart_set_proto() sets HCI_UART_PROTO_INIT before calling
hci_uart_register_dev(), which calls proto->open() to initialize
hu->priv. However, if a TTY write wakeup occurs during this window,
hci_uart_tx_wakeup() may schedule write_work before hu->priv is
initialized, leading to a NULL pointer dereference in
hci_uart_write_work() when proto->dequeue() accesses hu->priv.
The race condition is:
CPU0 CPU1
---- ----
hci_uart_set_proto()
set_bit(HCI_UART_PROTO_INIT)
hci_uart_register_dev()
tty write wakeup
hci_uart_tty_wakeup()
hci_uart_tx_wakeup()
schedule_work(&hu->write_work)
proto->open(hu)
// initializes hu->priv
hci_uart_write_work()
hci_uart_dequeue()
proto->dequeue(hu)
// accesses hu->priv (NULL!)
Fix this by moving set_bit(HCI_UART_PROTO_INIT) after proto->open()
succeeds, ensuring hu->priv is initialized before any work can be
scheduled.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: a40f94f7caa8d3421b64f63ac31bc0f24c890f39 Version: 9e5a0f5777162e503400c70c6ed25fbbe2d38799 Version: 80f14e9de6a43a0bd8194cad1003a3e6dcbc3984 Version: 02e1bcdfdf769974e7e9fa285e295cd9852e2a38 Version: 281782d2c6730241e300d630bb9f200d831ede71 Version: 5df5dafc171b90d0b8d51547a82657cd5a1986c7 Version: 5df5dafc171b90d0b8d51547a82657cd5a1986c7 Version: 1dcf08fcff5ca529de6dc0395091f28854f4e54a Version: 8e5aff600539e5faea294d9612cca50220e602b8 Version: db7509fa110dd9b11134b75894677f30353b2c51 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/hci_ldisc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b0a900939e7e4866d9b90e9112514b72c451e873",
"status": "affected",
"version": "a40f94f7caa8d3421b64f63ac31bc0f24c890f39",
"versionType": "git"
},
{
"lessThan": "ccc683f597ceb28deb966427ae948e5ac739a909",
"status": "affected",
"version": "9e5a0f5777162e503400c70c6ed25fbbe2d38799",
"versionType": "git"
},
{
"lessThan": "937a573423ce5a96fdb1fd425dc6b8d8d4ab5779",
"status": "affected",
"version": "80f14e9de6a43a0bd8194cad1003a3e6dcbc3984",
"versionType": "git"
},
{
"lessThan": "186d147cf7689ba1f9b3ddb753ab634a84940cc9",
"status": "affected",
"version": "02e1bcdfdf769974e7e9fa285e295cd9852e2a38",
"versionType": "git"
},
{
"lessThan": "53e54cb31e667fca05b1808b990eac0807d1dab0",
"status": "affected",
"version": "281782d2c6730241e300d630bb9f200d831ede71",
"versionType": "git"
},
{
"lessThan": "03e8c90c62233382042b7bd0fa8b8900552fdb62",
"status": "affected",
"version": "5df5dafc171b90d0b8d51547a82657cd5a1986c7",
"versionType": "git"
},
{
"lessThan": "0c3cd7a0b862c37acbee6d9502107146cc944398",
"status": "affected",
"version": "5df5dafc171b90d0b8d51547a82657cd5a1986c7",
"versionType": "git"
},
{
"status": "affected",
"version": "1dcf08fcff5ca529de6dc0395091f28854f4e54a",
"versionType": "git"
},
{
"status": "affected",
"version": "8e5aff600539e5faea294d9612cca50220e602b8",
"versionType": "git"
},
{
"status": "affected",
"version": "db7509fa110dd9b11134b75894677f30353b2c51",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/hci_ldisc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.15"
},
{
"lessThan": "6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.123",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.69",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "5.10.237",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "5.15.181",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "6.1.135",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.123",
"versionStartIncluding": "6.6.88",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.69",
"versionStartIncluding": "6.12.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.9",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.293",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.13.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.14.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_uart: fix null-ptr-deref in hci_uart_write_work\n\nhci_uart_set_proto() sets HCI_UART_PROTO_INIT before calling\nhci_uart_register_dev(), which calls proto-\u003eopen() to initialize\nhu-\u003epriv. However, if a TTY write wakeup occurs during this window,\nhci_uart_tx_wakeup() may schedule write_work before hu-\u003epriv is\ninitialized, leading to a NULL pointer dereference in\nhci_uart_write_work() when proto-\u003edequeue() accesses hu-\u003epriv.\n\nThe race condition is:\n\n CPU0 CPU1\n ---- ----\n hci_uart_set_proto()\n set_bit(HCI_UART_PROTO_INIT)\n hci_uart_register_dev()\n tty write wakeup\n hci_uart_tty_wakeup()\n hci_uart_tx_wakeup()\n schedule_work(\u0026hu-\u003ewrite_work)\n proto-\u003eopen(hu)\n // initializes hu-\u003epriv\n hci_uart_write_work()\n hci_uart_dequeue()\n proto-\u003edequeue(hu)\n // accesses hu-\u003epriv (NULL!)\n\nFix this by moving set_bit(HCI_UART_PROTO_INIT) after proto-\u003eopen()\nsucceeds, ensuring hu-\u003epriv is initialized before any work can be\nscheduled."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T16:01:16.169Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b0a900939e7e4866d9b90e9112514b72c451e873"
},
{
"url": "https://git.kernel.org/stable/c/ccc683f597ceb28deb966427ae948e5ac739a909"
},
{
"url": "https://git.kernel.org/stable/c/937a573423ce5a96fdb1fd425dc6b8d8d4ab5779"
},
{
"url": "https://git.kernel.org/stable/c/186d147cf7689ba1f9b3ddb753ab634a84940cc9"
},
{
"url": "https://git.kernel.org/stable/c/53e54cb31e667fca05b1808b990eac0807d1dab0"
},
{
"url": "https://git.kernel.org/stable/c/03e8c90c62233382042b7bd0fa8b8900552fdb62"
},
{
"url": "https://git.kernel.org/stable/c/0c3cd7a0b862c37acbee6d9502107146cc944398"
}
],
"title": "Bluetooth: hci_uart: fix null-ptr-deref in hci_uart_write_work",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23146",
"datePublished": "2026-02-14T16:01:16.169Z",
"dateReserved": "2026-01-13T15:37:45.974Z",
"dateUpdated": "2026-02-14T16:01:16.169Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40134 (GCVE-0-2025-40134)
Vulnerability from cvelistv5
Published
2025-11-12 10:23
Modified
2025-12-01 06:18
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dm: fix NULL pointer dereference in __dm_suspend()
There is a race condition between dm device suspend and table load that
can lead to null pointer dereference. The issue occurs when suspend is
invoked before table load completes:
BUG: kernel NULL pointer dereference, address: 0000000000000054
Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 6 PID: 6798 Comm: dmsetup Not tainted 6.6.0-g7e52f5f0ca9b #62
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014
RIP: 0010:blk_mq_wait_quiesce_done+0x0/0x50
Call Trace:
<TASK>
blk_mq_quiesce_queue+0x2c/0x50
dm_stop_queue+0xd/0x20
__dm_suspend+0x130/0x330
dm_suspend+0x11a/0x180
dev_suspend+0x27e/0x560
ctl_ioctl+0x4cf/0x850
dm_ctl_ioctl+0xd/0x20
vfs_ioctl+0x1d/0x50
__se_sys_ioctl+0x9b/0xc0
__x64_sys_ioctl+0x19/0x30
x64_sys_call+0x2c4a/0x4620
do_syscall_64+0x9e/0x1b0
The issue can be triggered as below:
T1 T2
dm_suspend table_load
__dm_suspend dm_setup_md_queue
dm_mq_init_request_queue
blk_mq_init_allocated_queue
=> q->mq_ops = set->ops; (1)
dm_stop_queue / dm_wait_for_completion
=> q->tag_set NULL pointer! (2)
=> q->tag_set = set; (3)
Fix this by checking if a valid table (map) exists before performing
request-based suspend and waiting for target I/O. When map is NULL,
skip these table-dependent suspend steps.
Even when map is NULL, no I/O can reach any target because there is
no table loaded; I/O submitted in this state will fail early in the
DM layer. Skipping the table-dependent suspend logic in this case
is safe and avoids NULL pointer dereferences.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: c4576aed8d85d808cd6443bda58393d525207d01 Version: c4576aed8d85d808cd6443bda58393d525207d01 Version: c4576aed8d85d808cd6443bda58393d525207d01 Version: c4576aed8d85d808cd6443bda58393d525207d01 Version: c4576aed8d85d808cd6443bda58393d525207d01 Version: c4576aed8d85d808cd6443bda58393d525207d01 Version: c4576aed8d85d808cd6443bda58393d525207d01 Version: c4576aed8d85d808cd6443bda58393d525207d01 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/dm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9dc43ea6a20ff83fe9a5fe4be47ae0fbf2409b98",
"status": "affected",
"version": "c4576aed8d85d808cd6443bda58393d525207d01",
"versionType": "git"
},
{
"lessThan": "30f95b7eda5966b81cb221bd569c0f095a068cf6",
"status": "affected",
"version": "c4576aed8d85d808cd6443bda58393d525207d01",
"versionType": "git"
},
{
"lessThan": "a0e54bd8d7ea79127fe9920df3ae36f85e79ac7c",
"status": "affected",
"version": "c4576aed8d85d808cd6443bda58393d525207d01",
"versionType": "git"
},
{
"lessThan": "a802901b75e13cc306f1b7ab0f062135c8034e9e",
"status": "affected",
"version": "c4576aed8d85d808cd6443bda58393d525207d01",
"versionType": "git"
},
{
"lessThan": "846cafc4725ca727d94f9c4b5f789c1a7c8fb6fe",
"status": "affected",
"version": "c4576aed8d85d808cd6443bda58393d525207d01",
"versionType": "git"
},
{
"lessThan": "19ca4528666990be376ac3eb6fe667b03db5324d",
"status": "affected",
"version": "c4576aed8d85d808cd6443bda58393d525207d01",
"versionType": "git"
},
{
"lessThan": "331c2dd8ca8bad1a3ac10cce847ffb76158eece4",
"status": "affected",
"version": "c4576aed8d85d808cd6443bda58393d525207d01",
"versionType": "git"
},
{
"lessThan": "8d33a030c566e1f105cd5bf27f37940b6367f3be",
"status": "affected",
"version": "c4576aed8d85d808cd6443bda58393d525207d01",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/dm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.0"
},
{
"lessThan": "5.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm: fix NULL pointer dereference in __dm_suspend()\n\nThere is a race condition between dm device suspend and table load that\ncan lead to null pointer dereference. The issue occurs when suspend is\ninvoked before table load completes:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000054\nOops: 0000 [#1] PREEMPT SMP PTI\nCPU: 6 PID: 6798 Comm: dmsetup Not tainted 6.6.0-g7e52f5f0ca9b #62\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014\nRIP: 0010:blk_mq_wait_quiesce_done+0x0/0x50\nCall Trace:\n \u003cTASK\u003e\n blk_mq_quiesce_queue+0x2c/0x50\n dm_stop_queue+0xd/0x20\n __dm_suspend+0x130/0x330\n dm_suspend+0x11a/0x180\n dev_suspend+0x27e/0x560\n ctl_ioctl+0x4cf/0x850\n dm_ctl_ioctl+0xd/0x20\n vfs_ioctl+0x1d/0x50\n __se_sys_ioctl+0x9b/0xc0\n __x64_sys_ioctl+0x19/0x30\n x64_sys_call+0x2c4a/0x4620\n do_syscall_64+0x9e/0x1b0\n\nThe issue can be triggered as below:\n\nT1 \t\t\t\t\t\tT2\ndm_suspend\t\t\t\t\ttable_load\n__dm_suspend\t\t\t\t\tdm_setup_md_queue\n\t\t\t\t\t\tdm_mq_init_request_queue\n\t\t\t\t\t\tblk_mq_init_allocated_queue\n\t\t\t\t\t\t=\u003e q-\u003emq_ops = set-\u003eops; (1)\ndm_stop_queue / dm_wait_for_completion\n=\u003e q-\u003etag_set NULL pointer!\t(2)\n\t\t\t\t\t\t=\u003e q-\u003etag_set = set; (3)\n\nFix this by checking if a valid table (map) exists before performing\nrequest-based suspend and waiting for target I/O. When map is NULL,\nskip these table-dependent suspend steps.\n\nEven when map is NULL, no I/O can reach any target because there is\nno table loaded; I/O submitted in this state will fail early in the\nDM layer. Skipping the table-dependent suspend logic in this case\nis safe and avoids NULL pointer dereferences."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:18:40.912Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9dc43ea6a20ff83fe9a5fe4be47ae0fbf2409b98"
},
{
"url": "https://git.kernel.org/stable/c/30f95b7eda5966b81cb221bd569c0f095a068cf6"
},
{
"url": "https://git.kernel.org/stable/c/a0e54bd8d7ea79127fe9920df3ae36f85e79ac7c"
},
{
"url": "https://git.kernel.org/stable/c/a802901b75e13cc306f1b7ab0f062135c8034e9e"
},
{
"url": "https://git.kernel.org/stable/c/846cafc4725ca727d94f9c4b5f789c1a7c8fb6fe"
},
{
"url": "https://git.kernel.org/stable/c/19ca4528666990be376ac3eb6fe667b03db5324d"
},
{
"url": "https://git.kernel.org/stable/c/331c2dd8ca8bad1a3ac10cce847ffb76158eece4"
},
{
"url": "https://git.kernel.org/stable/c/8d33a030c566e1f105cd5bf27f37940b6367f3be"
}
],
"title": "dm: fix NULL pointer dereference in __dm_suspend()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40134",
"datePublished": "2025-11-12T10:23:22.771Z",
"dateReserved": "2025-04-16T07:20:57.170Z",
"dateUpdated": "2025-12-01T06:18:40.912Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71089 (GCVE-0-2025-71089)
Vulnerability from cvelistv5
Published
2026-01-13 15:34
Modified
2026-04-02 08:39
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
iommu: disable SVA when CONFIG_X86 is set
Patch series "Fix stale IOTLB entries for kernel address space", v7.
This proposes a fix for a security vulnerability related to IOMMU Shared
Virtual Addressing (SVA). In an SVA context, an IOMMU can cache kernel
page table entries. When a kernel page table page is freed and
reallocated for another purpose, the IOMMU might still hold stale,
incorrect entries. This can be exploited to cause a use-after-free or
write-after-free condition, potentially leading to privilege escalation or
data corruption.
This solution introduces a deferred freeing mechanism for kernel page
table pages, which provides a safe window to notify the IOMMU to
invalidate its caches before the page is reused.
This patch (of 8):
In the IOMMU Shared Virtual Addressing (SVA) context, the IOMMU hardware
shares and walks the CPU's page tables. The x86 architecture maps the
kernel's virtual address space into the upper portion of every process's
page table. Consequently, in an SVA context, the IOMMU hardware can walk
and cache kernel page table entries.
The Linux kernel currently lacks a notification mechanism for kernel page
table changes, specifically when page table pages are freed and reused.
The IOMMU driver is only notified of changes to user virtual address
mappings. This can cause the IOMMU's internal caches to retain stale
entries for kernel VA.
Use-After-Free (UAF) and Write-After-Free (WAF) conditions arise when
kernel page table pages are freed and later reallocated. The IOMMU could
misinterpret the new data as valid page table entries. The IOMMU might
then walk into attacker-controlled memory, leading to arbitrary physical
memory DMA access or privilege escalation. This is also a
Write-After-Free issue, as the IOMMU will potentially continue to write
Accessed and Dirty bits to the freed memory while attempting to walk the
stale page tables.
Currently, SVA contexts are unprivileged and cannot access kernel
mappings. However, the IOMMU will still walk kernel-only page tables all
the way down to the leaf entries, where it realizes the mapping is for the
kernel and errors out. This means the IOMMU still caches these
intermediate page table entries, making the described vulnerability a real
concern.
Disable SVA on x86 architecture until the IOMMU can receive notification
to flush the paging cache before freeing the CPU kernel page table pages.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 26b25a2b98e45aeb40eedcedc586ad5034cbd984 Version: 26b25a2b98e45aeb40eedcedc586ad5034cbd984 Version: 26b25a2b98e45aeb40eedcedc586ad5034cbd984 Version: 26b25a2b98e45aeb40eedcedc586ad5034cbd984 Version: 26b25a2b98e45aeb40eedcedc586ad5034cbd984 Version: 26b25a2b98e45aeb40eedcedc586ad5034cbd984 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iommu/iommu-sva.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b34289505180a83607fcfdce14b5a290d0528476",
"status": "affected",
"version": "26b25a2b98e45aeb40eedcedc586ad5034cbd984",
"versionType": "git"
},
{
"lessThan": "7cad37e358970af1bb49030ff01f06a69fa7d985",
"status": "affected",
"version": "26b25a2b98e45aeb40eedcedc586ad5034cbd984",
"versionType": "git"
},
{
"lessThan": "240cd7f2812cc25496b12063d11c823618f364e9",
"status": "affected",
"version": "26b25a2b98e45aeb40eedcedc586ad5034cbd984",
"versionType": "git"
},
{
"lessThan": "c2c3f1a3fd74ef16cf115f0c558616a13a8471b4",
"status": "affected",
"version": "26b25a2b98e45aeb40eedcedc586ad5034cbd984",
"versionType": "git"
},
{
"lessThan": "c341dee80b5df49a936182341b36395c831c2661",
"status": "affected",
"version": "26b25a2b98e45aeb40eedcedc586ad5034cbd984",
"versionType": "git"
},
{
"lessThan": "72f98ef9a4be30d2a60136dd6faee376f780d06c",
"status": "affected",
"version": "26b25a2b98e45aeb40eedcedc586ad5034cbd984",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iommu/iommu-sva.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.2"
},
{
"lessThan": "5.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.200",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.200",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.163",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu: disable SVA when CONFIG_X86 is set\n\nPatch series \"Fix stale IOTLB entries for kernel address space\", v7.\n\nThis proposes a fix for a security vulnerability related to IOMMU Shared\nVirtual Addressing (SVA). In an SVA context, an IOMMU can cache kernel\npage table entries. When a kernel page table page is freed and\nreallocated for another purpose, the IOMMU might still hold stale,\nincorrect entries. This can be exploited to cause a use-after-free or\nwrite-after-free condition, potentially leading to privilege escalation or\ndata corruption.\n\nThis solution introduces a deferred freeing mechanism for kernel page\ntable pages, which provides a safe window to notify the IOMMU to\ninvalidate its caches before the page is reused.\n\n\nThis patch (of 8):\n\nIn the IOMMU Shared Virtual Addressing (SVA) context, the IOMMU hardware\nshares and walks the CPU\u0027s page tables. The x86 architecture maps the\nkernel\u0027s virtual address space into the upper portion of every process\u0027s\npage table. Consequently, in an SVA context, the IOMMU hardware can walk\nand cache kernel page table entries.\n\nThe Linux kernel currently lacks a notification mechanism for kernel page\ntable changes, specifically when page table pages are freed and reused. \nThe IOMMU driver is only notified of changes to user virtual address\nmappings. This can cause the IOMMU\u0027s internal caches to retain stale\nentries for kernel VA.\n\nUse-After-Free (UAF) and Write-After-Free (WAF) conditions arise when\nkernel page table pages are freed and later reallocated. The IOMMU could\nmisinterpret the new data as valid page table entries. The IOMMU might\nthen walk into attacker-controlled memory, leading to arbitrary physical\nmemory DMA access or privilege escalation. This is also a\nWrite-After-Free issue, as the IOMMU will potentially continue to write\nAccessed and Dirty bits to the freed memory while attempting to walk the\nstale page tables.\n\nCurrently, SVA contexts are unprivileged and cannot access kernel\nmappings. However, the IOMMU will still walk kernel-only page tables all\nthe way down to the leaf entries, where it realizes the mapping is for the\nkernel and errors out. This means the IOMMU still caches these\nintermediate page table entries, making the described vulnerability a real\nconcern.\n\nDisable SVA on x86 architecture until the IOMMU can receive notification\nto flush the paging cache before freeing the CPU kernel page table pages."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T08:39:37.445Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b34289505180a83607fcfdce14b5a290d0528476"
},
{
"url": "https://git.kernel.org/stable/c/7cad37e358970af1bb49030ff01f06a69fa7d985"
},
{
"url": "https://git.kernel.org/stable/c/240cd7f2812cc25496b12063d11c823618f364e9"
},
{
"url": "https://git.kernel.org/stable/c/c2c3f1a3fd74ef16cf115f0c558616a13a8471b4"
},
{
"url": "https://git.kernel.org/stable/c/c341dee80b5df49a936182341b36395c831c2661"
},
{
"url": "https://git.kernel.org/stable/c/72f98ef9a4be30d2a60136dd6faee376f780d06c"
}
],
"title": "iommu: disable SVA when CONFIG_X86 is set",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71089",
"datePublished": "2026-01-13T15:34:51.079Z",
"dateReserved": "2026-01-13T15:30:19.649Z",
"dateUpdated": "2026-04-02T08:39:37.445Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39907 (GCVE-0-2025-39907)
Vulnerability from cvelistv5
Published
2025-10-01 07:44
Modified
2025-11-03 17:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mtd: rawnand: stm32_fmc2: avoid overlapping mappings on ECC buffer
Avoid below overlapping mappings by using a contiguous
non-cacheable buffer.
[ 4.077708] DMA-API: stm32_fmc2_nfc 48810000.nand-controller: cacheline tracking EEXIST,
overlapping mappings aren't supported
[ 4.089103] WARNING: CPU: 1 PID: 44 at kernel/dma/debug.c:568 add_dma_entry+0x23c/0x300
[ 4.097071] Modules linked in:
[ 4.100101] CPU: 1 PID: 44 Comm: kworker/u4:2 Not tainted 6.1.82 #1
[ 4.106346] Hardware name: STMicroelectronics STM32MP257F VALID1 SNOR / MB1704 (LPDDR4 Power discrete) + MB1703 + MB1708 (SNOR MB1730) (DT)
[ 4.118824] Workqueue: events_unbound deferred_probe_work_func
[ 4.124674] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 4.131624] pc : add_dma_entry+0x23c/0x300
[ 4.135658] lr : add_dma_entry+0x23c/0x300
[ 4.139792] sp : ffff800009dbb490
[ 4.143016] x29: ffff800009dbb4a0 x28: 0000000004008022 x27: ffff8000098a6000
[ 4.150174] x26: 0000000000000000 x25: ffff8000099e7000 x24: ffff8000099e7de8
[ 4.157231] x23: 00000000ffffffff x22: 0000000000000000 x21: ffff8000098a6a20
[ 4.164388] x20: ffff000080964180 x19: ffff800009819ba0 x18: 0000000000000006
[ 4.171545] x17: 6361727420656e69 x16: 6c6568636163203a x15: 72656c6c6f72746e
[ 4.178602] x14: 6f632d646e616e2e x13: ffff800009832f58 x12: 00000000000004ec
[ 4.185759] x11: 00000000000001a4 x10: ffff80000988af58 x9 : ffff800009832f58
[ 4.192916] x8 : 00000000ffffefff x7 : ffff80000988af58 x6 : 80000000fffff000
[ 4.199972] x5 : 000000000000bff4 x4 : 0000000000000000 x3 : 0000000000000000
[ 4.207128] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0000812d2c40
[ 4.214185] Call trace:
[ 4.216605] add_dma_entry+0x23c/0x300
[ 4.220338] debug_dma_map_sg+0x198/0x350
[ 4.224373] __dma_map_sg_attrs+0xa0/0x110
[ 4.228411] dma_map_sg_attrs+0x10/0x2c
[ 4.232247] stm32_fmc2_nfc_xfer.isra.0+0x1c8/0x3fc
[ 4.237088] stm32_fmc2_nfc_seq_read_page+0xc8/0x174
[ 4.242127] nand_read_oob+0x1d4/0x8e0
[ 4.245861] mtd_read_oob_std+0x58/0x84
[ 4.249596] mtd_read_oob+0x90/0x150
[ 4.253231] mtd_read+0x68/0xac
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 2cd457f328c100bc98e36d55fe210e9ab067c704 Version: 2cd457f328c100bc98e36d55fe210e9ab067c704 Version: 2cd457f328c100bc98e36d55fe210e9ab067c704 Version: 2cd457f328c100bc98e36d55fe210e9ab067c704 Version: 2cd457f328c100bc98e36d55fe210e9ab067c704 Version: 2cd457f328c100bc98e36d55fe210e9ab067c704 Version: 2cd457f328c100bc98e36d55fe210e9ab067c704 Version: 2cd457f328c100bc98e36d55fe210e9ab067c704 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:34.141Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/mtd/nand/raw/stm32_fmc2_nand.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dc1c6e60993b93b87604eb11266ac72e1a3be9e0",
"status": "affected",
"version": "2cd457f328c100bc98e36d55fe210e9ab067c704",
"versionType": "git"
},
{
"lessThan": "dfe2ac47a6ee0ab50393694517c54ef1e276dda3",
"status": "affected",
"version": "2cd457f328c100bc98e36d55fe210e9ab067c704",
"versionType": "git"
},
{
"lessThan": "e32a2ea52b51368774d014e5bcd9b86110a2b727",
"status": "affected",
"version": "2cd457f328c100bc98e36d55fe210e9ab067c704",
"versionType": "git"
},
{
"lessThan": "75686c49574dd5f171ca682c18717787f1d8d55e",
"status": "affected",
"version": "2cd457f328c100bc98e36d55fe210e9ab067c704",
"versionType": "git"
},
{
"lessThan": "06d8ef8f853752fea88c8d5bb093a40e71b330cf",
"status": "affected",
"version": "2cd457f328c100bc98e36d55fe210e9ab067c704",
"versionType": "git"
},
{
"lessThan": "26adba1e7d7924174e15a3ba4b1132990786300b",
"status": "affected",
"version": "2cd457f328c100bc98e36d55fe210e9ab067c704",
"versionType": "git"
},
{
"lessThan": "f6fd98d961fa6f97347cead4f08ed862cbbb91ff",
"status": "affected",
"version": "2cd457f328c100bc98e36d55fe210e9ab067c704",
"versionType": "git"
},
{
"lessThan": "513c40e59d5a414ab763a9c84797534b5e8c208d",
"status": "affected",
"version": "2cd457f328c100bc98e36d55fe210e9ab067c704",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/mtd/nand/raw/stm32_fmc2_nand.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.1"
},
{
"lessThan": "5.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.153",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.107",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.48",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: rawnand: stm32_fmc2: avoid overlapping mappings on ECC buffer\n\nAvoid below overlapping mappings by using a contiguous\nnon-cacheable buffer.\n\n[ 4.077708] DMA-API: stm32_fmc2_nfc 48810000.nand-controller: cacheline tracking EEXIST,\noverlapping mappings aren\u0027t supported\n[ 4.089103] WARNING: CPU: 1 PID: 44 at kernel/dma/debug.c:568 add_dma_entry+0x23c/0x300\n[ 4.097071] Modules linked in:\n[ 4.100101] CPU: 1 PID: 44 Comm: kworker/u4:2 Not tainted 6.1.82 #1\n[ 4.106346] Hardware name: STMicroelectronics STM32MP257F VALID1 SNOR / MB1704 (LPDDR4 Power discrete) + MB1703 + MB1708 (SNOR MB1730) (DT)\n[ 4.118824] Workqueue: events_unbound deferred_probe_work_func\n[ 4.124674] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 4.131624] pc : add_dma_entry+0x23c/0x300\n[ 4.135658] lr : add_dma_entry+0x23c/0x300\n[ 4.139792] sp : ffff800009dbb490\n[ 4.143016] x29: ffff800009dbb4a0 x28: 0000000004008022 x27: ffff8000098a6000\n[ 4.150174] x26: 0000000000000000 x25: ffff8000099e7000 x24: ffff8000099e7de8\n[ 4.157231] x23: 00000000ffffffff x22: 0000000000000000 x21: ffff8000098a6a20\n[ 4.164388] x20: ffff000080964180 x19: ffff800009819ba0 x18: 0000000000000006\n[ 4.171545] x17: 6361727420656e69 x16: 6c6568636163203a x15: 72656c6c6f72746e\n[ 4.178602] x14: 6f632d646e616e2e x13: ffff800009832f58 x12: 00000000000004ec\n[ 4.185759] x11: 00000000000001a4 x10: ffff80000988af58 x9 : ffff800009832f58\n[ 4.192916] x8 : 00000000ffffefff x7 : ffff80000988af58 x6 : 80000000fffff000\n[ 4.199972] x5 : 000000000000bff4 x4 : 0000000000000000 x3 : 0000000000000000\n[ 4.207128] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0000812d2c40\n[ 4.214185] Call trace:\n[ 4.216605] add_dma_entry+0x23c/0x300\n[ 4.220338] debug_dma_map_sg+0x198/0x350\n[ 4.224373] __dma_map_sg_attrs+0xa0/0x110\n[ 4.228411] dma_map_sg_attrs+0x10/0x2c\n[ 4.232247] stm32_fmc2_nfc_xfer.isra.0+0x1c8/0x3fc\n[ 4.237088] stm32_fmc2_nfc_seq_read_page+0xc8/0x174\n[ 4.242127] nand_read_oob+0x1d4/0x8e0\n[ 4.245861] mtd_read_oob_std+0x58/0x84\n[ 4.249596] mtd_read_oob+0x90/0x150\n[ 4.253231] mtd_read+0x68/0xac"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T13:26:38.328Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dc1c6e60993b93b87604eb11266ac72e1a3be9e0"
},
{
"url": "https://git.kernel.org/stable/c/dfe2ac47a6ee0ab50393694517c54ef1e276dda3"
},
{
"url": "https://git.kernel.org/stable/c/e32a2ea52b51368774d014e5bcd9b86110a2b727"
},
{
"url": "https://git.kernel.org/stable/c/75686c49574dd5f171ca682c18717787f1d8d55e"
},
{
"url": "https://git.kernel.org/stable/c/06d8ef8f853752fea88c8d5bb093a40e71b330cf"
},
{
"url": "https://git.kernel.org/stable/c/26adba1e7d7924174e15a3ba4b1132990786300b"
},
{
"url": "https://git.kernel.org/stable/c/f6fd98d961fa6f97347cead4f08ed862cbbb91ff"
},
{
"url": "https://git.kernel.org/stable/c/513c40e59d5a414ab763a9c84797534b5e8c208d"
}
],
"title": "mtd: rawnand: stm32_fmc2: avoid overlapping mappings on ECC buffer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39907",
"datePublished": "2025-10-01T07:44:30.864Z",
"dateReserved": "2025-04-16T07:20:57.146Z",
"dateUpdated": "2025-11-03T17:44:34.141Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23095 (GCVE-0-2026-23095)
Vulnerability from cvelistv5
Published
2026-02-04 16:08
Modified
2026-04-03 13:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
gue: Fix skb memleak with inner IP protocol 0.
syzbot reported skb memleak below. [0]
The repro generated a GUE packet with its inner protocol 0.
gue_udp_recv() returns -guehdr->proto_ctype for "resubmit"
in ip_protocol_deliver_rcu(), but this only works with
non-zero protocol number.
Let's drop such packets.
Note that 0 is a valid number (IPv6 Hop-by-Hop Option).
I think it is not practical to encap HOPOPT in GUE, so once
someone starts to complain, we could pass down a resubmit
flag pointer to distinguish two zeros from the upper layer:
* no error
* resubmit HOPOPT
[0]
BUG: memory leak
unreferenced object 0xffff888109695a00 (size 240):
comm "syz.0.17", pid 6088, jiffies 4294943096
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 40 c2 10 81 88 ff ff 00 00 00 00 00 00 00 00 .@..............
backtrace (crc a84b336f):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4958 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270
__build_skb+0x23/0x60 net/core/skbuff.c:474
build_skb+0x20/0x190 net/core/skbuff.c:490
__tun_build_skb drivers/net/tun.c:1541 [inline]
tun_build_skb+0x4a1/0xa40 drivers/net/tun.c:1636
tun_get_user+0xc12/0x2030 drivers/net/tun.c:1770
tun_chr_write_iter+0x71/0x120 drivers/net/tun.c:1999
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0x45d/0x710 fs/read_write.c:686
ksys_write+0xa7/0x170 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 37dd0247797b168ad1cc7f5dbec825a1ee66535b Version: 37dd0247797b168ad1cc7f5dbec825a1ee66535b Version: 37dd0247797b168ad1cc7f5dbec825a1ee66535b Version: 37dd0247797b168ad1cc7f5dbec825a1ee66535b Version: 37dd0247797b168ad1cc7f5dbec825a1ee66535b Version: 37dd0247797b168ad1cc7f5dbec825a1ee66535b Version: 37dd0247797b168ad1cc7f5dbec825a1ee66535b |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/fou_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "886f186328b718400dbf79e1bc8cbcbd710ab766",
"status": "affected",
"version": "37dd0247797b168ad1cc7f5dbec825a1ee66535b",
"versionType": "git"
},
{
"lessThan": "380a82d36e37db49fd41ecc378c22fd29392e96a",
"status": "affected",
"version": "37dd0247797b168ad1cc7f5dbec825a1ee66535b",
"versionType": "git"
},
{
"lessThan": "536f5bbc322eb1e175bdd1ced22b236a951c4d8f",
"status": "affected",
"version": "37dd0247797b168ad1cc7f5dbec825a1ee66535b",
"versionType": "git"
},
{
"lessThan": "f87b9b7a618c82e7465e872eb10e14c803871892",
"status": "affected",
"version": "37dd0247797b168ad1cc7f5dbec825a1ee66535b",
"versionType": "git"
},
{
"lessThan": "ce569b389a5c78d64788a5ea94560e17fa574b35",
"status": "affected",
"version": "37dd0247797b168ad1cc7f5dbec825a1ee66535b",
"versionType": "git"
},
{
"lessThan": "5437a279804ced8088cabb945dba88a26d828f8c",
"status": "affected",
"version": "37dd0247797b168ad1cc7f5dbec825a1ee66535b",
"versionType": "git"
},
{
"lessThan": "9a56796ad258786d3624eef5aefba394fc9bdded",
"status": "affected",
"version": "37dd0247797b168ad1cc7f5dbec825a1ee66535b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/fou_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.18"
},
{
"lessThan": "3.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngue: Fix skb memleak with inner IP protocol 0.\n\nsyzbot reported skb memleak below. [0]\n\nThe repro generated a GUE packet with its inner protocol 0.\n\ngue_udp_recv() returns -guehdr-\u003eproto_ctype for \"resubmit\"\nin ip_protocol_deliver_rcu(), but this only works with\nnon-zero protocol number.\n\nLet\u0027s drop such packets.\n\nNote that 0 is a valid number (IPv6 Hop-by-Hop Option).\n\nI think it is not practical to encap HOPOPT in GUE, so once\nsomeone starts to complain, we could pass down a resubmit\nflag pointer to distinguish two zeros from the upper layer:\n\n * no error\n * resubmit HOPOPT\n\n[0]\nBUG: memory leak\nunreferenced object 0xffff888109695a00 (size 240):\n comm \"syz.0.17\", pid 6088, jiffies 4294943096\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 40 c2 10 81 88 ff ff 00 00 00 00 00 00 00 00 .@..............\n backtrace (crc a84b336f):\n kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]\n slab_post_alloc_hook mm/slub.c:4958 [inline]\n slab_alloc_node mm/slub.c:5263 [inline]\n kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270\n __build_skb+0x23/0x60 net/core/skbuff.c:474\n build_skb+0x20/0x190 net/core/skbuff.c:490\n __tun_build_skb drivers/net/tun.c:1541 [inline]\n tun_build_skb+0x4a1/0xa40 drivers/net/tun.c:1636\n tun_get_user+0xc12/0x2030 drivers/net/tun.c:1770\n tun_chr_write_iter+0x71/0x120 drivers/net/tun.c:1999\n new_sync_write fs/read_write.c:593 [inline]\n vfs_write+0x45d/0x710 fs/read_write.c:686\n ksys_write+0xa7/0x170 fs/read_write.c:738\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T13:31:54.612Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/886f186328b718400dbf79e1bc8cbcbd710ab766"
},
{
"url": "https://git.kernel.org/stable/c/380a82d36e37db49fd41ecc378c22fd29392e96a"
},
{
"url": "https://git.kernel.org/stable/c/536f5bbc322eb1e175bdd1ced22b236a951c4d8f"
},
{
"url": "https://git.kernel.org/stable/c/f87b9b7a618c82e7465e872eb10e14c803871892"
},
{
"url": "https://git.kernel.org/stable/c/ce569b389a5c78d64788a5ea94560e17fa574b35"
},
{
"url": "https://git.kernel.org/stable/c/5437a279804ced8088cabb945dba88a26d828f8c"
},
{
"url": "https://git.kernel.org/stable/c/9a56796ad258786d3624eef5aefba394fc9bdded"
}
],
"title": "gue: Fix skb memleak with inner IP protocol 0.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23095",
"datePublished": "2026-02-04T16:08:17.990Z",
"dateReserved": "2026-01-13T15:37:45.963Z",
"dateUpdated": "2026-04-03T13:31:54.612Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-57795 (GCVE-0-2024-57795)
Vulnerability from cvelistv5
Published
2025-01-15 13:10
Modified
2026-01-11 16:29
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/rxe: Remove the direct link to net_device
The similar patch in siw is in the link:
https://git.kernel.org/rdma/rdma/c/16b87037b48889
This problem also occurred in RXE. The following analyze this problem.
In the following Call Traces:
"
BUG: KASAN: slab-use-after-free in dev_get_flags+0x188/0x1d0 net/core/dev.c:8782
Read of size 4 at addr ffff8880554640b0 by task kworker/1:4/5295
CPU: 1 UID: 0 PID: 5295 Comm: kworker/1:4 Not tainted
6.12.0-rc3-syzkaller-00399-g9197b73fd7bb #0
Hardware name: Google Compute Engine/Google Compute Engine,
BIOS Google 09/13/2024
Workqueue: infiniband ib_cache_event_task
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
dev_get_flags+0x188/0x1d0 net/core/dev.c:8782
rxe_query_port+0x12d/0x260 drivers/infiniband/sw/rxe/rxe_verbs.c:60
__ib_query_port drivers/infiniband/core/device.c:2111 [inline]
ib_query_port+0x168/0x7d0 drivers/infiniband/core/device.c:2143
ib_cache_update+0x1a9/0xb80 drivers/infiniband/core/cache.c:1494
ib_cache_event_task+0xf3/0x1e0 drivers/infiniband/core/cache.c:1568
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f2/0x390 kernel/kthread.c:389
ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
"
1). In the link [1],
"
infiniband syz2: set down
"
This means that on 839.350575, the event ib_cache_event_task was sent andi
queued in ib_wq.
2). In the link [1],
"
team0 (unregistering): Port device team_slave_0 removed
"
It indicates that before 843.251853, the net device should be freed.
3). In the link [1],
"
BUG: KASAN: slab-use-after-free in dev_get_flags+0x188/0x1d0
"
This means that on 850.559070, this slab-use-after-free problem occurred.
In all, on 839.350575, the event ib_cache_event_task was sent and queued
in ib_wq,
before 843.251853, the net device veth was freed.
on 850.559070, this event was executed, and the mentioned freed net device
was called. Thus, the above call trace occurred.
[1] https://syzkaller.appspot.com/x/log.txt?x=12e7025f980000
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-57795",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-13T13:56:40.628550Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-13T14:04:27.443Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/rxe/rxe.c",
"drivers/infiniband/sw/rxe/rxe.h",
"drivers/infiniband/sw/rxe/rxe_mcast.c",
"drivers/infiniband/sw/rxe/rxe_net.c",
"drivers/infiniband/sw/rxe/rxe_verbs.c",
"drivers/infiniband/sw/rxe/rxe_verbs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "32ca3557d968e662957131374a5f81c9c9cdbba8",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "9f6f54e6a6863131442b40e14d1792b090c7ce21",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "2ac5415022d16d63d912a39a06f32f1f51140261",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/rxe/rxe.c",
"drivers/infiniband/sw/rxe/rxe.h",
"drivers/infiniband/sw/rxe/rxe_mcast.c",
"drivers/infiniband/sw/rxe/rxe_net.c",
"drivers/infiniband/sw/rxe/rxe_verbs.c",
"drivers/infiniband/sw/rxe/rxe_verbs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.9",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Remove the direct link to net_device\n\nThe similar patch in siw is in the link:\nhttps://git.kernel.org/rdma/rdma/c/16b87037b48889\n\nThis problem also occurred in RXE. The following analyze this problem.\nIn the following Call Traces:\n\"\nBUG: KASAN: slab-use-after-free in dev_get_flags+0x188/0x1d0 net/core/dev.c:8782\nRead of size 4 at addr ffff8880554640b0 by task kworker/1:4/5295\n\nCPU: 1 UID: 0 PID: 5295 Comm: kworker/1:4 Not tainted\n6.12.0-rc3-syzkaller-00399-g9197b73fd7bb #0\nHardware name: Google Compute Engine/Google Compute Engine,\nBIOS Google 09/13/2024\nWorkqueue: infiniband ib_cache_event_task\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n dev_get_flags+0x188/0x1d0 net/core/dev.c:8782\n rxe_query_port+0x12d/0x260 drivers/infiniband/sw/rxe/rxe_verbs.c:60\n __ib_query_port drivers/infiniband/core/device.c:2111 [inline]\n ib_query_port+0x168/0x7d0 drivers/infiniband/core/device.c:2143\n ib_cache_update+0x1a9/0xb80 drivers/infiniband/core/cache.c:1494\n ib_cache_event_task+0xf3/0x1e0 drivers/infiniband/core/cache.c:1568\n process_one_work kernel/workqueue.c:3229 [inline]\n process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310\n worker_thread+0x870/0xd30 kernel/workqueue.c:3391\n kthread+0x2f2/0x390 kernel/kthread.c:389\n ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n \u003c/TASK\u003e\n\"\n\n1). In the link [1],\n\n\"\n infiniband syz2: set down\n\"\n\nThis means that on 839.350575, the event ib_cache_event_task was sent andi\nqueued in ib_wq.\n\n2). In the link [1],\n\n\"\n team0 (unregistering): Port device team_slave_0 removed\n\"\n\nIt indicates that before 843.251853, the net device should be freed.\n\n3). In the link [1],\n\n\"\n BUG: KASAN: slab-use-after-free in dev_get_flags+0x188/0x1d0\n\"\n\nThis means that on 850.559070, this slab-use-after-free problem occurred.\n\nIn all, on 839.350575, the event ib_cache_event_task was sent and queued\nin ib_wq,\n\nbefore 843.251853, the net device veth was freed.\n\non 850.559070, this event was executed, and the mentioned freed net device\nwas called. Thus, the above call trace occurred.\n\n[1] https://syzkaller.appspot.com/x/log.txt?x=12e7025f980000"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-11T16:29:08.315Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/32ca3557d968e662957131374a5f81c9c9cdbba8"
},
{
"url": "https://git.kernel.org/stable/c/9f6f54e6a6863131442b40e14d1792b090c7ce21"
},
{
"url": "https://git.kernel.org/stable/c/2ac5415022d16d63d912a39a06f32f1f51140261"
}
],
"title": "RDMA/rxe: Remove the direct link to net_device",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-57795",
"datePublished": "2025-01-15T13:10:23.880Z",
"dateReserved": "2025-01-15T13:08:59.657Z",
"dateUpdated": "2026-01-11T16:29:08.315Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71116 (GCVE-0-2025-71116)
Vulnerability from cvelistv5
Published
2026-01-14 15:06
Modified
2026-02-09 08:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
libceph: make decode_pool() more resilient against corrupted osdmaps
If the osdmap is (maliciously) corrupted such that the encoded length
of ceph_pg_pool envelope is less than what is expected for a particular
encoding version, out-of-bounds reads may ensue because the only bounds
check that is there is based on that length value.
This patch adds explicit bounds checks for each field that is decoded
or skipped.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 4f6a7e5ee1393ec4b243b39dac9f36992d161540 Version: 4f6a7e5ee1393ec4b243b39dac9f36992d161540 Version: 4f6a7e5ee1393ec4b243b39dac9f36992d161540 Version: 4f6a7e5ee1393ec4b243b39dac9f36992d161540 Version: 4f6a7e5ee1393ec4b243b39dac9f36992d161540 Version: 4f6a7e5ee1393ec4b243b39dac9f36992d161540 Version: 4f6a7e5ee1393ec4b243b39dac9f36992d161540 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ceph/osdmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d061be4c8040ffb1110d537654a038b8b6ad39d2",
"status": "affected",
"version": "4f6a7e5ee1393ec4b243b39dac9f36992d161540",
"versionType": "git"
},
{
"lessThan": "145d140abda80e33331c5781d6603014fa75d258",
"status": "affected",
"version": "4f6a7e5ee1393ec4b243b39dac9f36992d161540",
"versionType": "git"
},
{
"lessThan": "c82e39ff67353a5a6cbc07b786b8690bd2c45aaa",
"status": "affected",
"version": "4f6a7e5ee1393ec4b243b39dac9f36992d161540",
"versionType": "git"
},
{
"lessThan": "e927ab132b87ba3f076705fc2684d94b24201ed1",
"status": "affected",
"version": "4f6a7e5ee1393ec4b243b39dac9f36992d161540",
"versionType": "git"
},
{
"lessThan": "5d0d8c292531fe356c4e94dcfdf7d7212aca9957",
"status": "affected",
"version": "4f6a7e5ee1393ec4b243b39dac9f36992d161540",
"versionType": "git"
},
{
"lessThan": "2acb8517429ab42146c6c0ac1daed1f03d2fd125",
"status": "affected",
"version": "4f6a7e5ee1393ec4b243b39dac9f36992d161540",
"versionType": "git"
},
{
"lessThan": "8c738512714e8c0aa18f8a10c072d5b01c83db39",
"status": "affected",
"version": "4f6a7e5ee1393ec4b243b39dac9f36992d161540",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ceph/osdmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.9"
},
{
"lessThan": "3.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: make decode_pool() more resilient against corrupted osdmaps\n\nIf the osdmap is (maliciously) corrupted such that the encoded length\nof ceph_pg_pool envelope is less than what is expected for a particular\nencoding version, out-of-bounds reads may ensue because the only bounds\ncheck that is there is based on that length value.\n\nThis patch adds explicit bounds checks for each field that is decoded\nor skipped."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:10.946Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d061be4c8040ffb1110d537654a038b8b6ad39d2"
},
{
"url": "https://git.kernel.org/stable/c/145d140abda80e33331c5781d6603014fa75d258"
},
{
"url": "https://git.kernel.org/stable/c/c82e39ff67353a5a6cbc07b786b8690bd2c45aaa"
},
{
"url": "https://git.kernel.org/stable/c/e927ab132b87ba3f076705fc2684d94b24201ed1"
},
{
"url": "https://git.kernel.org/stable/c/5d0d8c292531fe356c4e94dcfdf7d7212aca9957"
},
{
"url": "https://git.kernel.org/stable/c/2acb8517429ab42146c6c0ac1daed1f03d2fd125"
},
{
"url": "https://git.kernel.org/stable/c/8c738512714e8c0aa18f8a10c072d5b01c83db39"
}
],
"title": "libceph: make decode_pool() more resilient against corrupted osdmaps",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71116",
"datePublished": "2026-01-14T15:06:04.476Z",
"dateReserved": "2026-01-13T15:30:19.653Z",
"dateUpdated": "2026-02-09T08:35:10.946Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68321 (GCVE-0-2025-68321)
Vulnerability from cvelistv5
Published
2025-12-16 15:44
Modified
2026-01-02 15:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
page_pool: always add GFP_NOWARN for ATOMIC allocations
Driver authors often forget to add GFP_NOWARN for page allocation
from the datapath. This is annoying to users as OOMs are a fact
of life, and we pretty much expect network Rx to hit page allocation
failures during OOM. Make page pool add GFP_NOWARN for ATOMIC allocations
by default.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: ff7d6b27f894f1469dc51ccb828b7363ccd9799f Version: ff7d6b27f894f1469dc51ccb828b7363ccd9799f Version: ff7d6b27f894f1469dc51ccb828b7363ccd9799f Version: ff7d6b27f894f1469dc51ccb828b7363ccd9799f Version: ff7d6b27f894f1469dc51ccb828b7363ccd9799f Version: ff7d6b27f894f1469dc51ccb828b7363ccd9799f |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/page_pool.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0ec2cd5c58793d0c622797cd5fbe26634b357210",
"status": "affected",
"version": "ff7d6b27f894f1469dc51ccb828b7363ccd9799f",
"versionType": "git"
},
{
"lessThan": "9835a0fd59a1df5ec0740fdab6d50db68e0f10de",
"status": "affected",
"version": "ff7d6b27f894f1469dc51ccb828b7363ccd9799f",
"versionType": "git"
},
{
"lessThan": "7613c06ffa89c1e2266fb532e23ef7dfdf269d73",
"status": "affected",
"version": "ff7d6b27f894f1469dc51ccb828b7363ccd9799f",
"versionType": "git"
},
{
"lessThan": "3671a0775952026228ae44e096eb144bca75f8dc",
"status": "affected",
"version": "ff7d6b27f894f1469dc51ccb828b7363ccd9799f",
"versionType": "git"
},
{
"lessThan": "ab48dc0e23eb714b3f233f8e8f6deed7df2051f5",
"status": "affected",
"version": "ff7d6b27f894f1469dc51ccb828b7363ccd9799f",
"versionType": "git"
},
{
"lessThan": "f3b52167a0cb23b27414452fbc1278da2ee884fc",
"status": "affected",
"version": "ff7d6b27f894f1469dc51ccb828b7363ccd9799f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/page_pool.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"lessThan": "4.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npage_pool: always add GFP_NOWARN for ATOMIC allocations\n\nDriver authors often forget to add GFP_NOWARN for page allocation\nfrom the datapath. This is annoying to users as OOMs are a fact\nof life, and we pretty much expect network Rx to hit page allocation\nfailures during OOM. Make page pool add GFP_NOWARN for ATOMIC allocations\nby default."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:35:06.285Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0ec2cd5c58793d0c622797cd5fbe26634b357210"
},
{
"url": "https://git.kernel.org/stable/c/9835a0fd59a1df5ec0740fdab6d50db68e0f10de"
},
{
"url": "https://git.kernel.org/stable/c/7613c06ffa89c1e2266fb532e23ef7dfdf269d73"
},
{
"url": "https://git.kernel.org/stable/c/3671a0775952026228ae44e096eb144bca75f8dc"
},
{
"url": "https://git.kernel.org/stable/c/ab48dc0e23eb714b3f233f8e8f6deed7df2051f5"
},
{
"url": "https://git.kernel.org/stable/c/f3b52167a0cb23b27414452fbc1278da2ee884fc"
}
],
"title": "page_pool: always add GFP_NOWARN for ATOMIC allocations",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68321",
"datePublished": "2025-12-16T15:44:19.066Z",
"dateReserved": "2025-12-16T14:48:05.295Z",
"dateUpdated": "2026-01-02T15:35:06.285Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40346 (GCVE-0-2025-40346)
Vulnerability from cvelistv5
Published
2025-12-16 13:30
Modified
2025-12-16 13:30
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
arch_topology: Fix incorrect error check in topology_parse_cpu_capacity()
Fix incorrect use of PTR_ERR_OR_ZERO() in topology_parse_cpu_capacity()
which causes the code to proceed with NULL clock pointers. The current
logic uses !PTR_ERR_OR_ZERO(cpu_clk) which evaluates to true for both
valid pointers and NULL, leading to potential NULL pointer dereference
in clk_get_rate().
Per include/linux/err.h documentation, PTR_ERR_OR_ZERO(ptr) returns:
"The error code within @ptr if it is an error pointer; 0 otherwise."
This means PTR_ERR_OR_ZERO() returns 0 for both valid pointers AND NULL
pointers. Therefore !PTR_ERR_OR_ZERO(cpu_clk) evaluates to true (proceed)
when cpu_clk is either valid or NULL, causing clk_get_rate(NULL) to be
called when of_clk_get() returns NULL.
Replace with !IS_ERR_OR_NULL(cpu_clk) which only proceeds for valid
pointers, preventing potential NULL pointer dereference in clk_get_rate().
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: b8fe128dad8f97cc9af7c55a264d1fc5ab677195 Version: b8fe128dad8f97cc9af7c55a264d1fc5ab677195 Version: b8fe128dad8f97cc9af7c55a264d1fc5ab677195 Version: b8fe128dad8f97cc9af7c55a264d1fc5ab677195 Version: b8fe128dad8f97cc9af7c55a264d1fc5ab677195 Version: b8fe128dad8f97cc9af7c55a264d1fc5ab677195 Version: b8fe128dad8f97cc9af7c55a264d1fc5ab677195 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/base/arch_topology.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "64da320252e43456cc9ec3055ff567f168467b37",
"status": "affected",
"version": "b8fe128dad8f97cc9af7c55a264d1fc5ab677195",
"versionType": "git"
},
{
"lessThan": "02fbea0864fd4a863671f5d418129258d7159f68",
"status": "affected",
"version": "b8fe128dad8f97cc9af7c55a264d1fc5ab677195",
"versionType": "git"
},
{
"lessThan": "a77f8434954cb1e9c42c3854e40855fdcf5ab235",
"status": "affected",
"version": "b8fe128dad8f97cc9af7c55a264d1fc5ab677195",
"versionType": "git"
},
{
"lessThan": "3373f263bb647fcc3b5237cfaef757633b9ee25e",
"status": "affected",
"version": "b8fe128dad8f97cc9af7c55a264d1fc5ab677195",
"versionType": "git"
},
{
"lessThan": "45379303124487db3a81219af7565d41f498167f",
"status": "affected",
"version": "b8fe128dad8f97cc9af7c55a264d1fc5ab677195",
"versionType": "git"
},
{
"lessThan": "3a01b2614e84361aa222f67bc628593987e5cdb2",
"status": "affected",
"version": "b8fe128dad8f97cc9af7c55a264d1fc5ab677195",
"versionType": "git"
},
{
"lessThan": "2eead19334516c8e9927c11b448fbe512b1f18a1",
"status": "affected",
"version": "b8fe128dad8f97cc9af7c55a264d1fc5ab677195",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/base/arch_topology.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.196",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.115",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.196",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.115",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.56",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.6",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\narch_topology: Fix incorrect error check in topology_parse_cpu_capacity()\n\nFix incorrect use of PTR_ERR_OR_ZERO() in topology_parse_cpu_capacity()\nwhich causes the code to proceed with NULL clock pointers. The current\nlogic uses !PTR_ERR_OR_ZERO(cpu_clk) which evaluates to true for both\nvalid pointers and NULL, leading to potential NULL pointer dereference\nin clk_get_rate().\n\nPer include/linux/err.h documentation, PTR_ERR_OR_ZERO(ptr) returns:\n\"The error code within @ptr if it is an error pointer; 0 otherwise.\"\n\nThis means PTR_ERR_OR_ZERO() returns 0 for both valid pointers AND NULL\npointers. Therefore !PTR_ERR_OR_ZERO(cpu_clk) evaluates to true (proceed)\nwhen cpu_clk is either valid or NULL, causing clk_get_rate(NULL) to be\ncalled when of_clk_get() returns NULL.\n\nReplace with !IS_ERR_OR_NULL(cpu_clk) which only proceeds for valid\npointers, preventing potential NULL pointer dereference in clk_get_rate()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T13:30:20.395Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/64da320252e43456cc9ec3055ff567f168467b37"
},
{
"url": "https://git.kernel.org/stable/c/02fbea0864fd4a863671f5d418129258d7159f68"
},
{
"url": "https://git.kernel.org/stable/c/a77f8434954cb1e9c42c3854e40855fdcf5ab235"
},
{
"url": "https://git.kernel.org/stable/c/3373f263bb647fcc3b5237cfaef757633b9ee25e"
},
{
"url": "https://git.kernel.org/stable/c/45379303124487db3a81219af7565d41f498167f"
},
{
"url": "https://git.kernel.org/stable/c/3a01b2614e84361aa222f67bc628593987e5cdb2"
},
{
"url": "https://git.kernel.org/stable/c/2eead19334516c8e9927c11b448fbe512b1f18a1"
}
],
"title": "arch_topology: Fix incorrect error check in topology_parse_cpu_capacity()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40346",
"datePublished": "2025-12-16T13:30:20.395Z",
"dateReserved": "2025-04-16T07:20:57.187Z",
"dateUpdated": "2025-12-16T13:30:20.395Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23073 (GCVE-0-2026-23073)
Vulnerability from cvelistv5
Published
2026-02-04 16:07
Modified
2026-02-09 08:38
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: rsi: Fix memory corruption due to not set vif driver data size
The struct ieee80211_vif contains trailing space for vif driver data,
when struct ieee80211_vif is allocated, the total memory size that is
allocated is sizeof(struct ieee80211_vif) + size of vif driver data.
The size of vif driver data is set by each WiFi driver as needed.
The RSI911x driver does not set vif driver data size, no trailing space
for vif driver data is therefore allocated past struct ieee80211_vif .
The RSI911x driver does however use the vif driver data to store its
vif driver data structure "struct vif_priv". An access to vif->drv_priv
leads to access out of struct ieee80211_vif bounds and corruption of
some memory.
In case of the failure observed locally, rsi_mac80211_add_interface()
would write struct vif_priv *vif_info = (struct vif_priv *)vif->drv_priv;
vif_info->vap_id = vap_idx. This write corrupts struct fq_tin member
struct list_head new_flows . The flow = list_first_entry(head, struct
fq_flow, flowchain); in fq_tin_reset() then reports non-NULL bogus
address, which when accessed causes a crash.
The trigger is very simple, boot the machine with init=/bin/sh , mount
devtmpfs, sysfs, procfs, and then do "ip link set wlan0 up", "sleep 1",
"ip link set wlan0 down" and the crash occurs.
Fix this by setting the correct size of vif driver data, which is the
size of "struct vif_priv", so that memory is allocated and the driver
can store its driver data in it, instead of corrupting memory around
it.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: dad0d04fa7ba41ce603a01e8e64967650303e9a2 Version: dad0d04fa7ba41ce603a01e8e64967650303e9a2 Version: dad0d04fa7ba41ce603a01e8e64967650303e9a2 Version: dad0d04fa7ba41ce603a01e8e64967650303e9a2 Version: dad0d04fa7ba41ce603a01e8e64967650303e9a2 Version: dad0d04fa7ba41ce603a01e8e64967650303e9a2 Version: dad0d04fa7ba41ce603a01e8e64967650303e9a2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/rsi/rsi_91x_mac80211.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "49ef094fdbc3526e5db2aebb404b84f79c5603dc",
"status": "affected",
"version": "dad0d04fa7ba41ce603a01e8e64967650303e9a2",
"versionType": "git"
},
{
"lessThan": "0d7c9e793e351cbbe9e06a9ca47d77b6ad288fb0",
"status": "affected",
"version": "dad0d04fa7ba41ce603a01e8e64967650303e9a2",
"versionType": "git"
},
{
"lessThan": "7c54d0c3e2cad4300be721ec2aecfcf8a63bc9f4",
"status": "affected",
"version": "dad0d04fa7ba41ce603a01e8e64967650303e9a2",
"versionType": "git"
},
{
"lessThan": "7761d7801f40e61069b4df3db88b36d80d089f8a",
"status": "affected",
"version": "dad0d04fa7ba41ce603a01e8e64967650303e9a2",
"versionType": "git"
},
{
"lessThan": "99129d80a5d4989ef8566f434f3589f60f28042b",
"status": "affected",
"version": "dad0d04fa7ba41ce603a01e8e64967650303e9a2",
"versionType": "git"
},
{
"lessThan": "31efbcff90884ea5f65bf3d1de01267db51ee3d1",
"status": "affected",
"version": "dad0d04fa7ba41ce603a01e8e64967650303e9a2",
"versionType": "git"
},
{
"lessThan": "4f431d88ea8093afc7ba55edf4652978c5a68f33",
"status": "affected",
"version": "dad0d04fa7ba41ce603a01e8e64967650303e9a2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/rsi/rsi_91x_mac80211.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.15"
},
{
"lessThan": "3.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rsi: Fix memory corruption due to not set vif driver data size\n\nThe struct ieee80211_vif contains trailing space for vif driver data,\nwhen struct ieee80211_vif is allocated, the total memory size that is\nallocated is sizeof(struct ieee80211_vif) + size of vif driver data.\nThe size of vif driver data is set by each WiFi driver as needed.\n\nThe RSI911x driver does not set vif driver data size, no trailing space\nfor vif driver data is therefore allocated past struct ieee80211_vif .\nThe RSI911x driver does however use the vif driver data to store its\nvif driver data structure \"struct vif_priv\". An access to vif-\u003edrv_priv\nleads to access out of struct ieee80211_vif bounds and corruption of\nsome memory.\n\nIn case of the failure observed locally, rsi_mac80211_add_interface()\nwould write struct vif_priv *vif_info = (struct vif_priv *)vif-\u003edrv_priv;\nvif_info-\u003evap_id = vap_idx. This write corrupts struct fq_tin member\nstruct list_head new_flows . The flow = list_first_entry(head, struct\nfq_flow, flowchain); in fq_tin_reset() then reports non-NULL bogus\naddress, which when accessed causes a crash.\n\nThe trigger is very simple, boot the machine with init=/bin/sh , mount\ndevtmpfs, sysfs, procfs, and then do \"ip link set wlan0 up\", \"sleep 1\",\n\"ip link set wlan0 down\" and the crash occurs.\n\nFix this by setting the correct size of vif driver data, which is the\nsize of \"struct vif_priv\", so that memory is allocated and the driver\ncan store its driver data in it, instead of corrupting memory around\nit."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:38:12.671Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/49ef094fdbc3526e5db2aebb404b84f79c5603dc"
},
{
"url": "https://git.kernel.org/stable/c/0d7c9e793e351cbbe9e06a9ca47d77b6ad288fb0"
},
{
"url": "https://git.kernel.org/stable/c/7c54d0c3e2cad4300be721ec2aecfcf8a63bc9f4"
},
{
"url": "https://git.kernel.org/stable/c/7761d7801f40e61069b4df3db88b36d80d089f8a"
},
{
"url": "https://git.kernel.org/stable/c/99129d80a5d4989ef8566f434f3589f60f28042b"
},
{
"url": "https://git.kernel.org/stable/c/31efbcff90884ea5f65bf3d1de01267db51ee3d1"
},
{
"url": "https://git.kernel.org/stable/c/4f431d88ea8093afc7ba55edf4652978c5a68f33"
}
],
"title": "wifi: rsi: Fix memory corruption due to not set vif driver data size",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23073",
"datePublished": "2026-02-04T16:07:53.527Z",
"dateReserved": "2026-01-13T15:37:45.958Z",
"dateUpdated": "2026-02-09T08:38:12.671Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40308 (GCVE-0-2025-40308)
Vulnerability from cvelistv5
Published
2025-12-08 00:46
Modified
2026-01-02 15:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: bcsp: receive data only if registered
Currently, bcsp_recv() can be called even when the BCSP protocol has not
been registered. This leads to a NULL pointer dereference, as shown in
the following stack trace:
KASAN: null-ptr-deref in range [0x0000000000000108-0x000000000000010f]
RIP: 0010:bcsp_recv+0x13d/0x1740 drivers/bluetooth/hci_bcsp.c:590
Call Trace:
<TASK>
hci_uart_tty_receive+0x194/0x220 drivers/bluetooth/hci_ldisc.c:627
tiocsti+0x23c/0x2c0 drivers/tty/tty_io.c:2290
tty_ioctl+0x626/0xde0 drivers/tty/tty_io.c:2706
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
To prevent this, ensure that the HCI_UART_REGISTERED flag is set before
processing received data. If the protocol is not registered, return
-EUNATCH.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 48effdb7a798232db945503cf3f51e0be8070cea Version: 45fa7bd82c6178f4fec0ab94891144a043ec5fe8 Version: d71a57a34ab6bbc95dc461158403c02e8ff3f912 Version: 9cf7dccaa7f4c56d2089700e5cb11f85a8d5f6cf Version: 806464634e7fc6b523160defeeddb1ade2a72f81 Version: 6b7a32fa9bacdebd98c18b2a56994116995ee643 Version: 366ceff495f902182d42b6f41525c2474caf3f9a Version: 366ceff495f902182d42b6f41525c2474caf3f9a Version: 15543b7bbe7b5f744fdbb44f75b14f81a0117813 Version: a4b89a45b12b69bc82c8137346b150a118e02c26 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/hci_bcsp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "39a7d40314b6288cfa2d13269275e9247a7a055a",
"status": "affected",
"version": "48effdb7a798232db945503cf3f51e0be8070cea",
"versionType": "git"
},
{
"lessThan": "164586725b47f9d61912e6bf17dbaffeff11710b",
"status": "affected",
"version": "45fa7bd82c6178f4fec0ab94891144a043ec5fe8",
"versionType": "git"
},
{
"lessThan": "b65ca9708bfbf47d8b7bd44b7c574bd16798e9c9",
"status": "affected",
"version": "d71a57a34ab6bbc95dc461158403c02e8ff3f912",
"versionType": "git"
},
{
"lessThan": "8b892dbef3887dbe9afdc7176d1a5fd90e1636aa",
"status": "affected",
"version": "9cf7dccaa7f4c56d2089700e5cb11f85a8d5f6cf",
"versionType": "git"
},
{
"lessThan": "799cd62cbcc3f12ee04b33ef390ff7d41c37d671",
"status": "affected",
"version": "806464634e7fc6b523160defeeddb1ade2a72f81",
"versionType": "git"
},
{
"lessThan": "b420a4c7f915fc1c94ad1f6ca740acc046d94334",
"status": "affected",
"version": "6b7a32fa9bacdebd98c18b2a56994116995ee643",
"versionType": "git"
},
{
"lessThan": "55c1519fca830f59a10bbf9aa8209c87b06cf7bc",
"status": "affected",
"version": "366ceff495f902182d42b6f41525c2474caf3f9a",
"versionType": "git"
},
{
"lessThan": "ca94b2b036c22556c3a66f1b80f490882deef7a6",
"status": "affected",
"version": "366ceff495f902182d42b6f41525c2474caf3f9a",
"versionType": "git"
},
{
"status": "affected",
"version": "15543b7bbe7b5f744fdbb44f75b14f81a0117813",
"versionType": "git"
},
{
"status": "affected",
"version": "a4b89a45b12b69bc82c8137346b150a118e02c26",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/hci_bcsp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.15"
},
{
"lessThan": "6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "5.4.293",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.10.237",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.15.181",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "6.1.135",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "6.6.88",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "6.12.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.13.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.14.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: bcsp: receive data only if registered\n\nCurrently, bcsp_recv() can be called even when the BCSP protocol has not\nbeen registered. This leads to a NULL pointer dereference, as shown in\nthe following stack trace:\n\n KASAN: null-ptr-deref in range [0x0000000000000108-0x000000000000010f]\n RIP: 0010:bcsp_recv+0x13d/0x1740 drivers/bluetooth/hci_bcsp.c:590\n Call Trace:\n \u003cTASK\u003e\n hci_uart_tty_receive+0x194/0x220 drivers/bluetooth/hci_ldisc.c:627\n tiocsti+0x23c/0x2c0 drivers/tty/tty_io.c:2290\n tty_ioctl+0x626/0xde0 drivers/tty/tty_io.c:2706\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:907 [inline]\n __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nTo prevent this, ensure that the HCI_UART_REGISTERED flag is set before\nprocessing received data. If the protocol is not registered, return\n-EUNATCH."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:29.429Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/39a7d40314b6288cfa2d13269275e9247a7a055a"
},
{
"url": "https://git.kernel.org/stable/c/164586725b47f9d61912e6bf17dbaffeff11710b"
},
{
"url": "https://git.kernel.org/stable/c/b65ca9708bfbf47d8b7bd44b7c574bd16798e9c9"
},
{
"url": "https://git.kernel.org/stable/c/8b892dbef3887dbe9afdc7176d1a5fd90e1636aa"
},
{
"url": "https://git.kernel.org/stable/c/799cd62cbcc3f12ee04b33ef390ff7d41c37d671"
},
{
"url": "https://git.kernel.org/stable/c/b420a4c7f915fc1c94ad1f6ca740acc046d94334"
},
{
"url": "https://git.kernel.org/stable/c/55c1519fca830f59a10bbf9aa8209c87b06cf7bc"
},
{
"url": "https://git.kernel.org/stable/c/ca94b2b036c22556c3a66f1b80f490882deef7a6"
}
],
"title": "Bluetooth: bcsp: receive data only if registered",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40308",
"datePublished": "2025-12-08T00:46:33.729Z",
"dateReserved": "2025-04-16T07:20:57.185Z",
"dateUpdated": "2026-01-02T15:33:29.429Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68327 (GCVE-0-2025-68327)
Vulnerability from cvelistv5
Published
2025-12-22 16:12
Modified
2025-12-22 16:13
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: renesas_usbhs: Fix synchronous external abort on unbind
A synchronous external abort occurs on the Renesas RZ/G3S SoC if unbind is
executed after the configuration sequence described above:
modprobe usb_f_ecm
modprobe libcomposite
modprobe configfs
cd /sys/kernel/config/usb_gadget
mkdir -p g1
cd g1
echo "0x1d6b" > idVendor
echo "0x0104" > idProduct
mkdir -p strings/0x409
echo "0123456789" > strings/0x409/serialnumber
echo "Renesas." > strings/0x409/manufacturer
echo "Ethernet Gadget" > strings/0x409/product
mkdir -p functions/ecm.usb0
mkdir -p configs/c.1
mkdir -p configs/c.1/strings/0x409
echo "ECM" > configs/c.1/strings/0x409/configuration
if [ ! -L configs/c.1/ecm.usb0 ]; then
ln -s functions/ecm.usb0 configs/c.1
fi
echo 11e20000.usb > UDC
echo 11e20000.usb > /sys/bus/platform/drivers/renesas_usbhs/unbind
The displayed trace is as follows:
Internal error: synchronous external abort: 0000000096000010 [#1] SMP
CPU: 0 UID: 0 PID: 188 Comm: sh Tainted: G M 6.17.0-rc7-next-20250922-00010-g41050493b2bd #55 PREEMPT
Tainted: [M]=MACHINE_CHECK
Hardware name: Renesas SMARC EVK version 2 based on r9a08g045s33 (DT)
pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : usbhs_sys_function_pullup+0x10/0x40 [renesas_usbhs]
lr : usbhsg_update_pullup+0x3c/0x68 [renesas_usbhs]
sp : ffff8000838b3920
x29: ffff8000838b3920 x28: ffff00000d585780 x27: 0000000000000000
x26: 0000000000000000 x25: 0000000000000000 x24: ffff00000c3e3810
x23: ffff00000d5e5c80 x22: ffff00000d5e5d40 x21: 0000000000000000
x20: 0000000000000000 x19: ffff00000d5e5c80 x18: 0000000000000020
x17: 2e30303230316531 x16: 312d7968703a7968 x15: 3d454d414e5f4344
x14: 000000000000002c x13: 0000000000000000 x12: 0000000000000000
x11: ffff00000f358f38 x10: ffff00000f358db0 x9 : ffff00000b41f418
x8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : fefefeff6364626d
x5 : 8080808000000000 x4 : 000000004b5ccb9d x3 : 0000000000000000
x2 : 0000000000000000 x1 : ffff800083790000 x0 : ffff00000d5e5c80
Call trace:
usbhs_sys_function_pullup+0x10/0x40 [renesas_usbhs] (P)
usbhsg_pullup+0x4c/0x7c [renesas_usbhs]
usb_gadget_disconnect_locked+0x48/0xd4
gadget_unbind_driver+0x44/0x114
device_remove+0x4c/0x80
device_release_driver_internal+0x1c8/0x224
device_release_driver+0x18/0x24
bus_remove_device+0xcc/0x10c
device_del+0x14c/0x404
usb_del_gadget+0x88/0xc0
usb_del_gadget_udc+0x18/0x30
usbhs_mod_gadget_remove+0x24/0x44 [renesas_usbhs]
usbhs_mod_remove+0x20/0x30 [renesas_usbhs]
usbhs_remove+0x98/0xdc [renesas_usbhs]
platform_remove+0x20/0x30
device_remove+0x4c/0x80
device_release_driver_internal+0x1c8/0x224
device_driver_detach+0x18/0x24
unbind_store+0xb4/0xb8
drv_attr_store+0x24/0x38
sysfs_kf_write+0x7c/0x94
kernfs_fop_write_iter+0x128/0x1b8
vfs_write+0x2ac/0x350
ksys_write+0x68/0xfc
__arm64_sys_write+0x1c/0x28
invoke_syscall+0x48/0x110
el0_svc_common.constprop.0+0xc0/0xe0
do_el0_svc+0x1c/0x28
el0_svc+0x34/0xf0
el0t_64_sync_handler+0xa0/0xe4
el0t_64_sync+0x198/0x19c
Code: 7100003f 1a9f07e1 531c6c22 f9400001 (79400021)
---[ end trace 0000000000000000 ]---
note: sh[188] exited with irqs disabled
note: sh[188] exited with preempt_count 1
The issue occurs because usbhs_sys_function_pullup(), which accesses the IP
registers, is executed after the USBHS clocks have been disabled. The
problem is reproducible on the Renesas RZ/G3S SoC starting with the
addition of module stop in the clock enable/disable APIs. With module stop
functionality enabled, a bus error is expected if a master accesses a
module whose clock has been stopped and module stop activated.
Disable the IP clocks at the end of remove.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: f1407d5c66240b33d11a7f1a41d55ccf6a9d7647 Version: f1407d5c66240b33d11a7f1a41d55ccf6a9d7647 Version: f1407d5c66240b33d11a7f1a41d55ccf6a9d7647 Version: f1407d5c66240b33d11a7f1a41d55ccf6a9d7647 Version: f1407d5c66240b33d11a7f1a41d55ccf6a9d7647 Version: f1407d5c66240b33d11a7f1a41d55ccf6a9d7647 Version: f1407d5c66240b33d11a7f1a41d55ccf6a9d7647 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/renesas_usbhs/common.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fd1a7bf3a8cac13f6d2d52d8c7570ba41621db9a",
"status": "affected",
"version": "f1407d5c66240b33d11a7f1a41d55ccf6a9d7647",
"versionType": "git"
},
{
"lessThan": "cd5e86e34c66a831b5cb9b720ad411a006962cc8",
"status": "affected",
"version": "f1407d5c66240b33d11a7f1a41d55ccf6a9d7647",
"versionType": "git"
},
{
"lessThan": "230b1bc1310edcd5c1b71dcd6b77ccba43139cb5",
"status": "affected",
"version": "f1407d5c66240b33d11a7f1a41d55ccf6a9d7647",
"versionType": "git"
},
{
"lessThan": "9d86bc8b188a77c8d6f7252280ec2bd24ad6fbc1",
"status": "affected",
"version": "f1407d5c66240b33d11a7f1a41d55ccf6a9d7647",
"versionType": "git"
},
{
"lessThan": "26838f147aeaa8f820ff799d72815fba5e209bd9",
"status": "affected",
"version": "f1407d5c66240b33d11a7f1a41d55ccf6a9d7647",
"versionType": "git"
},
{
"lessThan": "aa658a6d5ac21c7cde54c6d015f2d4daff32e02d",
"status": "affected",
"version": "f1407d5c66240b33d11a7f1a41d55ccf6a9d7647",
"versionType": "git"
},
{
"lessThan": "eb9ac779830b2235847b72cb15cf07c7e3333c5e",
"status": "affected",
"version": "f1407d5c66240b33d11a7f1a41d55ccf6a9d7647",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/renesas_usbhs/common.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.0"
},
{
"lessThan": "3.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: renesas_usbhs: Fix synchronous external abort on unbind\n\nA synchronous external abort occurs on the Renesas RZ/G3S SoC if unbind is\nexecuted after the configuration sequence described above:\n\nmodprobe usb_f_ecm\nmodprobe libcomposite\nmodprobe configfs\ncd /sys/kernel/config/usb_gadget\nmkdir -p g1\ncd g1\necho \"0x1d6b\" \u003e idVendor\necho \"0x0104\" \u003e idProduct\nmkdir -p strings/0x409\necho \"0123456789\" \u003e strings/0x409/serialnumber\necho \"Renesas.\" \u003e strings/0x409/manufacturer\necho \"Ethernet Gadget\" \u003e strings/0x409/product\nmkdir -p functions/ecm.usb0\nmkdir -p configs/c.1\nmkdir -p configs/c.1/strings/0x409\necho \"ECM\" \u003e configs/c.1/strings/0x409/configuration\n\nif [ ! -L configs/c.1/ecm.usb0 ]; then\n ln -s functions/ecm.usb0 configs/c.1\nfi\n\necho 11e20000.usb \u003e UDC\necho 11e20000.usb \u003e /sys/bus/platform/drivers/renesas_usbhs/unbind\n\nThe displayed trace is as follows:\n\n Internal error: synchronous external abort: 0000000096000010 [#1] SMP\n CPU: 0 UID: 0 PID: 188 Comm: sh Tainted: G M 6.17.0-rc7-next-20250922-00010-g41050493b2bd #55 PREEMPT\n Tainted: [M]=MACHINE_CHECK\n Hardware name: Renesas SMARC EVK version 2 based on r9a08g045s33 (DT)\n pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : usbhs_sys_function_pullup+0x10/0x40 [renesas_usbhs]\n lr : usbhsg_update_pullup+0x3c/0x68 [renesas_usbhs]\n sp : ffff8000838b3920\n x29: ffff8000838b3920 x28: ffff00000d585780 x27: 0000000000000000\n x26: 0000000000000000 x25: 0000000000000000 x24: ffff00000c3e3810\n x23: ffff00000d5e5c80 x22: ffff00000d5e5d40 x21: 0000000000000000\n x20: 0000000000000000 x19: ffff00000d5e5c80 x18: 0000000000000020\n x17: 2e30303230316531 x16: 312d7968703a7968 x15: 3d454d414e5f4344\n x14: 000000000000002c x13: 0000000000000000 x12: 0000000000000000\n x11: ffff00000f358f38 x10: ffff00000f358db0 x9 : ffff00000b41f418\n x8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : fefefeff6364626d\n x5 : 8080808000000000 x4 : 000000004b5ccb9d x3 : 0000000000000000\n x2 : 0000000000000000 x1 : ffff800083790000 x0 : ffff00000d5e5c80\n Call trace:\n usbhs_sys_function_pullup+0x10/0x40 [renesas_usbhs] (P)\n usbhsg_pullup+0x4c/0x7c [renesas_usbhs]\n usb_gadget_disconnect_locked+0x48/0xd4\n gadget_unbind_driver+0x44/0x114\n device_remove+0x4c/0x80\n device_release_driver_internal+0x1c8/0x224\n device_release_driver+0x18/0x24\n bus_remove_device+0xcc/0x10c\n device_del+0x14c/0x404\n usb_del_gadget+0x88/0xc0\n usb_del_gadget_udc+0x18/0x30\n usbhs_mod_gadget_remove+0x24/0x44 [renesas_usbhs]\n usbhs_mod_remove+0x20/0x30 [renesas_usbhs]\n usbhs_remove+0x98/0xdc [renesas_usbhs]\n platform_remove+0x20/0x30\n device_remove+0x4c/0x80\n device_release_driver_internal+0x1c8/0x224\n device_driver_detach+0x18/0x24\n unbind_store+0xb4/0xb8\n drv_attr_store+0x24/0x38\n sysfs_kf_write+0x7c/0x94\n kernfs_fop_write_iter+0x128/0x1b8\n vfs_write+0x2ac/0x350\n ksys_write+0x68/0xfc\n __arm64_sys_write+0x1c/0x28\n invoke_syscall+0x48/0x110\n el0_svc_common.constprop.0+0xc0/0xe0\n do_el0_svc+0x1c/0x28\n el0_svc+0x34/0xf0\n el0t_64_sync_handler+0xa0/0xe4\n el0t_64_sync+0x198/0x19c\n Code: 7100003f 1a9f07e1 531c6c22 f9400001 (79400021)\n ---[ end trace 0000000000000000 ]---\n note: sh[188] exited with irqs disabled\n note: sh[188] exited with preempt_count 1\n\nThe issue occurs because usbhs_sys_function_pullup(), which accesses the IP\nregisters, is executed after the USBHS clocks have been disabled. The\nproblem is reproducible on the Renesas RZ/G3S SoC starting with the\naddition of module stop in the clock enable/disable APIs. With module stop\nfunctionality enabled, a bus error is expected if a master accesses a\nmodule whose clock has been stopped and module stop activated.\n\nDisable the IP clocks at the end of remove."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-22T16:13:58.409Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fd1a7bf3a8cac13f6d2d52d8c7570ba41621db9a"
},
{
"url": "https://git.kernel.org/stable/c/cd5e86e34c66a831b5cb9b720ad411a006962cc8"
},
{
"url": "https://git.kernel.org/stable/c/230b1bc1310edcd5c1b71dcd6b77ccba43139cb5"
},
{
"url": "https://git.kernel.org/stable/c/9d86bc8b188a77c8d6f7252280ec2bd24ad6fbc1"
},
{
"url": "https://git.kernel.org/stable/c/26838f147aeaa8f820ff799d72815fba5e209bd9"
},
{
"url": "https://git.kernel.org/stable/c/aa658a6d5ac21c7cde54c6d015f2d4daff32e02d"
},
{
"url": "https://git.kernel.org/stable/c/eb9ac779830b2235847b72cb15cf07c7e3333c5e"
}
],
"title": "usb: renesas_usbhs: Fix synchronous external abort on unbind",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68327",
"datePublished": "2025-12-22T16:12:21.402Z",
"dateReserved": "2025-12-16T14:48:05.296Z",
"dateUpdated": "2025-12-22T16:13:58.409Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40178 (GCVE-0-2025-40178)
Vulnerability from cvelistv5
Published
2025-11-12 21:56
Modified
2026-01-02 15:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
pid: Add a judgment for ns null in pid_nr_ns
__task_pid_nr_ns
ns = task_active_pid_ns(current);
pid_nr_ns(rcu_dereference(*task_pid_ptr(task, type)), ns);
if (pid && ns->level <= pid->level) {
Sometimes null is returned for task_active_pid_ns. Then it will trigger kernel panic in pid_nr_ns.
For example:
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000058
Mem abort info:
ESR = 0x0000000096000007
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x07: level 3 translation fault
Data abort info:
ISV = 0, ISS = 0x00000007, ISS2 = 0x00000000
CM = 0, WnR = 0, TnD = 0, TagAccess = 0
GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
user pgtable: 4k pages, 39-bit VAs, pgdp=00000002175aa000
[0000000000000058] pgd=08000002175ab003, p4d=08000002175ab003, pud=08000002175ab003, pmd=08000002175be003, pte=0000000000000000
pstate: 834000c5 (Nzcv daIF +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
pc : __task_pid_nr_ns+0x74/0xd0
lr : __task_pid_nr_ns+0x24/0xd0
sp : ffffffc08001bd10
x29: ffffffc08001bd10 x28: ffffffd4422b2000 x27: 0000000000000001
x26: ffffffd442821168 x25: ffffffd442821000 x24: 00000f89492eab31
x23: 00000000000000c0 x22: ffffff806f5693c0 x21: ffffff806f5693c0
x20: 0000000000000001 x19: 0000000000000000 x18: 0000000000000000
x17: 00000000529c6ef0 x16: 00000000529c6ef0 x15: 00000000023a1adc
x14: 0000000000000003 x13: 00000000007ef6d8 x12: 001167c391c78800
x11: 00ffffffffffffff x10: 0000000000000000 x9 : 0000000000000001
x8 : ffffff80816fa3c0 x7 : 0000000000000000 x6 : 49534d702d535449
x5 : ffffffc080c4c2c0 x4 : ffffffd43ee128c8 x3 : ffffffd43ee124dc
x2 : 0000000000000000 x1 : 0000000000000001 x0 : ffffff806f5693c0
Call trace:
__task_pid_nr_ns+0x74/0xd0
...
__handle_irq_event_percpu+0xd4/0x284
handle_irq_event+0x48/0xb0
handle_fasteoi_irq+0x160/0x2d8
generic_handle_domain_irq+0x44/0x60
gic_handle_irq+0x4c/0x114
call_on_irq_stack+0x3c/0x74
do_interrupt_handler+0x4c/0x84
el1_interrupt+0x34/0x58
el1h_64_irq_handler+0x18/0x24
el1h_64_irq+0x68/0x6c
account_kernel_stack+0x60/0x144
exit_task_stack_account+0x1c/0x80
do_exit+0x7e4/0xaf8
...
get_signal+0x7bc/0x8d8
do_notify_resume+0x128/0x828
el0_svc+0x6c/0x70
el0t_64_sync_handler+0x68/0xbc
el0t_64_sync+0x1a8/0x1ac
Code: 35fffe54 911a02a8 f9400108 b4000128 (b9405a69)
---[ end trace 0000000000000000 ]---
Kernel panic - not syncing: Oops: Fatal exception in interrupt
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 17cf22c33e1f1b5e435469c84e43872579497653 Version: 17cf22c33e1f1b5e435469c84e43872579497653 Version: 17cf22c33e1f1b5e435469c84e43872579497653 Version: 17cf22c33e1f1b5e435469c84e43872579497653 Version: 17cf22c33e1f1b5e435469c84e43872579497653 Version: 17cf22c33e1f1b5e435469c84e43872579497653 Version: 17cf22c33e1f1b5e435469c84e43872579497653 Version: 17cf22c33e1f1b5e435469c84e43872579497653 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/pid.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "75dbc029c5359438be4a6f908bfbfdab969af776",
"status": "affected",
"version": "17cf22c33e1f1b5e435469c84e43872579497653",
"versionType": "git"
},
{
"lessThan": "c2d09d724856b6f82ab688f65fc1ce833bb56333",
"status": "affected",
"version": "17cf22c33e1f1b5e435469c84e43872579497653",
"versionType": "git"
},
{
"lessThan": "c3b654021931dc806ba086c549e8756c3f204a67",
"status": "affected",
"version": "17cf22c33e1f1b5e435469c84e43872579497653",
"versionType": "git"
},
{
"lessThan": "e10c36a771c5cc910abd9fe4aa9033ee32a47c38",
"status": "affected",
"version": "17cf22c33e1f1b5e435469c84e43872579497653",
"versionType": "git"
},
{
"lessThan": "09d227c59d97efda7d5cc878a4335a6b2bb224c2",
"status": "affected",
"version": "17cf22c33e1f1b5e435469c84e43872579497653",
"versionType": "git"
},
{
"lessThan": "2076b916bf41be48799d1443df0f8fc75d12ccd0",
"status": "affected",
"version": "17cf22c33e1f1b5e435469c84e43872579497653",
"versionType": "git"
},
{
"lessThan": "a0212978af1825b37da0b453b94d9b0e5af11478",
"status": "affected",
"version": "17cf22c33e1f1b5e435469c84e43872579497653",
"versionType": "git"
},
{
"lessThan": "006568ab4c5ca2309ceb36fa553e390b4aa9c0c7",
"status": "affected",
"version": "17cf22c33e1f1b5e435469c84e43872579497653",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/pid.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npid: Add a judgment for ns null in pid_nr_ns\n\n__task_pid_nr_ns\n ns = task_active_pid_ns(current);\n pid_nr_ns(rcu_dereference(*task_pid_ptr(task, type)), ns);\n if (pid \u0026\u0026 ns-\u003elevel \u003c= pid-\u003elevel) {\n\nSometimes null is returned for task_active_pid_ns. Then it will trigger kernel panic in pid_nr_ns.\n\nFor example:\n\tUnable to handle kernel NULL pointer dereference at virtual address 0000000000000058\n\tMem abort info:\n\tESR = 0x0000000096000007\n\tEC = 0x25: DABT (current EL), IL = 32 bits\n\tSET = 0, FnV = 0\n\tEA = 0, S1PTW = 0\n\tFSC = 0x07: level 3 translation fault\n\tData abort info:\n\tISV = 0, ISS = 0x00000007, ISS2 = 0x00000000\n\tCM = 0, WnR = 0, TnD = 0, TagAccess = 0\n\tGCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n\tuser pgtable: 4k pages, 39-bit VAs, pgdp=00000002175aa000\n\t[0000000000000058] pgd=08000002175ab003, p4d=08000002175ab003, pud=08000002175ab003, pmd=08000002175be003, pte=0000000000000000\n\tpstate: 834000c5 (Nzcv daIF +PAN -UAO +TCO +DIT -SSBS BTYPE=--)\n\tpc : __task_pid_nr_ns+0x74/0xd0\n\tlr : __task_pid_nr_ns+0x24/0xd0\n\tsp : ffffffc08001bd10\n\tx29: ffffffc08001bd10 x28: ffffffd4422b2000 x27: 0000000000000001\n\tx26: ffffffd442821168 x25: ffffffd442821000 x24: 00000f89492eab31\n\tx23: 00000000000000c0 x22: ffffff806f5693c0 x21: ffffff806f5693c0\n\tx20: 0000000000000001 x19: 0000000000000000 x18: 0000000000000000\n\tx17: 00000000529c6ef0 x16: 00000000529c6ef0 x15: 00000000023a1adc\n\tx14: 0000000000000003 x13: 00000000007ef6d8 x12: 001167c391c78800\n\tx11: 00ffffffffffffff x10: 0000000000000000 x9 : 0000000000000001\n\tx8 : ffffff80816fa3c0 x7 : 0000000000000000 x6 : 49534d702d535449\n\tx5 : ffffffc080c4c2c0 x4 : ffffffd43ee128c8 x3 : ffffffd43ee124dc\n\tx2 : 0000000000000000 x1 : 0000000000000001 x0 : ffffff806f5693c0\n\tCall trace:\n\t__task_pid_nr_ns+0x74/0xd0\n\t...\n\t__handle_irq_event_percpu+0xd4/0x284\n\thandle_irq_event+0x48/0xb0\n\thandle_fasteoi_irq+0x160/0x2d8\n\tgeneric_handle_domain_irq+0x44/0x60\n\tgic_handle_irq+0x4c/0x114\n\tcall_on_irq_stack+0x3c/0x74\n\tdo_interrupt_handler+0x4c/0x84\n\tel1_interrupt+0x34/0x58\n\tel1h_64_irq_handler+0x18/0x24\n\tel1h_64_irq+0x68/0x6c\n\taccount_kernel_stack+0x60/0x144\n\texit_task_stack_account+0x1c/0x80\n\tdo_exit+0x7e4/0xaf8\n\t...\n\tget_signal+0x7bc/0x8d8\n\tdo_notify_resume+0x128/0x828\n\tel0_svc+0x6c/0x70\n\tel0t_64_sync_handler+0x68/0xbc\n\tel0t_64_sync+0x1a8/0x1ac\n\tCode: 35fffe54 911a02a8 f9400108 b4000128 (b9405a69)\n\t---[ end trace 0000000000000000 ]---\n\tKernel panic - not syncing: Oops: Fatal exception in interrupt"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:08.316Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/75dbc029c5359438be4a6f908bfbfdab969af776"
},
{
"url": "https://git.kernel.org/stable/c/c2d09d724856b6f82ab688f65fc1ce833bb56333"
},
{
"url": "https://git.kernel.org/stable/c/c3b654021931dc806ba086c549e8756c3f204a67"
},
{
"url": "https://git.kernel.org/stable/c/e10c36a771c5cc910abd9fe4aa9033ee32a47c38"
},
{
"url": "https://git.kernel.org/stable/c/09d227c59d97efda7d5cc878a4335a6b2bb224c2"
},
{
"url": "https://git.kernel.org/stable/c/2076b916bf41be48799d1443df0f8fc75d12ccd0"
},
{
"url": "https://git.kernel.org/stable/c/a0212978af1825b37da0b453b94d9b0e5af11478"
},
{
"url": "https://git.kernel.org/stable/c/006568ab4c5ca2309ceb36fa553e390b4aa9c0c7"
}
],
"title": "pid: Add a judgment for ns null in pid_nr_ns",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40178",
"datePublished": "2025-11-12T21:56:24.051Z",
"dateReserved": "2025-04-16T07:20:57.177Z",
"dateUpdated": "2026-01-02T15:33:08.316Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68727 (GCVE-0-2025-68727)
Vulnerability from cvelistv5
Published
2025-12-24 10:33
Modified
2026-02-09 08:32
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ntfs3: Fix uninit buffer allocated by __getname()
Fix uninit errors caused after buffer allocation given to 'de'; by
initializing the buffer with zeroes. The fix was found by using KMSAN.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 78ab59fee07f22464f32eafebab2bd97ba94ff2d Version: 78ab59fee07f22464f32eafebab2bd97ba94ff2d Version: 78ab59fee07f22464f32eafebab2bd97ba94ff2d Version: 78ab59fee07f22464f32eafebab2bd97ba94ff2d Version: 78ab59fee07f22464f32eafebab2bd97ba94ff2d Version: 78ab59fee07f22464f32eafebab2bd97ba94ff2d Version: 78ab59fee07f22464f32eafebab2bd97ba94ff2d |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "90e23db1a85956026999c18e76f402542cb004da",
"status": "affected",
"version": "78ab59fee07f22464f32eafebab2bd97ba94ff2d",
"versionType": "git"
},
{
"lessThan": "53f4d6cb97096590410f3719f75cdf9fc5120f37",
"status": "affected",
"version": "78ab59fee07f22464f32eafebab2bd97ba94ff2d",
"versionType": "git"
},
{
"lessThan": "dcb5e3cd96b77d52bb65988e4c914636a6d4fdd9",
"status": "affected",
"version": "78ab59fee07f22464f32eafebab2bd97ba94ff2d",
"versionType": "git"
},
{
"lessThan": "4b1fd82848fdf0e01b3320815b261006c1722c3e",
"status": "affected",
"version": "78ab59fee07f22464f32eafebab2bd97ba94ff2d",
"versionType": "git"
},
{
"lessThan": "d88d4b455b6794f48d7adad52593f1700c7bd50e",
"status": "affected",
"version": "78ab59fee07f22464f32eafebab2bd97ba94ff2d",
"versionType": "git"
},
{
"lessThan": "b40a4eb4a0543d49686a6e693745009dac3b86a9",
"status": "affected",
"version": "78ab59fee07f22464f32eafebab2bd97ba94ff2d",
"versionType": "git"
},
{
"lessThan": "9948dcb2f7b5a1bf8e8710eafaf6016e00be3ad6",
"status": "affected",
"version": "78ab59fee07f22464f32eafebab2bd97ba94ff2d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nntfs3: Fix uninit buffer allocated by __getname()\n\nFix uninit errors caused after buffer allocation given to \u0027de\u0027; by\ninitializing the buffer with zeroes. The fix was found by using KMSAN."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:32:23.446Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/90e23db1a85956026999c18e76f402542cb004da"
},
{
"url": "https://git.kernel.org/stable/c/53f4d6cb97096590410f3719f75cdf9fc5120f37"
},
{
"url": "https://git.kernel.org/stable/c/dcb5e3cd96b77d52bb65988e4c914636a6d4fdd9"
},
{
"url": "https://git.kernel.org/stable/c/4b1fd82848fdf0e01b3320815b261006c1722c3e"
},
{
"url": "https://git.kernel.org/stable/c/d88d4b455b6794f48d7adad52593f1700c7bd50e"
},
{
"url": "https://git.kernel.org/stable/c/b40a4eb4a0543d49686a6e693745009dac3b86a9"
},
{
"url": "https://git.kernel.org/stable/c/9948dcb2f7b5a1bf8e8710eafaf6016e00be3ad6"
}
],
"title": "ntfs3: Fix uninit buffer allocated by __getname()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68727",
"datePublished": "2025-12-24T10:33:11.085Z",
"dateReserved": "2025-12-24T10:30:51.028Z",
"dateUpdated": "2026-02-09T08:32:23.446Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68308 (GCVE-0-2025-68308)
Vulnerability from cvelistv5
Published
2025-12-16 15:06
Modified
2025-12-16 15:06
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: kvaser_usb: leaf: Fix potential infinite loop in command parsers
The `kvaser_usb_leaf_wait_cmd()` and `kvaser_usb_leaf_read_bulk_callback`
functions contain logic to zero-length commands. These commands are used
to align data to the USB endpoint's wMaxPacketSize boundary.
The driver attempts to skip these placeholders by aligning the buffer
position `pos` to the next packet boundary using `round_up()` function.
However, if zero-length command is found exactly on a packet boundary
(i.e., `pos` is a multiple of wMaxPacketSize, including 0), `round_up`
function will return the unchanged value of `pos`. This prevents `pos`
to be increased, causing an infinite loop in the parsing logic.
This patch fixes this in the function by using `pos + 1` instead.
This ensures that even if `pos` is on a boundary, the calculation is
based on `pos + 1`, forcing `round_up()` to always return the next
aligned boundary.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 7259124eac7d1b76b41c7a9cb2511a30556deebe Version: 7259124eac7d1b76b41c7a9cb2511a30556deebe Version: 7259124eac7d1b76b41c7a9cb2511a30556deebe Version: 7259124eac7d1b76b41c7a9cb2511a30556deebe Version: 7259124eac7d1b76b41c7a9cb2511a30556deebe Version: 7259124eac7d1b76b41c7a9cb2511a30556deebe Version: 7259124eac7d1b76b41c7a9cb2511a30556deebe |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "58343e0a4d43699f0e2f5b169384bbe4c0217add",
"status": "affected",
"version": "7259124eac7d1b76b41c7a9cb2511a30556deebe",
"versionType": "git"
},
{
"lessThan": "69c7825df64e24dc15d31631a1fc9145324b1345",
"status": "affected",
"version": "7259124eac7d1b76b41c7a9cb2511a30556deebe",
"versionType": "git"
},
{
"lessThan": "028e89c7e8b4346302e88df01cc50e0a1f05791a",
"status": "affected",
"version": "7259124eac7d1b76b41c7a9cb2511a30556deebe",
"versionType": "git"
},
{
"lessThan": "e9dd83a75a7274edef21682c823bf0b66d7b6b7f",
"status": "affected",
"version": "7259124eac7d1b76b41c7a9cb2511a30556deebe",
"versionType": "git"
},
{
"lessThan": "0897cea266e39166a36111059ba147192b36592f",
"status": "affected",
"version": "7259124eac7d1b76b41c7a9cb2511a30556deebe",
"versionType": "git"
},
{
"lessThan": "bd8135a560cf6e64f0b98ed4daadf126a38f7f48",
"status": "affected",
"version": "7259124eac7d1b76b41c7a9cb2511a30556deebe",
"versionType": "git"
},
{
"lessThan": "0c73772cd2b8cc108d5f5334de89ad648d89b9ec",
"status": "affected",
"version": "7259124eac7d1b76b41c7a9cb2511a30556deebe",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: kvaser_usb: leaf: Fix potential infinite loop in command parsers\n\nThe `kvaser_usb_leaf_wait_cmd()` and `kvaser_usb_leaf_read_bulk_callback`\nfunctions contain logic to zero-length commands. These commands are used\nto align data to the USB endpoint\u0027s wMaxPacketSize boundary.\n\nThe driver attempts to skip these placeholders by aligning the buffer\nposition `pos` to the next packet boundary using `round_up()` function.\n\nHowever, if zero-length command is found exactly on a packet boundary\n(i.e., `pos` is a multiple of wMaxPacketSize, including 0), `round_up`\nfunction will return the unchanged value of `pos`. This prevents `pos`\nto be increased, causing an infinite loop in the parsing logic.\n\nThis patch fixes this in the function by using `pos + 1` instead.\nThis ensures that even if `pos` is on a boundary, the calculation is\nbased on `pos + 1`, forcing `round_up()` to always return the next\naligned boundary."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:06:25.081Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/58343e0a4d43699f0e2f5b169384bbe4c0217add"
},
{
"url": "https://git.kernel.org/stable/c/69c7825df64e24dc15d31631a1fc9145324b1345"
},
{
"url": "https://git.kernel.org/stable/c/028e89c7e8b4346302e88df01cc50e0a1f05791a"
},
{
"url": "https://git.kernel.org/stable/c/e9dd83a75a7274edef21682c823bf0b66d7b6b7f"
},
{
"url": "https://git.kernel.org/stable/c/0897cea266e39166a36111059ba147192b36592f"
},
{
"url": "https://git.kernel.org/stable/c/bd8135a560cf6e64f0b98ed4daadf126a38f7f48"
},
{
"url": "https://git.kernel.org/stable/c/0c73772cd2b8cc108d5f5334de89ad648d89b9ec"
}
],
"title": "can: kvaser_usb: leaf: Fix potential infinite loop in command parsers",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68308",
"datePublished": "2025-12-16T15:06:25.081Z",
"dateReserved": "2025-12-16T14:48:05.294Z",
"dateUpdated": "2025-12-16T15:06:25.081Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68788 (GCVE-0-2025-68788)
Vulnerability from cvelistv5
Published
2026-01-13 15:29
Modified
2026-02-09 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
fsnotify: do not generate ACCESS/MODIFY events on child for special files
inotify/fanotify do not allow users with no read access to a file to
subscribe to events (e.g. IN_ACCESS/IN_MODIFY), but they do allow the
same user to subscribe for watching events on children when the user
has access to the parent directory (e.g. /dev).
Users with no read access to a file but with read access to its parent
directory can still stat the file and see if it was accessed/modified
via atime/mtime change.
The same is not true for special files (e.g. /dev/null). Users will not
generally observe atime/mtime changes when other users read/write to
special files, only when someone sets atime/mtime via utimensat().
Align fsnotify events with this stat behavior and do not generate
ACCESS/MODIFY events to parent watchers on read/write of special files.
The events are still generated to parent watchers on utimensat(). This
closes some side-channels that could be possibly used for information
exfiltration [1].
[1] https://snee.la/pdf/pubs/file-notification-attacks.pdf
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 72acc854427948efed7a83da27f7dc3239ac9afc Version: 72acc854427948efed7a83da27f7dc3239ac9afc Version: 72acc854427948efed7a83da27f7dc3239ac9afc Version: 72acc854427948efed7a83da27f7dc3239ac9afc Version: 72acc854427948efed7a83da27f7dc3239ac9afc Version: 72acc854427948efed7a83da27f7dc3239ac9afc Version: 72acc854427948efed7a83da27f7dc3239ac9afc |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/notify/fsnotify.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "df2711544b050aba703e6da418c53c7dc5d443ca",
"status": "affected",
"version": "72acc854427948efed7a83da27f7dc3239ac9afc",
"versionType": "git"
},
{
"lessThan": "859bdf438f01d9aa7f84b09c1202d548c7cad9e8",
"status": "affected",
"version": "72acc854427948efed7a83da27f7dc3239ac9afc",
"versionType": "git"
},
{
"lessThan": "6a7d7d96eeeab7af2bd01afbb3d9878a11a13d91",
"status": "affected",
"version": "72acc854427948efed7a83da27f7dc3239ac9afc",
"versionType": "git"
},
{
"lessThan": "e0643d46759db8b84c0504a676043e5e341b6c81",
"status": "affected",
"version": "72acc854427948efed7a83da27f7dc3239ac9afc",
"versionType": "git"
},
{
"lessThan": "82f7416bcbd951549e758d15fc1a96a5afc2e900",
"status": "affected",
"version": "72acc854427948efed7a83da27f7dc3239ac9afc",
"versionType": "git"
},
{
"lessThan": "7a93edb23bcf07a3aaf8b598edfc2faa8fbcc0b6",
"status": "affected",
"version": "72acc854427948efed7a83da27f7dc3239ac9afc",
"versionType": "git"
},
{
"lessThan": "635bc4def026a24e071436f4f356ea08c0eed6ff",
"status": "affected",
"version": "72acc854427948efed7a83da27f7dc3239ac9afc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/notify/fsnotify.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.36"
},
{
"lessThan": "2.6.36",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.36",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfsnotify: do not generate ACCESS/MODIFY events on child for special files\n\ninotify/fanotify do not allow users with no read access to a file to\nsubscribe to events (e.g. IN_ACCESS/IN_MODIFY), but they do allow the\nsame user to subscribe for watching events on children when the user\nhas access to the parent directory (e.g. /dev).\n\nUsers with no read access to a file but with read access to its parent\ndirectory can still stat the file and see if it was accessed/modified\nvia atime/mtime change.\n\nThe same is not true for special files (e.g. /dev/null). Users will not\ngenerally observe atime/mtime changes when other users read/write to\nspecial files, only when someone sets atime/mtime via utimensat().\n\nAlign fsnotify events with this stat behavior and do not generate\nACCESS/MODIFY events to parent watchers on read/write of special files.\nThe events are still generated to parent watchers on utimensat(). This\ncloses some side-channels that could be possibly used for information\nexfiltration [1].\n\n[1] https://snee.la/pdf/pubs/file-notification-attacks.pdf"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:35.171Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/df2711544b050aba703e6da418c53c7dc5d443ca"
},
{
"url": "https://git.kernel.org/stable/c/859bdf438f01d9aa7f84b09c1202d548c7cad9e8"
},
{
"url": "https://git.kernel.org/stable/c/6a7d7d96eeeab7af2bd01afbb3d9878a11a13d91"
},
{
"url": "https://git.kernel.org/stable/c/e0643d46759db8b84c0504a676043e5e341b6c81"
},
{
"url": "https://git.kernel.org/stable/c/82f7416bcbd951549e758d15fc1a96a5afc2e900"
},
{
"url": "https://git.kernel.org/stable/c/7a93edb23bcf07a3aaf8b598edfc2faa8fbcc0b6"
},
{
"url": "https://git.kernel.org/stable/c/635bc4def026a24e071436f4f356ea08c0eed6ff"
}
],
"title": "fsnotify: do not generate ACCESS/MODIFY events on child for special files",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68788",
"datePublished": "2026-01-13T15:29:01.270Z",
"dateReserved": "2025-12-24T10:30:51.037Z",
"dateUpdated": "2026-02-09T08:33:35.171Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40029 (GCVE-0-2025-40029)
Vulnerability from cvelistv5
Published
2025-10-28 11:48
Modified
2025-12-01 06:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bus: fsl-mc: Check return value of platform_get_resource()
platform_get_resource() returns NULL in case of failure, so check its
return value and propagate the error in order to prevent NULL pointer
dereference.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 6305166c8771c33a8d5992fb53f93cfecedc14fd Version: 6305166c8771c33a8d5992fb53f93cfecedc14fd Version: 6305166c8771c33a8d5992fb53f93cfecedc14fd Version: 6305166c8771c33a8d5992fb53f93cfecedc14fd Version: 6305166c8771c33a8d5992fb53f93cfecedc14fd Version: 6305166c8771c33a8d5992fb53f93cfecedc14fd Version: 6305166c8771c33a8d5992fb53f93cfecedc14fd |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/bus/fsl-mc/fsl-mc-bus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "58dd05070b57a20f22ff35a34ef9846bdf49a1d0",
"status": "affected",
"version": "6305166c8771c33a8d5992fb53f93cfecedc14fd",
"versionType": "git"
},
{
"lessThan": "8a4dd74fe413d4a278e649be1d22d028e1667116",
"status": "affected",
"version": "6305166c8771c33a8d5992fb53f93cfecedc14fd",
"versionType": "git"
},
{
"lessThan": "e60d55692e6c8e951000343c39f3fc92cab57efc",
"status": "affected",
"version": "6305166c8771c33a8d5992fb53f93cfecedc14fd",
"versionType": "git"
},
{
"lessThan": "78e87b8a3cf8a59671ea25c87192d16e8d710e1c",
"status": "affected",
"version": "6305166c8771c33a8d5992fb53f93cfecedc14fd",
"versionType": "git"
},
{
"lessThan": "84ec0482ed9c9ed0aee553a5e7e7458ad79c021f",
"status": "affected",
"version": "6305166c8771c33a8d5992fb53f93cfecedc14fd",
"versionType": "git"
},
{
"lessThan": "2ead548473f58c7960b6b939b79503c4a0a2c0bd",
"status": "affected",
"version": "6305166c8771c33a8d5992fb53f93cfecedc14fd",
"versionType": "git"
},
{
"lessThan": "25f526507b8ccc6ac3a43bc094d09b1f9b0b90ae",
"status": "affected",
"version": "6305166c8771c33a8d5992fb53f93cfecedc14fd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/bus/fsl-mc/fsl-mc-bus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbus: fsl-mc: Check return value of platform_get_resource()\n\nplatform_get_resource() returns NULL in case of failure, so check its\nreturn value and propagate the error in order to prevent NULL pointer\ndereference."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:16:31.791Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/58dd05070b57a20f22ff35a34ef9846bdf49a1d0"
},
{
"url": "https://git.kernel.org/stable/c/8a4dd74fe413d4a278e649be1d22d028e1667116"
},
{
"url": "https://git.kernel.org/stable/c/e60d55692e6c8e951000343c39f3fc92cab57efc"
},
{
"url": "https://git.kernel.org/stable/c/78e87b8a3cf8a59671ea25c87192d16e8d710e1c"
},
{
"url": "https://git.kernel.org/stable/c/84ec0482ed9c9ed0aee553a5e7e7458ad79c021f"
},
{
"url": "https://git.kernel.org/stable/c/2ead548473f58c7960b6b939b79503c4a0a2c0bd"
},
{
"url": "https://git.kernel.org/stable/c/25f526507b8ccc6ac3a43bc094d09b1f9b0b90ae"
}
],
"title": "bus: fsl-mc: Check return value of platform_get_resource()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40029",
"datePublished": "2025-10-28T11:48:00.679Z",
"dateReserved": "2025-04-16T07:20:57.153Z",
"dateUpdated": "2025-12-01T06:16:31.791Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68741 (GCVE-0-2025-68741)
Vulnerability from cvelistv5
Published
2025-12-24 12:09
Modified
2026-02-09 08:32
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: qla2xxx: Fix improper freeing of purex item
In qla2xxx_process_purls_iocb(), an item is allocated via
qla27xx_copy_multiple_pkt(), which internally calls
qla24xx_alloc_purex_item().
The qla24xx_alloc_purex_item() function may return a pre-allocated item
from a per-adapter pool for small allocations, instead of dynamically
allocating memory with kzalloc().
An error handling path in qla2xxx_process_purls_iocb() incorrectly uses
kfree() to release the item. If the item was from the pre-allocated
pool, calling kfree() on it is a bug that can lead to memory corruption.
Fix this by using the correct deallocation function,
qla24xx_free_purex_item(), which properly handles both dynamically
allocated and pre-allocated items.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_nvme.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4bccd506a1f1ab01d1f45b2a3effff6bedc73cf9",
"status": "affected",
"version": "875386b98857822b77ac7f95bdf367b70af5b78c",
"versionType": "git"
},
{
"lessThan": "8e9f0a0717ba31d5842721627ade1e62d7aec012",
"status": "affected",
"version": "875386b98857822b77ac7f95bdf367b70af5b78c",
"versionType": "git"
},
{
"lessThan": "cfe3e2f768d248fd3d965d561d0768a56dd0b9f8",
"status": "affected",
"version": "875386b98857822b77ac7f95bdf367b70af5b78c",
"versionType": "git"
},
{
"lessThan": "5fa1c8226b4532ad7011d295d3ab4ad45df105ae",
"status": "affected",
"version": "875386b98857822b77ac7f95bdf367b70af5b78c",
"versionType": "git"
},
{
"lessThan": "78b1a242fe612a755f2158fd206ee6bb577d18ca",
"status": "affected",
"version": "875386b98857822b77ac7f95bdf367b70af5b78c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_nvme.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.6"
},
{
"lessThan": "6.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix improper freeing of purex item\n\nIn qla2xxx_process_purls_iocb(), an item is allocated via\nqla27xx_copy_multiple_pkt(), which internally calls\nqla24xx_alloc_purex_item().\n\nThe qla24xx_alloc_purex_item() function may return a pre-allocated item\nfrom a per-adapter pool for small allocations, instead of dynamically\nallocating memory with kzalloc().\n\nAn error handling path in qla2xxx_process_purls_iocb() incorrectly uses\nkfree() to release the item. If the item was from the pre-allocated\npool, calling kfree() on it is a bug that can lead to memory corruption.\n\nFix this by using the correct deallocation function,\nqla24xx_free_purex_item(), which properly handles both dynamically\nallocated and pre-allocated items."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:32:45.301Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4bccd506a1f1ab01d1f45b2a3effff6bedc73cf9"
},
{
"url": "https://git.kernel.org/stable/c/8e9f0a0717ba31d5842721627ade1e62d7aec012"
},
{
"url": "https://git.kernel.org/stable/c/cfe3e2f768d248fd3d965d561d0768a56dd0b9f8"
},
{
"url": "https://git.kernel.org/stable/c/5fa1c8226b4532ad7011d295d3ab4ad45df105ae"
},
{
"url": "https://git.kernel.org/stable/c/78b1a242fe612a755f2158fd206ee6bb577d18ca"
}
],
"title": "scsi: qla2xxx: Fix improper freeing of purex item",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68741",
"datePublished": "2025-12-24T12:09:38.655Z",
"dateReserved": "2025-12-24T10:30:51.030Z",
"dateUpdated": "2026-02-09T08:32:45.301Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39869 (GCVE-0-2025-39869)
Vulnerability from cvelistv5
Published
2025-09-23 06:00
Modified
2025-11-03 17:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: ti: edma: Fix memory allocation size for queue_priority_map
Fix a critical memory allocation bug in edma_setup_from_hw() where
queue_priority_map was allocated with insufficient memory. The code
declared queue_priority_map as s8 (*)[2] (pointer to array of 2 s8),
but allocated memory using sizeof(s8) instead of the correct size.
This caused out-of-bounds memory writes when accessing:
queue_priority_map[i][0] = i;
queue_priority_map[i][1] = i;
The bug manifested as kernel crashes with "Oops - undefined instruction"
on ARM platforms (BeagleBoard-X15) during EDMA driver probe, as the
memory corruption triggered kernel hardening features on Clang.
Change the allocation to use sizeof(*queue_priority_map) which
automatically gets the correct size for the 2D array structure.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 2b6b3b7420190888793c49e97276e1e73bd7eaed Version: 2b6b3b7420190888793c49e97276e1e73bd7eaed Version: 2b6b3b7420190888793c49e97276e1e73bd7eaed Version: 2b6b3b7420190888793c49e97276e1e73bd7eaed Version: 2b6b3b7420190888793c49e97276e1e73bd7eaed Version: 2b6b3b7420190888793c49e97276e1e73bd7eaed Version: 2b6b3b7420190888793c49e97276e1e73bd7eaed Version: 2b6b3b7420190888793c49e97276e1e73bd7eaed |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:18.233Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/ti/edma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7d4de60d6db02d9b01d5890d5156b04fad65d07a",
"status": "affected",
"version": "2b6b3b7420190888793c49e97276e1e73bd7eaed",
"versionType": "git"
},
{
"lessThan": "d722de80ce037dccf6931e778f4a46499d51bdf9",
"status": "affected",
"version": "2b6b3b7420190888793c49e97276e1e73bd7eaed",
"versionType": "git"
},
{
"lessThan": "301a96cc4dc006c9a285913d301e681cfbf7edb6",
"status": "affected",
"version": "2b6b3b7420190888793c49e97276e1e73bd7eaed",
"versionType": "git"
},
{
"lessThan": "5e462fa0dfdb52b3983cf41532d3d4c7d63e2f93",
"status": "affected",
"version": "2b6b3b7420190888793c49e97276e1e73bd7eaed",
"versionType": "git"
},
{
"lessThan": "1baed10553fc8b388351d8fc803e3ae6f1a863bc",
"status": "affected",
"version": "2b6b3b7420190888793c49e97276e1e73bd7eaed",
"versionType": "git"
},
{
"lessThan": "069fd1688c57c0cc8a3de64d108579b31676f74b",
"status": "affected",
"version": "2b6b3b7420190888793c49e97276e1e73bd7eaed",
"versionType": "git"
},
{
"lessThan": "d5e82f3f2c918d446df46e8d65f8083fd97cdec5",
"status": "affected",
"version": "2b6b3b7420190888793c49e97276e1e73bd7eaed",
"versionType": "git"
},
{
"lessThan": "e63419dbf2ceb083c1651852209c7f048089ac0f",
"status": "affected",
"version": "2b6b3b7420190888793c49e97276e1e73bd7eaed",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/ti/edma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.4"
},
{
"lessThan": "4.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.153",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.107",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.48",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: ti: edma: Fix memory allocation size for queue_priority_map\n\nFix a critical memory allocation bug in edma_setup_from_hw() where\nqueue_priority_map was allocated with insufficient memory. The code\ndeclared queue_priority_map as s8 (*)[2] (pointer to array of 2 s8),\nbut allocated memory using sizeof(s8) instead of the correct size.\n\nThis caused out-of-bounds memory writes when accessing:\n queue_priority_map[i][0] = i;\n queue_priority_map[i][1] = i;\n\nThe bug manifested as kernel crashes with \"Oops - undefined instruction\"\non ARM platforms (BeagleBoard-X15) during EDMA driver probe, as the\nmemory corruption triggered kernel hardening features on Clang.\n\nChange the allocation to use sizeof(*queue_priority_map) which\nautomatically gets the correct size for the 2D array structure."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T13:26:04.116Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7d4de60d6db02d9b01d5890d5156b04fad65d07a"
},
{
"url": "https://git.kernel.org/stable/c/d722de80ce037dccf6931e778f4a46499d51bdf9"
},
{
"url": "https://git.kernel.org/stable/c/301a96cc4dc006c9a285913d301e681cfbf7edb6"
},
{
"url": "https://git.kernel.org/stable/c/5e462fa0dfdb52b3983cf41532d3d4c7d63e2f93"
},
{
"url": "https://git.kernel.org/stable/c/1baed10553fc8b388351d8fc803e3ae6f1a863bc"
},
{
"url": "https://git.kernel.org/stable/c/069fd1688c57c0cc8a3de64d108579b31676f74b"
},
{
"url": "https://git.kernel.org/stable/c/d5e82f3f2c918d446df46e8d65f8083fd97cdec5"
},
{
"url": "https://git.kernel.org/stable/c/e63419dbf2ceb083c1651852209c7f048089ac0f"
}
],
"title": "dmaengine: ti: edma: Fix memory allocation size for queue_priority_map",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39869",
"datePublished": "2025-09-23T06:00:43.852Z",
"dateReserved": "2025-04-16T07:20:57.143Z",
"dateUpdated": "2025-11-03T17:44:18.233Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68815 (GCVE-0-2025-68815)
Vulnerability from cvelistv5
Published
2026-01-13 15:29
Modified
2026-02-09 08:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: ets: Remove drr class from the active list if it changes to strict
Whenever a user issues an ets qdisc change command, transforming a
drr class into a strict one, the ets code isn't checking whether that
class was in the active list and removing it. This means that, if a
user changes a strict class (which was in the active list) back to a drr
one, that class will be added twice to the active list [1].
Doing so with the following commands:
tc qdisc add dev lo root handle 1: ets bands 2 strict 1
tc qdisc add dev lo parent 1:2 handle 20: \
tbf rate 8bit burst 100b latency 1s
tc filter add dev lo parent 1: basic classid 1:2
ping -c1 -W0.01 -s 56 127.0.0.1
tc qdisc change dev lo root handle 1: ets bands 2 strict 2
tc qdisc change dev lo root handle 1: ets bands 2 strict 1
ping -c1 -W0.01 -s 56 127.0.0.1
Will trigger the following splat with list debug turned on:
[ 59.279014][ T365] ------------[ cut here ]------------
[ 59.279452][ T365] list_add double add: new=ffff88801d60e350, prev=ffff88801d60e350, next=ffff88801d60e2c0.
[ 59.280153][ T365] WARNING: CPU: 3 PID: 365 at lib/list_debug.c:35 __list_add_valid_or_report+0x17f/0x220
[ 59.280860][ T365] Modules linked in:
[ 59.281165][ T365] CPU: 3 UID: 0 PID: 365 Comm: tc Not tainted 6.18.0-rc7-00105-g7e9f13163c13-dirty #239 PREEMPT(voluntary)
[ 59.281977][ T365] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 59.282391][ T365] RIP: 0010:__list_add_valid_or_report+0x17f/0x220
[ 59.282842][ T365] Code: 89 c6 e8 d4 b7 0d ff 90 0f 0b 90 90 31 c0 e9 31 ff ff ff 90 48 c7 c7 e0 a0 22 9f 48 89 f2 48 89 c1 4c 89 c6 e8 b2 b7 0d ff 90 <0f> 0b 90 90 31 c0 e9 0f ff ff ff 48 89 f7 48 89 44 24 10 4c 89 44
...
[ 59.288812][ T365] Call Trace:
[ 59.289056][ T365] <TASK>
[ 59.289224][ T365] ? srso_alias_return_thunk+0x5/0xfbef5
[ 59.289546][ T365] ets_qdisc_change+0xd2b/0x1e80
[ 59.289891][ T365] ? __lock_acquire+0x7e7/0x1be0
[ 59.290223][ T365] ? __pfx_ets_qdisc_change+0x10/0x10
[ 59.290546][ T365] ? srso_alias_return_thunk+0x5/0xfbef5
[ 59.290898][ T365] ? __mutex_trylock_common+0xda/0x240
[ 59.291228][ T365] ? __pfx___mutex_trylock_common+0x10/0x10
[ 59.291655][ T365] ? srso_alias_return_thunk+0x5/0xfbef5
[ 59.291993][ T365] ? srso_alias_return_thunk+0x5/0xfbef5
[ 59.292313][ T365] ? trace_contention_end+0xc8/0x110
[ 59.292656][ T365] ? srso_alias_return_thunk+0x5/0xfbef5
[ 59.293022][ T365] ? srso_alias_return_thunk+0x5/0xfbef5
[ 59.293351][ T365] tc_modify_qdisc+0x63a/0x1cf0
Fix this by always checking and removing an ets class from the active list
when changing it to strict.
[1] https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/tree/net/sched/sch_ets.c?id=ce052b9402e461a9aded599f5b47e76bc727f7de#n663
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: f517335a61ff8037b18ba1b0a002c1f82926a934 Version: cd9b50adc6bb9ad3f7d244590a389522215865c4 Version: cd9b50adc6bb9ad3f7d244590a389522215865c4 Version: cd9b50adc6bb9ad3f7d244590a389522215865c4 Version: cd9b50adc6bb9ad3f7d244590a389522215865c4 Version: cd9b50adc6bb9ad3f7d244590a389522215865c4 Version: cd9b50adc6bb9ad3f7d244590a389522215865c4 Version: d05330672afe2e142ba97e63bd7c1faef76781bb |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_ets.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "58fdce6bc005e964f1dbc3ca716f5fe0f68839a2",
"status": "affected",
"version": "f517335a61ff8037b18ba1b0a002c1f82926a934",
"versionType": "git"
},
{
"lessThan": "02783a37cb1c0a2bd9fcba4ff1b81e6e209c7d87",
"status": "affected",
"version": "cd9b50adc6bb9ad3f7d244590a389522215865c4",
"versionType": "git"
},
{
"lessThan": "8067db5c95aab9461d23117679338cd8869831fa",
"status": "affected",
"version": "cd9b50adc6bb9ad3f7d244590a389522215865c4",
"versionType": "git"
},
{
"lessThan": "2f125ebe47d6369e562f3cbd9b6227cff51eaf34",
"status": "affected",
"version": "cd9b50adc6bb9ad3f7d244590a389522215865c4",
"versionType": "git"
},
{
"lessThan": "cca2ed931b734fe48139bc6f020e47367346630f",
"status": "affected",
"version": "cd9b50adc6bb9ad3f7d244590a389522215865c4",
"versionType": "git"
},
{
"lessThan": "43d9a530c8c094d137159784e7c951c65f11ec6c",
"status": "affected",
"version": "cd9b50adc6bb9ad3f7d244590a389522215865c4",
"versionType": "git"
},
{
"lessThan": "b1e125ae425aba9b45252e933ca8df52a843ec70",
"status": "affected",
"version": "cd9b50adc6bb9ad3f7d244590a389522215865c4",
"versionType": "git"
},
{
"status": "affected",
"version": "d05330672afe2e142ba97e63bd7c1faef76781bb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_ets.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.10.62",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.13.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: ets: Remove drr class from the active list if it changes to strict\n\nWhenever a user issues an ets qdisc change command, transforming a\ndrr class into a strict one, the ets code isn\u0027t checking whether that\nclass was in the active list and removing it. This means that, if a\nuser changes a strict class (which was in the active list) back to a drr\none, that class will be added twice to the active list [1].\n\nDoing so with the following commands:\n\ntc qdisc add dev lo root handle 1: ets bands 2 strict 1\ntc qdisc add dev lo parent 1:2 handle 20: \\\n tbf rate 8bit burst 100b latency 1s\ntc filter add dev lo parent 1: basic classid 1:2\nping -c1 -W0.01 -s 56 127.0.0.1\ntc qdisc change dev lo root handle 1: ets bands 2 strict 2\ntc qdisc change dev lo root handle 1: ets bands 2 strict 1\nping -c1 -W0.01 -s 56 127.0.0.1\n\nWill trigger the following splat with list debug turned on:\n\n[ 59.279014][ T365] ------------[ cut here ]------------\n[ 59.279452][ T365] list_add double add: new=ffff88801d60e350, prev=ffff88801d60e350, next=ffff88801d60e2c0.\n[ 59.280153][ T365] WARNING: CPU: 3 PID: 365 at lib/list_debug.c:35 __list_add_valid_or_report+0x17f/0x220\n[ 59.280860][ T365] Modules linked in:\n[ 59.281165][ T365] CPU: 3 UID: 0 PID: 365 Comm: tc Not tainted 6.18.0-rc7-00105-g7e9f13163c13-dirty #239 PREEMPT(voluntary)\n[ 59.281977][ T365] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011\n[ 59.282391][ T365] RIP: 0010:__list_add_valid_or_report+0x17f/0x220\n[ 59.282842][ T365] Code: 89 c6 e8 d4 b7 0d ff 90 0f 0b 90 90 31 c0 e9 31 ff ff ff 90 48 c7 c7 e0 a0 22 9f 48 89 f2 48 89 c1 4c 89 c6 e8 b2 b7 0d ff 90 \u003c0f\u003e 0b 90 90 31 c0 e9 0f ff ff ff 48 89 f7 48 89 44 24 10 4c 89 44\n...\n[ 59.288812][ T365] Call Trace:\n[ 59.289056][ T365] \u003cTASK\u003e\n[ 59.289224][ T365] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 59.289546][ T365] ets_qdisc_change+0xd2b/0x1e80\n[ 59.289891][ T365] ? __lock_acquire+0x7e7/0x1be0\n[ 59.290223][ T365] ? __pfx_ets_qdisc_change+0x10/0x10\n[ 59.290546][ T365] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 59.290898][ T365] ? __mutex_trylock_common+0xda/0x240\n[ 59.291228][ T365] ? __pfx___mutex_trylock_common+0x10/0x10\n[ 59.291655][ T365] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 59.291993][ T365] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 59.292313][ T365] ? trace_contention_end+0xc8/0x110\n[ 59.292656][ T365] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 59.293022][ T365] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 59.293351][ T365] tc_modify_qdisc+0x63a/0x1cf0\n\nFix this by always checking and removing an ets class from the active list\nwhen changing it to strict.\n\n[1] https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/tree/net/sched/sch_ets.c?id=ce052b9402e461a9aded599f5b47e76bc727f7de#n663"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:05.037Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/58fdce6bc005e964f1dbc3ca716f5fe0f68839a2"
},
{
"url": "https://git.kernel.org/stable/c/02783a37cb1c0a2bd9fcba4ff1b81e6e209c7d87"
},
{
"url": "https://git.kernel.org/stable/c/8067db5c95aab9461d23117679338cd8869831fa"
},
{
"url": "https://git.kernel.org/stable/c/2f125ebe47d6369e562f3cbd9b6227cff51eaf34"
},
{
"url": "https://git.kernel.org/stable/c/cca2ed931b734fe48139bc6f020e47367346630f"
},
{
"url": "https://git.kernel.org/stable/c/43d9a530c8c094d137159784e7c951c65f11ec6c"
},
{
"url": "https://git.kernel.org/stable/c/b1e125ae425aba9b45252e933ca8df52a843ec70"
}
],
"title": "net/sched: ets: Remove drr class from the active list if it changes to strict",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68815",
"datePublished": "2026-01-13T15:29:19.789Z",
"dateReserved": "2025-12-24T10:30:51.047Z",
"dateUpdated": "2026-02-09T08:34:05.037Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71140 (GCVE-0-2025-71140)
Vulnerability from cvelistv5
Published
2026-01-14 15:07
Modified
2026-02-09 08:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: mediatek: vcodec: Use spinlock for context list protection lock
Previously a mutex was added to protect the encoder and decoder context
lists from unexpected changes originating from the SCP IP block, causing
the context pointer to go invalid, resulting in a NULL pointer
dereference in the IPI handler.
Turns out on the MT8173, the VPU IPI handler is called from hard IRQ
context. This causes a big warning from the scheduler. This was first
reported downstream on the ChromeOS kernels, but is also reproducible
on mainline using Fluster with the FFmpeg v4l2m2m decoders. Even though
the actual capture format is not supported, the affected code paths
are triggered.
Since this lock just protects the context list and operations on it are
very fast, it should be OK to switch to a spinlock.
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 0a2dc707aa42214f9c4827bd57e344e29a0841d6 Version: 6467cda18c9f9b5f2f9a0aa1e2861c653e41f382 Version: 6467cda18c9f9b5f2f9a0aa1e2861c653e41f382 Version: 6467cda18c9f9b5f2f9a0aa1e2861c653e41f382 Version: 23aaf824121055ba81b55f75444355bd83c8eb38 Version: 41671f0c0182b2bae74ca7e3b0f155559e3e2fc5 Version: 51c84a8aac6e3b59af2b0e92ba63cabe2e641a2d |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/mediatek/vcodec/common/mtk_vcodec_fw_vpu.c",
"drivers/media/platform/mediatek/vcodec/decoder/mtk_vcodec_dec_drv.c",
"drivers/media/platform/mediatek/vcodec/decoder/mtk_vcodec_dec_drv.h",
"drivers/media/platform/mediatek/vcodec/decoder/vdec_vpu_if.c",
"drivers/media/platform/mediatek/vcodec/encoder/mtk_vcodec_enc_drv.c",
"drivers/media/platform/mediatek/vcodec/encoder/mtk_vcodec_enc_drv.h",
"drivers/media/platform/mediatek/vcodec/encoder/venc_vpu_if.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2c1ea6214827041f548279c9eda341eda0cc8351",
"status": "affected",
"version": "0a2dc707aa42214f9c4827bd57e344e29a0841d6",
"versionType": "git"
},
{
"lessThan": "b92c19675f632a41af1222027a231bc2b7efa7ed",
"status": "affected",
"version": "6467cda18c9f9b5f2f9a0aa1e2861c653e41f382",
"versionType": "git"
},
{
"lessThan": "3e858938b0e659f6ec9ddcf853a87f1c5c3f44e1",
"status": "affected",
"version": "6467cda18c9f9b5f2f9a0aa1e2861c653e41f382",
"versionType": "git"
},
{
"lessThan": "a5844227e0f030d2af2d85d4aed10c5eca6ca176",
"status": "affected",
"version": "6467cda18c9f9b5f2f9a0aa1e2861c653e41f382",
"versionType": "git"
},
{
"status": "affected",
"version": "23aaf824121055ba81b55f75444355bd83c8eb38",
"versionType": "git"
},
{
"status": "affected",
"version": "41671f0c0182b2bae74ca7e3b0f155559e3e2fc5",
"versionType": "git"
},
{
"status": "affected",
"version": "51c84a8aac6e3b59af2b0e92ba63cabe2e641a2d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/mediatek/vcodec/common/mtk_vcodec_fw_vpu.c",
"drivers/media/platform/mediatek/vcodec/decoder/mtk_vcodec_dec_drv.c",
"drivers/media/platform/mediatek/vcodec/decoder/mtk_vcodec_dec_drv.h",
"drivers/media/platform/mediatek/vcodec/decoder/vdec_vpu_if.c",
"drivers/media/platform/mediatek/vcodec/encoder/mtk_vcodec_enc_drv.c",
"drivers/media/platform/mediatek/vcodec/encoder/mtk_vcodec_enc_drv.h",
"drivers/media/platform/mediatek/vcodec/encoder/venc_vpu_if.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.9"
},
{
"lessThan": "6.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.8.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.8.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mediatek: vcodec: Use spinlock for context list protection lock\n\nPreviously a mutex was added to protect the encoder and decoder context\nlists from unexpected changes originating from the SCP IP block, causing\nthe context pointer to go invalid, resulting in a NULL pointer\ndereference in the IPI handler.\n\nTurns out on the MT8173, the VPU IPI handler is called from hard IRQ\ncontext. This causes a big warning from the scheduler. This was first\nreported downstream on the ChromeOS kernels, but is also reproducible\non mainline using Fluster with the FFmpeg v4l2m2m decoders. Even though\nthe actual capture format is not supported, the affected code paths\nare triggered.\n\nSince this lock just protects the context list and operations on it are\nvery fast, it should be OK to switch to a spinlock."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:37.584Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2c1ea6214827041f548279c9eda341eda0cc8351"
},
{
"url": "https://git.kernel.org/stable/c/b92c19675f632a41af1222027a231bc2b7efa7ed"
},
{
"url": "https://git.kernel.org/stable/c/3e858938b0e659f6ec9ddcf853a87f1c5c3f44e1"
},
{
"url": "https://git.kernel.org/stable/c/a5844227e0f030d2af2d85d4aed10c5eca6ca176"
}
],
"title": "media: mediatek: vcodec: Use spinlock for context list protection lock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71140",
"datePublished": "2026-01-14T15:07:53.581Z",
"dateReserved": "2026-01-13T15:30:19.660Z",
"dateUpdated": "2026-02-09T08:35:37.584Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23090 (GCVE-0-2026-23090)
Vulnerability from cvelistv5
Published
2026-02-04 16:08
Modified
2026-02-09 08:38
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
slimbus: core: fix device reference leak on report present
Slimbus devices can be allocated dynamically upon reception of
report-present messages.
Make sure to drop the reference taken when looking up already registered
devices.
Note that this requires taking an extra reference in case the device has
not yet been registered and has to be allocated.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 46a2bb5a7f7ea2728be50f8f5b29a20267f700fe Version: 46a2bb5a7f7ea2728be50f8f5b29a20267f700fe Version: 46a2bb5a7f7ea2728be50f8f5b29a20267f700fe Version: 46a2bb5a7f7ea2728be50f8f5b29a20267f700fe Version: 46a2bb5a7f7ea2728be50f8f5b29a20267f700fe Version: 46a2bb5a7f7ea2728be50f8f5b29a20267f700fe Version: 46a2bb5a7f7ea2728be50f8f5b29a20267f700fe |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/slimbus/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b1217e40705b2f6d311c197b12866752656217ff",
"status": "affected",
"version": "46a2bb5a7f7ea2728be50f8f5b29a20267f700fe",
"versionType": "git"
},
{
"lessThan": "948615429c9f2ac9d25d4e1f1a4472926b217a9a",
"status": "affected",
"version": "46a2bb5a7f7ea2728be50f8f5b29a20267f700fe",
"versionType": "git"
},
{
"lessThan": "02b78bbfbafe49832e508079148cb87cdfa55825",
"status": "affected",
"version": "46a2bb5a7f7ea2728be50f8f5b29a20267f700fe",
"versionType": "git"
},
{
"lessThan": "2ddc09f6a0a221b1d91a7cbc8cc2cefdbd334fe6",
"status": "affected",
"version": "46a2bb5a7f7ea2728be50f8f5b29a20267f700fe",
"versionType": "git"
},
{
"lessThan": "54de72a7aabc0749938d7a2833a0c1a5d3ed7ac9",
"status": "affected",
"version": "46a2bb5a7f7ea2728be50f8f5b29a20267f700fe",
"versionType": "git"
},
{
"lessThan": "6602bb4d1338e92b5838e50322b87697bdbd2ee0",
"status": "affected",
"version": "46a2bb5a7f7ea2728be50f8f5b29a20267f700fe",
"versionType": "git"
},
{
"lessThan": "9391380eb91ea5ac792aae9273535c8da5b9aa01",
"status": "affected",
"version": "46a2bb5a7f7ea2728be50f8f5b29a20267f700fe",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/slimbus/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nslimbus: core: fix device reference leak on report present\n\nSlimbus devices can be allocated dynamically upon reception of\nreport-present messages.\n\nMake sure to drop the reference taken when looking up already registered\ndevices.\n\nNote that this requires taking an extra reference in case the device has\nnot yet been registered and has to be allocated."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:38:30.400Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b1217e40705b2f6d311c197b12866752656217ff"
},
{
"url": "https://git.kernel.org/stable/c/948615429c9f2ac9d25d4e1f1a4472926b217a9a"
},
{
"url": "https://git.kernel.org/stable/c/02b78bbfbafe49832e508079148cb87cdfa55825"
},
{
"url": "https://git.kernel.org/stable/c/2ddc09f6a0a221b1d91a7cbc8cc2cefdbd334fe6"
},
{
"url": "https://git.kernel.org/stable/c/54de72a7aabc0749938d7a2833a0c1a5d3ed7ac9"
},
{
"url": "https://git.kernel.org/stable/c/6602bb4d1338e92b5838e50322b87697bdbd2ee0"
},
{
"url": "https://git.kernel.org/stable/c/9391380eb91ea5ac792aae9273535c8da5b9aa01"
}
],
"title": "slimbus: core: fix device reference leak on report present",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23090",
"datePublished": "2026-02-04T16:08:13.438Z",
"dateReserved": "2026-01-13T15:37:45.962Z",
"dateUpdated": "2026-02-09T08:38:30.400Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68289 (GCVE-0-2025-68289)
Vulnerability from cvelistv5
Published
2025-12-16 15:06
Modified
2025-12-16 15:06
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: f_eem: Fix memory leak in eem_unwrap
The existing code did not handle the failure case of usb_ep_queue in the
command path, potentially leading to memory leaks.
Improve error handling to free all allocated resources on usb_ep_queue
failure. This patch continues to use goto logic for error handling, as the
existing error handling is complex and not easily adaptable to auto-cleanup
helpers.
kmemleak results:
unreferenced object 0xffffff895a512300 (size 240):
backtrace:
slab_post_alloc_hook+0xbc/0x3a4
kmem_cache_alloc+0x1b4/0x358
skb_clone+0x90/0xd8
eem_unwrap+0x1cc/0x36c
unreferenced object 0xffffff8a157f4000 (size 256):
backtrace:
slab_post_alloc_hook+0xbc/0x3a4
__kmem_cache_alloc_node+0x1b4/0x2dc
kmalloc_trace+0x48/0x140
dwc3_gadget_ep_alloc_request+0x58/0x11c
usb_ep_alloc_request+0x40/0xe4
eem_unwrap+0x204/0x36c
unreferenced object 0xffffff8aadbaac00 (size 128):
backtrace:
slab_post_alloc_hook+0xbc/0x3a4
__kmem_cache_alloc_node+0x1b4/0x2dc
__kmalloc+0x64/0x1a8
eem_unwrap+0x218/0x36c
unreferenced object 0xffffff89ccef3500 (size 64):
backtrace:
slab_post_alloc_hook+0xbc/0x3a4
__kmem_cache_alloc_node+0x1b4/0x2dc
kmalloc_trace+0x48/0x140
eem_unwrap+0x238/0x36c
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 3b545788505b2e2883aff13bdddeacaf88942a4f Version: 4249d6fbc10fd997abdf8a1ea49c0389a0edf706 Version: 4249d6fbc10fd997abdf8a1ea49c0389a0edf706 Version: 4249d6fbc10fd997abdf8a1ea49c0389a0edf706 Version: 4249d6fbc10fd997abdf8a1ea49c0389a0edf706 Version: 4249d6fbc10fd997abdf8a1ea49c0389a0edf706 Version: 4249d6fbc10fd997abdf8a1ea49c0389a0edf706 Version: d55a236f1bab102e353ea5abb7b7b6ff7e847294 Version: 8e275d3d5915a8f7db3786e3f84534bb48245f4c Version: 3680a6ff9a9ccd3c664663da04bef2534397d591 Version: d654be97e1b679616e3337b871a9ec8f31a88841 Version: 8bdef7f21cb6e53c0ce3e1cbcb05975aa0dd0fe9 Version: 77d7f071883cf2921a7547f82e41f15f7f860e35 Version: a55093941e38113dd6f5f5d5d2705fec3018f332 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/function/f_eem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a9985a88b2fc29fbe1657fe8518908e261d6889c",
"status": "affected",
"version": "3b545788505b2e2883aff13bdddeacaf88942a4f",
"versionType": "git"
},
{
"lessThan": "5a1628283cd9dccf1e44acfb74e77504f4dc7472",
"status": "affected",
"version": "4249d6fbc10fd997abdf8a1ea49c0389a0edf706",
"versionType": "git"
},
{
"lessThan": "0ac07e476944a5e4c2b8b087dd167dec248c1bdf",
"status": "affected",
"version": "4249d6fbc10fd997abdf8a1ea49c0389a0edf706",
"versionType": "git"
},
{
"lessThan": "41434488ca714ab15cb2a4d0378418d1be8052d2",
"status": "affected",
"version": "4249d6fbc10fd997abdf8a1ea49c0389a0edf706",
"versionType": "git"
},
{
"lessThan": "e72c963177c708a167a7e17ed6c76320815157cf",
"status": "affected",
"version": "4249d6fbc10fd997abdf8a1ea49c0389a0edf706",
"versionType": "git"
},
{
"lessThan": "0dea2e0069a7e9aa034696f8065945b7be6dd6b7",
"status": "affected",
"version": "4249d6fbc10fd997abdf8a1ea49c0389a0edf706",
"versionType": "git"
},
{
"lessThan": "e4f5ce990818d37930cd9fb0be29eee0553c59d9",
"status": "affected",
"version": "4249d6fbc10fd997abdf8a1ea49c0389a0edf706",
"versionType": "git"
},
{
"status": "affected",
"version": "d55a236f1bab102e353ea5abb7b7b6ff7e847294",
"versionType": "git"
},
{
"status": "affected",
"version": "8e275d3d5915a8f7db3786e3f84534bb48245f4c",
"versionType": "git"
},
{
"status": "affected",
"version": "3680a6ff9a9ccd3c664663da04bef2534397d591",
"versionType": "git"
},
{
"status": "affected",
"version": "d654be97e1b679616e3337b871a9ec8f31a88841",
"versionType": "git"
},
{
"status": "affected",
"version": "8bdef7f21cb6e53c0ce3e1cbcb05975aa0dd0fe9",
"versionType": "git"
},
{
"status": "affected",
"version": "77d7f071883cf2921a7547f82e41f15f7f860e35",
"versionType": "git"
},
{
"status": "affected",
"version": "a55093941e38113dd6f5f5d5d2705fec3018f332",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/function/f_eem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.10.50",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.276",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.276",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.240",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.198",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.132",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.12.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.13.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_eem: Fix memory leak in eem_unwrap\n\nThe existing code did not handle the failure case of usb_ep_queue in the\ncommand path, potentially leading to memory leaks.\n\nImprove error handling to free all allocated resources on usb_ep_queue\nfailure. This patch continues to use goto logic for error handling, as the\nexisting error handling is complex and not easily adaptable to auto-cleanup\nhelpers.\n\nkmemleak results:\n unreferenced object 0xffffff895a512300 (size 240):\n backtrace:\n slab_post_alloc_hook+0xbc/0x3a4\n kmem_cache_alloc+0x1b4/0x358\n skb_clone+0x90/0xd8\n eem_unwrap+0x1cc/0x36c\n unreferenced object 0xffffff8a157f4000 (size 256):\n backtrace:\n slab_post_alloc_hook+0xbc/0x3a4\n __kmem_cache_alloc_node+0x1b4/0x2dc\n kmalloc_trace+0x48/0x140\n dwc3_gadget_ep_alloc_request+0x58/0x11c\n usb_ep_alloc_request+0x40/0xe4\n eem_unwrap+0x204/0x36c\n unreferenced object 0xffffff8aadbaac00 (size 128):\n backtrace:\n slab_post_alloc_hook+0xbc/0x3a4\n __kmem_cache_alloc_node+0x1b4/0x2dc\n __kmalloc+0x64/0x1a8\n eem_unwrap+0x218/0x36c\n unreferenced object 0xffffff89ccef3500 (size 64):\n backtrace:\n slab_post_alloc_hook+0xbc/0x3a4\n __kmem_cache_alloc_node+0x1b4/0x2dc\n kmalloc_trace+0x48/0x140\n eem_unwrap+0x238/0x36c"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:06:10.450Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a9985a88b2fc29fbe1657fe8518908e261d6889c"
},
{
"url": "https://git.kernel.org/stable/c/5a1628283cd9dccf1e44acfb74e77504f4dc7472"
},
{
"url": "https://git.kernel.org/stable/c/0ac07e476944a5e4c2b8b087dd167dec248c1bdf"
},
{
"url": "https://git.kernel.org/stable/c/41434488ca714ab15cb2a4d0378418d1be8052d2"
},
{
"url": "https://git.kernel.org/stable/c/e72c963177c708a167a7e17ed6c76320815157cf"
},
{
"url": "https://git.kernel.org/stable/c/0dea2e0069a7e9aa034696f8065945b7be6dd6b7"
},
{
"url": "https://git.kernel.org/stable/c/e4f5ce990818d37930cd9fb0be29eee0553c59d9"
}
],
"title": "usb: gadget: f_eem: Fix memory leak in eem_unwrap",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68289",
"datePublished": "2025-12-16T15:06:10.450Z",
"dateReserved": "2025-12-16T14:48:05.292Z",
"dateUpdated": "2025-12-16T15:06:10.450Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68798 (GCVE-0-2025-68798)
Vulnerability from cvelistv5
Published
2026-01-13 15:29
Modified
2026-02-09 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
perf/x86/amd: Check event before enable to avoid GPF
On AMD machines cpuc->events[idx] can become NULL in a subtle race
condition with NMI->throttle->x86_pmu_stop().
Check event for NULL in amd_pmu_enable_all() before enable to avoid a GPF.
This appears to be an AMD only issue.
Syzkaller reported a GPF in amd_pmu_enable_all.
INFO: NMI handler (perf_event_nmi_handler) took too long to run: 13.143
msecs
Oops: general protection fault, probably for non-canonical address
0xdffffc0000000034: 0000 PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x00000000000001a0-0x00000000000001a7]
CPU: 0 UID: 0 PID: 328415 Comm: repro_36674776 Not tainted 6.12.0-rc1-syzk
RIP: 0010:x86_pmu_enable_event (arch/x86/events/perf_event.h:1195
arch/x86/events/core.c:1430)
RSP: 0018:ffff888118009d60 EFLAGS: 00010012
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000034 RSI: 0000000000000000 RDI: 00000000000001a0
RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000002
R13: ffff88811802a440 R14: ffff88811802a240 R15: ffff8881132d8601
FS: 00007f097dfaa700(0000) GS:ffff888118000000(0000) GS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000200001c0 CR3: 0000000103d56000 CR4: 00000000000006f0
Call Trace:
<IRQ>
amd_pmu_enable_all (arch/x86/events/amd/core.c:760 (discriminator 2))
x86_pmu_enable (arch/x86/events/core.c:1360)
event_sched_out (kernel/events/core.c:1191 kernel/events/core.c:1186
kernel/events/core.c:2346)
__perf_remove_from_context (kernel/events/core.c:2435)
event_function (kernel/events/core.c:259)
remote_function (kernel/events/core.c:92 (discriminator 1)
kernel/events/core.c:72 (discriminator 1))
__flush_smp_call_function_queue (./arch/x86/include/asm/jump_label.h:27
./include/linux/jump_label.h:207 ./include/trace/events/csd.h:64
kernel/smp.c:135 kernel/smp.c:540)
__sysvec_call_function_single (./arch/x86/include/asm/jump_label.h:27
./include/linux/jump_label.h:207
./arch/x86/include/asm/trace/irq_vectors.h:99 arch/x86/kernel/smp.c:272)
sysvec_call_function_single (arch/x86/kernel/smp.c:266 (discriminator 47)
arch/x86/kernel/smp.c:266 (discriminator 47))
</IRQ>
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/events/amd/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "49324a0c40f7e9bae1bd0362d23fc42232e14621",
"status": "affected",
"version": "ada543459cab7f653dcacdaba4011a8bb19c627c",
"versionType": "git"
},
{
"lessThan": "6e41d9ec8d7cc3f01b9ba785e05f0ebef8b3b37f",
"status": "affected",
"version": "ada543459cab7f653dcacdaba4011a8bb19c627c",
"versionType": "git"
},
{
"lessThan": "e1028fb38b328084bc683a4efb001c95d3108573",
"status": "affected",
"version": "ada543459cab7f653dcacdaba4011a8bb19c627c",
"versionType": "git"
},
{
"lessThan": "43c2e5c2acaae50e99d1c20a5a46e367c442fb3b",
"status": "affected",
"version": "ada543459cab7f653dcacdaba4011a8bb19c627c",
"versionType": "git"
},
{
"lessThan": "866cf36bfee4fba6a492d2dcc5133f857e3446b0",
"status": "affected",
"version": "ada543459cab7f653dcacdaba4011a8bb19c627c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/events/amd/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/x86/amd: Check event before enable to avoid GPF\n\nOn AMD machines cpuc-\u003eevents[idx] can become NULL in a subtle race\ncondition with NMI-\u003ethrottle-\u003ex86_pmu_stop().\n\nCheck event for NULL in amd_pmu_enable_all() before enable to avoid a GPF.\nThis appears to be an AMD only issue.\n\nSyzkaller reported a GPF in amd_pmu_enable_all.\n\nINFO: NMI handler (perf_event_nmi_handler) took too long to run: 13.143\n msecs\nOops: general protection fault, probably for non-canonical address\n 0xdffffc0000000034: 0000 PREEMPT SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x00000000000001a0-0x00000000000001a7]\nCPU: 0 UID: 0 PID: 328415 Comm: repro_36674776 Not tainted 6.12.0-rc1-syzk\nRIP: 0010:x86_pmu_enable_event (arch/x86/events/perf_event.h:1195\n arch/x86/events/core.c:1430)\nRSP: 0018:ffff888118009d60 EFLAGS: 00010012\nRAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000\nRDX: 0000000000000034 RSI: 0000000000000000 RDI: 00000000000001a0\nRBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000002\nR13: ffff88811802a440 R14: ffff88811802a240 R15: ffff8881132d8601\nFS: 00007f097dfaa700(0000) GS:ffff888118000000(0000) GS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00000000200001c0 CR3: 0000000103d56000 CR4: 00000000000006f0\nCall Trace:\n \u003cIRQ\u003e\namd_pmu_enable_all (arch/x86/events/amd/core.c:760 (discriminator 2))\nx86_pmu_enable (arch/x86/events/core.c:1360)\nevent_sched_out (kernel/events/core.c:1191 kernel/events/core.c:1186\n kernel/events/core.c:2346)\n__perf_remove_from_context (kernel/events/core.c:2435)\nevent_function (kernel/events/core.c:259)\nremote_function (kernel/events/core.c:92 (discriminator 1)\n kernel/events/core.c:72 (discriminator 1))\n__flush_smp_call_function_queue (./arch/x86/include/asm/jump_label.h:27\n ./include/linux/jump_label.h:207 ./include/trace/events/csd.h:64\n kernel/smp.c:135 kernel/smp.c:540)\n__sysvec_call_function_single (./arch/x86/include/asm/jump_label.h:27\n ./include/linux/jump_label.h:207\n ./arch/x86/include/asm/trace/irq_vectors.h:99 arch/x86/kernel/smp.c:272)\nsysvec_call_function_single (arch/x86/kernel/smp.c:266 (discriminator 47)\n arch/x86/kernel/smp.c:266 (discriminator 47))\n \u003c/IRQ\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:46.315Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/49324a0c40f7e9bae1bd0362d23fc42232e14621"
},
{
"url": "https://git.kernel.org/stable/c/6e41d9ec8d7cc3f01b9ba785e05f0ebef8b3b37f"
},
{
"url": "https://git.kernel.org/stable/c/e1028fb38b328084bc683a4efb001c95d3108573"
},
{
"url": "https://git.kernel.org/stable/c/43c2e5c2acaae50e99d1c20a5a46e367c442fb3b"
},
{
"url": "https://git.kernel.org/stable/c/866cf36bfee4fba6a492d2dcc5133f857e3446b0"
}
],
"title": "perf/x86/amd: Check event before enable to avoid GPF",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68798",
"datePublished": "2026-01-13T15:29:08.329Z",
"dateReserved": "2025-12-24T10:30:51.042Z",
"dateUpdated": "2026-02-09T08:33:46.315Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39988 (GCVE-0-2025-39988)
Vulnerability from cvelistv5
Published
2025-10-15 07:56
Modified
2025-10-15 07:56
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: etas_es58x: populate ndo_change_mtu() to prevent buffer overflow
Sending an PF_PACKET allows to bypass the CAN framework logic and to
directly reach the xmit() function of a CAN driver. The only check
which is performed by the PF_PACKET framework is to make sure that
skb->len fits the interface's MTU.
Unfortunately, because the etas_es58x driver does not populate its
net_device_ops->ndo_change_mtu(), it is possible for an attacker to
configure an invalid MTU by doing, for example:
$ ip link set can0 mtu 9999
After doing so, the attacker could open a PF_PACKET socket using the
ETH_P_CANXL protocol:
socket(PF_PACKET, SOCK_RAW, htons(ETH_P_CANXL));
to inject a malicious CAN XL frames. For example:
struct canxl_frame frame = {
.flags = 0xff,
.len = 2048,
};
The CAN drivers' xmit() function are calling can_dev_dropped_skb() to
check that the skb is valid, unfortunately under above conditions, the
malicious packet is able to go through can_dev_dropped_skb() checks:
1. the skb->protocol is set to ETH_P_CANXL which is valid (the
function does not check the actual device capabilities).
2. the length is a valid CAN XL length.
And so, es58x_start_xmit() receives a CAN XL frame which it is not
able to correctly handle and will thus misinterpret it as a CAN(FD)
frame.
This can result in a buffer overflow. For example, using the es581.4
variant, the frame will be dispatched to es581_4_tx_can_msg(), go
through the last check at the beginning of this function:
if (can_is_canfd_skb(skb))
return -EMSGSIZE;
and reach this line:
memcpy(tx_can_msg->data, cf->data, cf->len);
Here, cf->len corresponds to the flags field of the CAN XL frame. In
our previous example, we set canxl_frame->flags to 0xff. Because the
maximum expected length is 8, a buffer overflow of 247 bytes occurs!
Populate net_device_ops->ndo_change_mtu() to ensure that the
interface's MTU can not be set to anything bigger than CAN_MTU or
CANFD_MTU (depending on the device capabilities). By fixing the root
cause, this prevents the buffer overflow.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 8537257874e949a59c834cecfd5a063e11b64b0b Version: 8537257874e949a59c834cecfd5a063e11b64b0b Version: 8537257874e949a59c834cecfd5a063e11b64b0b Version: 8537257874e949a59c834cecfd5a063e11b64b0b Version: 8537257874e949a59c834cecfd5a063e11b64b0b Version: 8537257874e949a59c834cecfd5a063e11b64b0b |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/etas_es58x/es58x_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "72de0facc50afdb101fb7197d880407f1abfc77f",
"status": "affected",
"version": "8537257874e949a59c834cecfd5a063e11b64b0b",
"versionType": "git"
},
{
"lessThan": "c4e582e686c4d683c87f2b4a316385b3d81d370f",
"status": "affected",
"version": "8537257874e949a59c834cecfd5a063e11b64b0b",
"versionType": "git"
},
{
"lessThan": "cbc1de71766f326a44bb798aeae4a7ef4a081cc9",
"status": "affected",
"version": "8537257874e949a59c834cecfd5a063e11b64b0b",
"versionType": "git"
},
{
"lessThan": "b26cccd87dcddc47b450a40f3b1ac3fe346efcff",
"status": "affected",
"version": "8537257874e949a59c834cecfd5a063e11b64b0b",
"versionType": "git"
},
{
"lessThan": "e587af2c89ecc6382c518febea52fa9ba81e47c0",
"status": "affected",
"version": "8537257874e949a59c834cecfd5a063e11b64b0b",
"versionType": "git"
},
{
"lessThan": "38c0abad45b190a30d8284a37264d2127a6ec303",
"status": "affected",
"version": "8537257874e949a59c834cecfd5a063e11b64b0b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/etas_es58x/es58x_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.155",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.50",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.155",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.109",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: etas_es58x: populate ndo_change_mtu() to prevent buffer overflow\n\nSending an PF_PACKET allows to bypass the CAN framework logic and to\ndirectly reach the xmit() function of a CAN driver. The only check\nwhich is performed by the PF_PACKET framework is to make sure that\nskb-\u003elen fits the interface\u0027s MTU.\n\nUnfortunately, because the etas_es58x driver does not populate its\nnet_device_ops-\u003endo_change_mtu(), it is possible for an attacker to\nconfigure an invalid MTU by doing, for example:\n\n $ ip link set can0 mtu 9999\n\nAfter doing so, the attacker could open a PF_PACKET socket using the\nETH_P_CANXL protocol:\n\n\tsocket(PF_PACKET, SOCK_RAW, htons(ETH_P_CANXL));\n\nto inject a malicious CAN XL frames. For example:\n\n\tstruct canxl_frame frame = {\n\t\t.flags = 0xff,\n\t\t.len = 2048,\n\t};\n\nThe CAN drivers\u0027 xmit() function are calling can_dev_dropped_skb() to\ncheck that the skb is valid, unfortunately under above conditions, the\nmalicious packet is able to go through can_dev_dropped_skb() checks:\n\n 1. the skb-\u003eprotocol is set to ETH_P_CANXL which is valid (the\n function does not check the actual device capabilities).\n\n 2. the length is a valid CAN XL length.\n\nAnd so, es58x_start_xmit() receives a CAN XL frame which it is not\nable to correctly handle and will thus misinterpret it as a CAN(FD)\nframe.\n\nThis can result in a buffer overflow. For example, using the es581.4\nvariant, the frame will be dispatched to es581_4_tx_can_msg(), go\nthrough the last check at the beginning of this function:\n\n\tif (can_is_canfd_skb(skb))\n\t\treturn -EMSGSIZE;\n\nand reach this line:\n\n\tmemcpy(tx_can_msg-\u003edata, cf-\u003edata, cf-\u003elen);\n\nHere, cf-\u003elen corresponds to the flags field of the CAN XL frame. In\nour previous example, we set canxl_frame-\u003eflags to 0xff. Because the\nmaximum expected length is 8, a buffer overflow of 247 bytes occurs!\n\nPopulate net_device_ops-\u003endo_change_mtu() to ensure that the\ninterface\u0027s MTU can not be set to anything bigger than CAN_MTU or\nCANFD_MTU (depending on the device capabilities). By fixing the root\ncause, this prevents the buffer overflow."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T07:56:06.601Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/72de0facc50afdb101fb7197d880407f1abfc77f"
},
{
"url": "https://git.kernel.org/stable/c/c4e582e686c4d683c87f2b4a316385b3d81d370f"
},
{
"url": "https://git.kernel.org/stable/c/cbc1de71766f326a44bb798aeae4a7ef4a081cc9"
},
{
"url": "https://git.kernel.org/stable/c/b26cccd87dcddc47b450a40f3b1ac3fe346efcff"
},
{
"url": "https://git.kernel.org/stable/c/e587af2c89ecc6382c518febea52fa9ba81e47c0"
},
{
"url": "https://git.kernel.org/stable/c/38c0abad45b190a30d8284a37264d2127a6ec303"
}
],
"title": "can: etas_es58x: populate ndo_change_mtu() to prevent buffer overflow",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39988",
"datePublished": "2025-10-15T07:56:06.601Z",
"dateReserved": "2025-04-16T07:20:57.150Z",
"dateUpdated": "2025-10-15T07:56:06.601Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-37354 (GCVE-0-2024-37354)
Vulnerability from cvelistv5
Published
2024-06-25 14:22
Modified
2026-01-05 10:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix crash on racing fsync and size-extending write into prealloc
We have been seeing crashes on duplicate keys in
btrfs_set_item_key_safe():
BTRFS critical (device vdb): slot 4 key (450 108 8192) new key (450 108 8192)
------------[ cut here ]------------
kernel BUG at fs/btrfs/ctree.c:2620!
invalid opcode: 0000 [#1] PREEMPT SMP PTI
CPU: 0 PID: 3139 Comm: xfs_io Kdump: loaded Not tainted 6.9.0 #6
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
RIP: 0010:btrfs_set_item_key_safe+0x11f/0x290 [btrfs]
With the following stack trace:
#0 btrfs_set_item_key_safe (fs/btrfs/ctree.c:2620:4)
#1 btrfs_drop_extents (fs/btrfs/file.c:411:4)
#2 log_one_extent (fs/btrfs/tree-log.c:4732:9)
#3 btrfs_log_changed_extents (fs/btrfs/tree-log.c:4955:9)
#4 btrfs_log_inode (fs/btrfs/tree-log.c:6626:9)
#5 btrfs_log_inode_parent (fs/btrfs/tree-log.c:7070:8)
#6 btrfs_log_dentry_safe (fs/btrfs/tree-log.c:7171:8)
#7 btrfs_sync_file (fs/btrfs/file.c:1933:8)
#8 vfs_fsync_range (fs/sync.c:188:9)
#9 vfs_fsync (fs/sync.c:202:9)
#10 do_fsync (fs/sync.c:212:9)
#11 __do_sys_fdatasync (fs/sync.c:225:9)
#12 __se_sys_fdatasync (fs/sync.c:223:1)
#13 __x64_sys_fdatasync (fs/sync.c:223:1)
#14 do_syscall_x64 (arch/x86/entry/common.c:52:14)
#15 do_syscall_64 (arch/x86/entry/common.c:83:7)
#16 entry_SYSCALL_64+0xaf/0x14c (arch/x86/entry/entry_64.S:121)
So we're logging a changed extent from fsync, which is splitting an
extent in the log tree. But this split part already exists in the tree,
triggering the BUG().
This is the state of the log tree at the time of the crash, dumped with
drgn (https://github.com/osandov/drgn/blob/main/contrib/btrfs_tree.py)
to get more details than btrfs_print_leaf() gives us:
>>> print_extent_buffer(prog.crashed_thread().stack_trace()[0]["eb"])
leaf 33439744 level 0 items 72 generation 9 owner 18446744073709551610
leaf 33439744 flags 0x100000000000000
fs uuid e5bd3946-400c-4223-8923-190ef1f18677
chunk uuid d58cb17e-6d02-494a-829a-18b7d8a399da
item 0 key (450 INODE_ITEM 0) itemoff 16123 itemsize 160
generation 7 transid 9 size 8192 nbytes 8473563889606862198
block group 0 mode 100600 links 1 uid 0 gid 0 rdev 0
sequence 204 flags 0x10(PREALLOC)
atime 1716417703.220000000 (2024-05-22 15:41:43)
ctime 1716417704.983333333 (2024-05-22 15:41:44)
mtime 1716417704.983333333 (2024-05-22 15:41:44)
otime 17592186044416.000000000 (559444-03-08 01:40:16)
item 1 key (450 INODE_REF 256) itemoff 16110 itemsize 13
index 195 namelen 3 name: 193
item 2 key (450 XATTR_ITEM 1640047104) itemoff 16073 itemsize 37
location key (0 UNKNOWN.0 0) type XATTR
transid 7 data_len 1 name_len 6
name: user.a
data a
item 3 key (450 EXTENT_DATA 0) itemoff 16020 itemsize 53
generation 9 type 1 (regular)
extent data disk byte 303144960 nr 12288
extent data offset 0 nr 4096 ram 12288
extent compression 0 (none)
item 4 key (450 EXTENT_DATA 4096) itemoff 15967 itemsize 53
generation 9 type 2 (prealloc)
prealloc data disk byte 303144960 nr 12288
prealloc data offset 4096 nr 8192
item 5 key (450 EXTENT_DATA 8192) itemoff 15914 itemsize 53
generation 9 type 2 (prealloc)
prealloc data disk byte 303144960 nr 12288
prealloc data offset 8192 nr 4096
...
So the real problem happened earlier: notice that items 4 (4k-12k) and 5
(8k-12k) overlap. Both are prealloc extents. Item 4 straddles i_size and
item 5 starts at i_size.
Here is the state of
---truncated---
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 31d11b83b96faaee4bb514d375a09489117c3e8d Version: 31d11b83b96faaee4bb514d375a09489117c3e8d Version: 31d11b83b96faaee4bb514d375a09489117c3e8d Version: 31d11b83b96faaee4bb514d375a09489117c3e8d Version: 31d11b83b96faaee4bb514d375a09489117c3e8d Version: 61a9f6b7fe0ca9706b49a23cecf5f9a9c802b6ce |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-37354",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-25T15:43:24.537360Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-25T15:43:32.621Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:50:56.095Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/1ff2bd566fbcefcb892be85c493bdb92b911c428"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/3d08c52ba1887a1ff9c179d4b6a18b427bcb2097"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/f4e5ed974876c14d3623e04dc43d3e3281bc6011"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/9d274c19a71b3a276949933859610721a453946b"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/tree-log.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c993fd02ba471e296ca1996f13626fc917120158",
"status": "affected",
"version": "31d11b83b96faaee4bb514d375a09489117c3e8d",
"versionType": "git"
},
{
"lessThan": "1ff2bd566fbcefcb892be85c493bdb92b911c428",
"status": "affected",
"version": "31d11b83b96faaee4bb514d375a09489117c3e8d",
"versionType": "git"
},
{
"lessThan": "3d08c52ba1887a1ff9c179d4b6a18b427bcb2097",
"status": "affected",
"version": "31d11b83b96faaee4bb514d375a09489117c3e8d",
"versionType": "git"
},
{
"lessThan": "f4e5ed974876c14d3623e04dc43d3e3281bc6011",
"status": "affected",
"version": "31d11b83b96faaee4bb514d375a09489117c3e8d",
"versionType": "git"
},
{
"lessThan": "9d274c19a71b3a276949933859610721a453946b",
"status": "affected",
"version": "31d11b83b96faaee4bb514d375a09489117c3e8d",
"versionType": "git"
},
{
"status": "affected",
"version": "61a9f6b7fe0ca9706b49a23cecf5f9a9c802b6ce",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/tree-log.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.9.*",
"status": "unaffected",
"version": "6.9.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.10",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.94",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.34",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9.5",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.57",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix crash on racing fsync and size-extending write into prealloc\n\nWe have been seeing crashes on duplicate keys in\nbtrfs_set_item_key_safe():\n\n BTRFS critical (device vdb): slot 4 key (450 108 8192) new key (450 108 8192)\n ------------[ cut here ]------------\n kernel BUG at fs/btrfs/ctree.c:2620!\n invalid opcode: 0000 [#1] PREEMPT SMP PTI\n CPU: 0 PID: 3139 Comm: xfs_io Kdump: loaded Not tainted 6.9.0 #6\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014\n RIP: 0010:btrfs_set_item_key_safe+0x11f/0x290 [btrfs]\n\nWith the following stack trace:\n\n #0 btrfs_set_item_key_safe (fs/btrfs/ctree.c:2620:4)\n #1 btrfs_drop_extents (fs/btrfs/file.c:411:4)\n #2 log_one_extent (fs/btrfs/tree-log.c:4732:9)\n #3 btrfs_log_changed_extents (fs/btrfs/tree-log.c:4955:9)\n #4 btrfs_log_inode (fs/btrfs/tree-log.c:6626:9)\n #5 btrfs_log_inode_parent (fs/btrfs/tree-log.c:7070:8)\n #6 btrfs_log_dentry_safe (fs/btrfs/tree-log.c:7171:8)\n #7 btrfs_sync_file (fs/btrfs/file.c:1933:8)\n #8 vfs_fsync_range (fs/sync.c:188:9)\n #9 vfs_fsync (fs/sync.c:202:9)\n #10 do_fsync (fs/sync.c:212:9)\n #11 __do_sys_fdatasync (fs/sync.c:225:9)\n #12 __se_sys_fdatasync (fs/sync.c:223:1)\n #13 __x64_sys_fdatasync (fs/sync.c:223:1)\n #14 do_syscall_x64 (arch/x86/entry/common.c:52:14)\n #15 do_syscall_64 (arch/x86/entry/common.c:83:7)\n #16 entry_SYSCALL_64+0xaf/0x14c (arch/x86/entry/entry_64.S:121)\n\nSo we\u0027re logging a changed extent from fsync, which is splitting an\nextent in the log tree. But this split part already exists in the tree,\ntriggering the BUG().\n\nThis is the state of the log tree at the time of the crash, dumped with\ndrgn (https://github.com/osandov/drgn/blob/main/contrib/btrfs_tree.py)\nto get more details than btrfs_print_leaf() gives us:\n\n \u003e\u003e\u003e print_extent_buffer(prog.crashed_thread().stack_trace()[0][\"eb\"])\n leaf 33439744 level 0 items 72 generation 9 owner 18446744073709551610\n leaf 33439744 flags 0x100000000000000\n fs uuid e5bd3946-400c-4223-8923-190ef1f18677\n chunk uuid d58cb17e-6d02-494a-829a-18b7d8a399da\n item 0 key (450 INODE_ITEM 0) itemoff 16123 itemsize 160\n generation 7 transid 9 size 8192 nbytes 8473563889606862198\n block group 0 mode 100600 links 1 uid 0 gid 0 rdev 0\n sequence 204 flags 0x10(PREALLOC)\n atime 1716417703.220000000 (2024-05-22 15:41:43)\n ctime 1716417704.983333333 (2024-05-22 15:41:44)\n mtime 1716417704.983333333 (2024-05-22 15:41:44)\n otime 17592186044416.000000000 (559444-03-08 01:40:16)\n item 1 key (450 INODE_REF 256) itemoff 16110 itemsize 13\n index 195 namelen 3 name: 193\n item 2 key (450 XATTR_ITEM 1640047104) itemoff 16073 itemsize 37\n location key (0 UNKNOWN.0 0) type XATTR\n transid 7 data_len 1 name_len 6\n name: user.a\n data a\n item 3 key (450 EXTENT_DATA 0) itemoff 16020 itemsize 53\n generation 9 type 1 (regular)\n extent data disk byte 303144960 nr 12288\n extent data offset 0 nr 4096 ram 12288\n extent compression 0 (none)\n item 4 key (450 EXTENT_DATA 4096) itemoff 15967 itemsize 53\n generation 9 type 2 (prealloc)\n prealloc data disk byte 303144960 nr 12288\n prealloc data offset 4096 nr 8192\n item 5 key (450 EXTENT_DATA 8192) itemoff 15914 itemsize 53\n generation 9 type 2 (prealloc)\n prealloc data disk byte 303144960 nr 12288\n prealloc data offset 8192 nr 4096\n ...\n\nSo the real problem happened earlier: notice that items 4 (4k-12k) and 5\n(8k-12k) overlap. Both are prealloc extents. Item 4 straddles i_size and\nitem 5 starts at i_size.\n\nHere is the state of \n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:36:37.760Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c993fd02ba471e296ca1996f13626fc917120158"
},
{
"url": "https://git.kernel.org/stable/c/1ff2bd566fbcefcb892be85c493bdb92b911c428"
},
{
"url": "https://git.kernel.org/stable/c/3d08c52ba1887a1ff9c179d4b6a18b427bcb2097"
},
{
"url": "https://git.kernel.org/stable/c/f4e5ed974876c14d3623e04dc43d3e3281bc6011"
},
{
"url": "https://git.kernel.org/stable/c/9d274c19a71b3a276949933859610721a453946b"
}
],
"title": "btrfs: fix crash on racing fsync and size-extending write into prealloc",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-37354",
"datePublished": "2024-06-25T14:22:36.228Z",
"dateReserved": "2024-06-24T13:53:25.569Z",
"dateUpdated": "2026-01-05T10:36:37.760Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68786 (GCVE-0-2025-68786)
Vulnerability from cvelistv5
Published
2026-01-13 15:28
Modified
2026-02-09 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: skip lock-range check on equal size to avoid size==0 underflow
When size equals the current i_size (including 0), the code used to call
check_lock_range(filp, i_size, size - 1, WRITE), which computes `size - 1`
and can underflow for size==0. Skip the equal case.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/vfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "52fcbb92e0d3acfd1448b2a43b6595d540da5295",
"status": "affected",
"version": "f44158485826c076335d6860d35872271a83791d",
"versionType": "git"
},
{
"lessThan": "da29cd197246c85c0473259f1cad897d9d28faea",
"status": "affected",
"version": "f44158485826c076335d6860d35872271a83791d",
"versionType": "git"
},
{
"lessThan": "a6f4cfa3783804336491e0edcb250c25f9b59d33",
"status": "affected",
"version": "f44158485826c076335d6860d35872271a83791d",
"versionType": "git"
},
{
"lessThan": "571204e4758a528fbd67330bd4b0dfbdafb33dd8",
"status": "affected",
"version": "f44158485826c076335d6860d35872271a83791d",
"versionType": "git"
},
{
"lessThan": "5d510ac31626ed157d2182149559430350cf2104",
"status": "affected",
"version": "f44158485826c076335d6860d35872271a83791d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/vfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: skip lock-range check on equal size to avoid size==0 underflow\n\nWhen size equals the current i_size (including 0), the code used to call\ncheck_lock_range(filp, i_size, size - 1, WRITE), which computes `size - 1`\nand can underflow for size==0. Skip the equal case."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:32.832Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/52fcbb92e0d3acfd1448b2a43b6595d540da5295"
},
{
"url": "https://git.kernel.org/stable/c/da29cd197246c85c0473259f1cad897d9d28faea"
},
{
"url": "https://git.kernel.org/stable/c/a6f4cfa3783804336491e0edcb250c25f9b59d33"
},
{
"url": "https://git.kernel.org/stable/c/571204e4758a528fbd67330bd4b0dfbdafb33dd8"
},
{
"url": "https://git.kernel.org/stable/c/5d510ac31626ed157d2182149559430350cf2104"
}
],
"title": "ksmbd: skip lock-range check on equal size to avoid size==0 underflow",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68786",
"datePublished": "2026-01-13T15:28:59.578Z",
"dateReserved": "2025-12-24T10:30:51.036Z",
"dateUpdated": "2026-02-09T08:33:32.832Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40179 (GCVE-0-2025-40179)
Vulnerability from cvelistv5
Published
2025-11-12 21:56
Modified
2025-12-01 06:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: verify orphan file size is not too big
In principle orphan file can be arbitrarily large. However orphan replay
needs to traverse it all and we also pin all its buffers in memory. Thus
filesystems with absurdly large orphan files can lead to big amounts of
memory consumed. Limit orphan file size to a sane value and also use
kvmalloc() for allocating array of block descriptor structures to avoid
large order allocations for sane but large orphan files.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 02f310fcf47fa9311d6ba2946a8d19e7d7d11f37 Version: 02f310fcf47fa9311d6ba2946a8d19e7d7d11f37 Version: 02f310fcf47fa9311d6ba2946a8d19e7d7d11f37 Version: 02f310fcf47fa9311d6ba2946a8d19e7d7d11f37 Version: 02f310fcf47fa9311d6ba2946a8d19e7d7d11f37 Version: 02f310fcf47fa9311d6ba2946a8d19e7d7d11f37 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/orphan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "95a21611b14ae0a401720645245a8db16f040995",
"status": "affected",
"version": "02f310fcf47fa9311d6ba2946a8d19e7d7d11f37",
"versionType": "git"
},
{
"lessThan": "566a1d6084563bd07433025aa23bcea4427de107",
"status": "affected",
"version": "02f310fcf47fa9311d6ba2946a8d19e7d7d11f37",
"versionType": "git"
},
{
"lessThan": "304fc34ff6fc8261138fd81f119e024ac3a129e9",
"status": "affected",
"version": "02f310fcf47fa9311d6ba2946a8d19e7d7d11f37",
"versionType": "git"
},
{
"lessThan": "a2d803fab8a6c6a874277cb80156dc114db91921",
"status": "affected",
"version": "02f310fcf47fa9311d6ba2946a8d19e7d7d11f37",
"versionType": "git"
},
{
"lessThan": "2b9da798ff0f4d026c5f0f815047393ebe7d8859",
"status": "affected",
"version": "02f310fcf47fa9311d6ba2946a8d19e7d7d11f37",
"versionType": "git"
},
{
"lessThan": "0a6ce20c156442a4ce2a404747bb0fb05d54eeb3",
"status": "affected",
"version": "02f310fcf47fa9311d6ba2946a8d19e7d7d11f37",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/orphan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: verify orphan file size is not too big\n\nIn principle orphan file can be arbitrarily large. However orphan replay\nneeds to traverse it all and we also pin all its buffers in memory. Thus\nfilesystems with absurdly large orphan files can lead to big amounts of\nmemory consumed. Limit orphan file size to a sane value and also use\nkvmalloc() for allocating array of block descriptor structures to avoid\nlarge order allocations for sane but large orphan files."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:19:35.872Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/95a21611b14ae0a401720645245a8db16f040995"
},
{
"url": "https://git.kernel.org/stable/c/566a1d6084563bd07433025aa23bcea4427de107"
},
{
"url": "https://git.kernel.org/stable/c/304fc34ff6fc8261138fd81f119e024ac3a129e9"
},
{
"url": "https://git.kernel.org/stable/c/a2d803fab8a6c6a874277cb80156dc114db91921"
},
{
"url": "https://git.kernel.org/stable/c/2b9da798ff0f4d026c5f0f815047393ebe7d8859"
},
{
"url": "https://git.kernel.org/stable/c/0a6ce20c156442a4ce2a404747bb0fb05d54eeb3"
}
],
"title": "ext4: verify orphan file size is not too big",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40179",
"datePublished": "2025-11-12T21:56:24.882Z",
"dateReserved": "2025-04-16T07:20:57.177Z",
"dateUpdated": "2025-12-01T06:19:35.872Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68806 (GCVE-0-2025-68806)
Vulnerability from cvelistv5
Published
2026-01-13 15:29
Modified
2026-02-09 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix buffer validation by including null terminator size in EA length
The smb2_set_ea function, which handles Extended Attributes (EA),
was performing buffer validation checks that incorrectly omitted the size
of the null terminating character (+1 byte) for EA Name.
This patch fixes the issue by explicitly adding '+ 1' to EaNameLength where
the null terminator is expected to be present in the buffer, ensuring
the validation accurately reflects the total required buffer size.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: d070c4dd2a5bed4e9832eec5b6c029c7d14892ea Version: 0ba5439d9afa2722e7728df56f272c89987540a4 Version: 0ba5439d9afa2722e7728df56f272c89987540a4 Version: 0ba5439d9afa2722e7728df56f272c89987540a4 Version: 0ba5439d9afa2722e7728df56f272c89987540a4 Version: bb5bf157b5be1643cccc7cbbe57fcdef9ae52c2c Version: 1a13ecb96230e8b7b91967e292836f7b01ec8111 Version: 404e7c01e16288b5e0171d1d8fd3328e806d0794 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cae52c592a07e1d3fa3338a5f064a374a5f26750",
"status": "affected",
"version": "d070c4dd2a5bed4e9832eec5b6c029c7d14892ea",
"versionType": "git"
},
{
"lessThan": "a28a375a5439eb474e9f284509a407efb479c925",
"status": "affected",
"version": "0ba5439d9afa2722e7728df56f272c89987540a4",
"versionType": "git"
},
{
"lessThan": "d26af6d14da43ab92d07bc60437c62901dc522e6",
"status": "affected",
"version": "0ba5439d9afa2722e7728df56f272c89987540a4",
"versionType": "git"
},
{
"lessThan": "6dc8cf6e7998ef7aeb9383a4c2904ea5d22fa2e4",
"status": "affected",
"version": "0ba5439d9afa2722e7728df56f272c89987540a4",
"versionType": "git"
},
{
"lessThan": "95d7a890e4b03e198836d49d699408fd1867cb55",
"status": "affected",
"version": "0ba5439d9afa2722e7728df56f272c89987540a4",
"versionType": "git"
},
{
"status": "affected",
"version": "bb5bf157b5be1643cccc7cbbe57fcdef9ae52c2c",
"versionType": "git"
},
{
"status": "affected",
"version": "1a13ecb96230e8b7b91967e292836f7b01ec8111",
"versionType": "git"
},
{
"status": "affected",
"version": "404e7c01e16288b5e0171d1d8fd3328e806d0794",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.6"
},
{
"lessThan": "6.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "6.1.52",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.131",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix buffer validation by including null terminator size in EA length\n\nThe smb2_set_ea function, which handles Extended Attributes (EA),\nwas performing buffer validation checks that incorrectly omitted the size\nof the null terminating character (+1 byte) for EA Name.\nThis patch fixes the issue by explicitly adding \u0027+ 1\u0027 to EaNameLength where\nthe null terminator is expected to be present in the buffer, ensuring\nthe validation accurately reflects the total required buffer size."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:55.158Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cae52c592a07e1d3fa3338a5f064a374a5f26750"
},
{
"url": "https://git.kernel.org/stable/c/a28a375a5439eb474e9f284509a407efb479c925"
},
{
"url": "https://git.kernel.org/stable/c/d26af6d14da43ab92d07bc60437c62901dc522e6"
},
{
"url": "https://git.kernel.org/stable/c/6dc8cf6e7998ef7aeb9383a4c2904ea5d22fa2e4"
},
{
"url": "https://git.kernel.org/stable/c/95d7a890e4b03e198836d49d699408fd1867cb55"
}
],
"title": "ksmbd: fix buffer validation by including null terminator size in EA length",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68806",
"datePublished": "2026-01-13T15:29:13.797Z",
"dateReserved": "2025-12-24T10:30:51.045Z",
"dateUpdated": "2026-02-09T08:33:55.158Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71071 (GCVE-0-2025-71071)
Vulnerability from cvelistv5
Published
2026-01-13 15:31
Modified
2026-02-09 08:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
iommu/mediatek: fix use-after-free on probe deferral
The driver is dropping the references taken to the larb devices during
probe after successful lookup as well as on errors. This can
potentially lead to a use-after-free in case a larb device has not yet
been bound to its driver so that the iommu driver probe defers.
Fix this by keeping the references as expected while the iommu driver is
bound.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 8412e5dd24ffc8bc21a00bfaa0b80d4596cdc9da Version: 26593928564cf5b576ff05d3cbd958f57c9534bb Version: 26593928564cf5b576ff05d3cbd958f57c9534bb Version: 26593928564cf5b576ff05d3cbd958f57c9534bb Version: 26593928564cf5b576ff05d3cbd958f57c9534bb Version: 51080de72e26771f0ed9d44982974279ccbc92b8 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iommu/mtk_iommu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "896ec55da3b90bdb9fc04fedc17ad8c359b2eee5",
"status": "affected",
"version": "8412e5dd24ffc8bc21a00bfaa0b80d4596cdc9da",
"versionType": "git"
},
{
"lessThan": "5c04217d06a1161aaf36267e9d971ab6f847d5a7",
"status": "affected",
"version": "26593928564cf5b576ff05d3cbd958f57c9534bb",
"versionType": "git"
},
{
"lessThan": "1ef70a0b104ae8011811f60bcfaa55ff49385171",
"status": "affected",
"version": "26593928564cf5b576ff05d3cbd958f57c9534bb",
"versionType": "git"
},
{
"lessThan": "f6c08d3aa441bbc1956e9d65f1cbb89113a5aa8a",
"status": "affected",
"version": "26593928564cf5b576ff05d3cbd958f57c9534bb",
"versionType": "git"
},
{
"lessThan": "de83d4617f9fe059623e97acf7e1e10d209625b5",
"status": "affected",
"version": "26593928564cf5b576ff05d3cbd958f57c9534bb",
"versionType": "git"
},
{
"status": "affected",
"version": "51080de72e26771f0ed9d44982974279ccbc92b8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iommu/mtk_iommu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "6.1.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.0.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/mediatek: fix use-after-free on probe deferral\n\nThe driver is dropping the references taken to the larb devices during\nprobe after successful lookup as well as on errors. This can\npotentially lead to a use-after-free in case a larb device has not yet\nbeen bound to its driver so that the iommu driver probe defers.\n\nFix this by keeping the references as expected while the iommu driver is\nbound."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:21.856Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/896ec55da3b90bdb9fc04fedc17ad8c359b2eee5"
},
{
"url": "https://git.kernel.org/stable/c/5c04217d06a1161aaf36267e9d971ab6f847d5a7"
},
{
"url": "https://git.kernel.org/stable/c/1ef70a0b104ae8011811f60bcfaa55ff49385171"
},
{
"url": "https://git.kernel.org/stable/c/f6c08d3aa441bbc1956e9d65f1cbb89113a5aa8a"
},
{
"url": "https://git.kernel.org/stable/c/de83d4617f9fe059623e97acf7e1e10d209625b5"
}
],
"title": "iommu/mediatek: fix use-after-free on probe deferral",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71071",
"datePublished": "2026-01-13T15:31:25.400Z",
"dateReserved": "2026-01-13T15:30:19.647Z",
"dateUpdated": "2026-02-09T08:34:21.856Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68347 (GCVE-0-2025-68347)
Vulnerability from cvelistv5
Published
2025-12-24 10:32
Modified
2026-02-09 08:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: firewire-motu: fix buffer overflow in hwdep read for DSP events
The DSP event handling code in hwdep_read() could write more bytes to
the user buffer than requested, when a user provides a buffer smaller
than the event header size (8 bytes).
Fix by using min_t() to clamp the copy size, This ensures we never copy
more than the user requested.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 634ec0b2906efd46f6f57977e172aa3470aca432 Version: 634ec0b2906efd46f6f57977e172aa3470aca432 Version: 634ec0b2906efd46f6f57977e172aa3470aca432 Version: 634ec0b2906efd46f6f57977e172aa3470aca432 Version: 634ec0b2906efd46f6f57977e172aa3470aca432 Version: 634ec0b2906efd46f6f57977e172aa3470aca432 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/firewire/motu/motu-hwdep.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "16620f0617400746984362c3d6ac547eeae1d35f",
"status": "affected",
"version": "634ec0b2906efd46f6f57977e172aa3470aca432",
"versionType": "git"
},
{
"lessThan": "ddd32ec66bc4eb6969fe835e4cc1c0706c6348fe",
"status": "affected",
"version": "634ec0b2906efd46f6f57977e172aa3470aca432",
"versionType": "git"
},
{
"lessThan": "6275fd726d53a8ec724f20201cf3bd862711e17b",
"status": "affected",
"version": "634ec0b2906efd46f6f57977e172aa3470aca432",
"versionType": "git"
},
{
"lessThan": "161291bac551821bba98eb4ea84c82338578d1b0",
"status": "affected",
"version": "634ec0b2906efd46f6f57977e172aa3470aca432",
"versionType": "git"
},
{
"lessThan": "cdda0d06f8650e33255f79839f188bbece44117c",
"status": "affected",
"version": "634ec0b2906efd46f6f57977e172aa3470aca432",
"versionType": "git"
},
{
"lessThan": "210d77cca3d0494ed30a5c628b20c1d95fa04fb1",
"status": "affected",
"version": "634ec0b2906efd46f6f57977e172aa3470aca432",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/firewire/motu/motu-hwdep.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: firewire-motu: fix buffer overflow in hwdep read for DSP events\n\nThe DSP event handling code in hwdep_read() could write more bytes to\nthe user buffer than requested, when a user provides a buffer smaller\nthan the event header size (8 bytes).\n\nFix by using min_t() to clamp the copy size, This ensures we never copy\nmore than the user requested."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:31:36.281Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/16620f0617400746984362c3d6ac547eeae1d35f"
},
{
"url": "https://git.kernel.org/stable/c/ddd32ec66bc4eb6969fe835e4cc1c0706c6348fe"
},
{
"url": "https://git.kernel.org/stable/c/6275fd726d53a8ec724f20201cf3bd862711e17b"
},
{
"url": "https://git.kernel.org/stable/c/161291bac551821bba98eb4ea84c82338578d1b0"
},
{
"url": "https://git.kernel.org/stable/c/cdda0d06f8650e33255f79839f188bbece44117c"
},
{
"url": "https://git.kernel.org/stable/c/210d77cca3d0494ed30a5c628b20c1d95fa04fb1"
}
],
"title": "ALSA: firewire-motu: fix buffer overflow in hwdep read for DSP events",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68347",
"datePublished": "2025-12-24T10:32:39.804Z",
"dateReserved": "2025-12-16T14:48:05.299Z",
"dateUpdated": "2026-02-09T08:31:36.281Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-22121 (GCVE-0-2025-22121)
Vulnerability from cvelistv5
Published
2025-04-16 14:13
Modified
2026-01-19 12:17
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all()
There's issue as follows:
BUG: KASAN: use-after-free in ext4_xattr_inode_dec_ref_all+0x6ff/0x790
Read of size 4 at addr ffff88807b003000 by task syz-executor.0/15172
CPU: 3 PID: 15172 Comm: syz-executor.0
Call Trace:
__dump_stack lib/dump_stack.c:82 [inline]
dump_stack+0xbe/0xfd lib/dump_stack.c:123
print_address_description.constprop.0+0x1e/0x280 mm/kasan/report.c:400
__kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560
kasan_report+0x3a/0x50 mm/kasan/report.c:585
ext4_xattr_inode_dec_ref_all+0x6ff/0x790 fs/ext4/xattr.c:1137
ext4_xattr_delete_inode+0x4c7/0xda0 fs/ext4/xattr.c:2896
ext4_evict_inode+0xb3b/0x1670 fs/ext4/inode.c:323
evict+0x39f/0x880 fs/inode.c:622
iput_final fs/inode.c:1746 [inline]
iput fs/inode.c:1772 [inline]
iput+0x525/0x6c0 fs/inode.c:1758
ext4_orphan_cleanup fs/ext4/super.c:3298 [inline]
ext4_fill_super+0x8c57/0xba40 fs/ext4/super.c:5300
mount_bdev+0x355/0x410 fs/super.c:1446
legacy_get_tree+0xfe/0x220 fs/fs_context.c:611
vfs_get_tree+0x8d/0x2f0 fs/super.c:1576
do_new_mount fs/namespace.c:2983 [inline]
path_mount+0x119a/0x1ad0 fs/namespace.c:3316
do_mount+0xfc/0x110 fs/namespace.c:3329
__do_sys_mount fs/namespace.c:3540 [inline]
__se_sys_mount+0x219/0x2e0 fs/namespace.c:3514
do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x67/0xd1
Memory state around the buggy address:
ffff88807b002f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88807b002f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88807b003000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff88807b003080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88807b003100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
Above issue happens as ext4_xattr_delete_inode() isn't check xattr
is valid if xattr is in inode.
To solve above issue call xattr_check_inode() check if xattr if valid
in inode. In fact, we can directly verify in ext4_iget_extra_inode(),
so that there is no divergent verification.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: e50e5129f384ae282adebfb561189cdb19b81cee Version: e50e5129f384ae282adebfb561189cdb19b81cee Version: e50e5129f384ae282adebfb561189cdb19b81cee Version: e50e5129f384ae282adebfb561189cdb19b81cee Version: e50e5129f384ae282adebfb561189cdb19b81cee Version: e50e5129f384ae282adebfb561189cdb19b81cee Version: e50e5129f384ae282adebfb561189cdb19b81cee |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/inode.c",
"fs/ext4/xattr.c",
"fs/ext4/xattr.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "27202452b0bc942fdc3db72a44c4dcdab96d5b56",
"status": "affected",
"version": "e50e5129f384ae282adebfb561189cdb19b81cee",
"versionType": "git"
},
{
"lessThan": "b374e9ecc92aaa7fb2ab221ee3ff5451118ab566",
"status": "affected",
"version": "e50e5129f384ae282adebfb561189cdb19b81cee",
"versionType": "git"
},
{
"lessThan": "c000a8a9b5343a5ef867df173c6349672dacbd0f",
"status": "affected",
"version": "e50e5129f384ae282adebfb561189cdb19b81cee",
"versionType": "git"
},
{
"lessThan": "3c591353956ffcace2cc74d09930774afed60619",
"status": "affected",
"version": "e50e5129f384ae282adebfb561189cdb19b81cee",
"versionType": "git"
},
{
"lessThan": "098927a13fd918bd7c64c2de905350a1ad7b4a3a",
"status": "affected",
"version": "e50e5129f384ae282adebfb561189cdb19b81cee",
"versionType": "git"
},
{
"lessThan": "0c8fbb6ffb3c8f5164572ca88e4ccb6cd6a41ca8",
"status": "affected",
"version": "e50e5129f384ae282adebfb561189cdb19b81cee",
"versionType": "git"
},
{
"lessThan": "5701875f9609b000d91351eaa6bfd97fe2f157f4",
"status": "affected",
"version": "e50e5129f384ae282adebfb561189cdb19b81cee",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/inode.c",
"fs/ext4/xattr.c",
"fs/ext4/xattr.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.2",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all()\n\nThere\u0027s issue as follows:\nBUG: KASAN: use-after-free in ext4_xattr_inode_dec_ref_all+0x6ff/0x790\nRead of size 4 at addr ffff88807b003000 by task syz-executor.0/15172\n\nCPU: 3 PID: 15172 Comm: syz-executor.0\nCall Trace:\n __dump_stack lib/dump_stack.c:82 [inline]\n dump_stack+0xbe/0xfd lib/dump_stack.c:123\n print_address_description.constprop.0+0x1e/0x280 mm/kasan/report.c:400\n __kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560\n kasan_report+0x3a/0x50 mm/kasan/report.c:585\n ext4_xattr_inode_dec_ref_all+0x6ff/0x790 fs/ext4/xattr.c:1137\n ext4_xattr_delete_inode+0x4c7/0xda0 fs/ext4/xattr.c:2896\n ext4_evict_inode+0xb3b/0x1670 fs/ext4/inode.c:323\n evict+0x39f/0x880 fs/inode.c:622\n iput_final fs/inode.c:1746 [inline]\n iput fs/inode.c:1772 [inline]\n iput+0x525/0x6c0 fs/inode.c:1758\n ext4_orphan_cleanup fs/ext4/super.c:3298 [inline]\n ext4_fill_super+0x8c57/0xba40 fs/ext4/super.c:5300\n mount_bdev+0x355/0x410 fs/super.c:1446\n legacy_get_tree+0xfe/0x220 fs/fs_context.c:611\n vfs_get_tree+0x8d/0x2f0 fs/super.c:1576\n do_new_mount fs/namespace.c:2983 [inline]\n path_mount+0x119a/0x1ad0 fs/namespace.c:3316\n do_mount+0xfc/0x110 fs/namespace.c:3329\n __do_sys_mount fs/namespace.c:3540 [inline]\n __se_sys_mount+0x219/0x2e0 fs/namespace.c:3514\n do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x67/0xd1\n\nMemory state around the buggy address:\n ffff88807b002f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n ffff88807b002f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n\u003effff88807b003000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n ^\n ffff88807b003080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n ffff88807b003100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n\nAbove issue happens as ext4_xattr_delete_inode() isn\u0027t check xattr\nis valid if xattr is in inode.\nTo solve above issue call xattr_check_inode() check if xattr if valid\nin inode. In fact, we can directly verify in ext4_iget_extra_inode(),\nso that there is no divergent verification."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:17:55.783Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/27202452b0bc942fdc3db72a44c4dcdab96d5b56"
},
{
"url": "https://git.kernel.org/stable/c/b374e9ecc92aaa7fb2ab221ee3ff5451118ab566"
},
{
"url": "https://git.kernel.org/stable/c/c000a8a9b5343a5ef867df173c6349672dacbd0f"
},
{
"url": "https://git.kernel.org/stable/c/3c591353956ffcace2cc74d09930774afed60619"
},
{
"url": "https://git.kernel.org/stable/c/098927a13fd918bd7c64c2de905350a1ad7b4a3a"
},
{
"url": "https://git.kernel.org/stable/c/0c8fbb6ffb3c8f5164572ca88e4ccb6cd6a41ca8"
},
{
"url": "https://git.kernel.org/stable/c/5701875f9609b000d91351eaa6bfd97fe2f157f4"
}
],
"title": "ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-22121",
"datePublished": "2025-04-16T14:13:05.894Z",
"dateReserved": "2024-12-29T08:45:45.823Z",
"dateUpdated": "2026-01-19T12:17:55.783Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40275 (GCVE-0-2025-40275)
Vulnerability from cvelistv5
Published
2025-12-06 21:50
Modified
2025-12-06 21:50
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: usb-audio: Fix NULL pointer dereference in snd_usb_mixer_controls_badd
In snd_usb_create_streams(), for UAC version 3 devices, the Interface
Association Descriptor (IAD) is retrieved via usb_ifnum_to_if(). If this
call fails, a fallback routine attempts to obtain the IAD from the next
interface and sets a BADD profile. However, snd_usb_mixer_controls_badd()
assumes that the IAD retrieved from usb_ifnum_to_if() is always valid,
without performing a NULL check. This can lead to a NULL pointer
dereference when usb_ifnum_to_if() fails to find the interface descriptor.
This patch adds a NULL pointer check after calling usb_ifnum_to_if() in
snd_usb_mixer_controls_badd() to prevent the dereference.
This issue was discovered by syzkaller, which triggered the bug by sending
a crafted USB device descriptor.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 17156f23e93c0f59e06dd2aaffd06221341caaee Version: 17156f23e93c0f59e06dd2aaffd06221341caaee Version: 17156f23e93c0f59e06dd2aaffd06221341caaee Version: 17156f23e93c0f59e06dd2aaffd06221341caaee Version: 17156f23e93c0f59e06dd2aaffd06221341caaee Version: 17156f23e93c0f59e06dd2aaffd06221341caaee Version: 17156f23e93c0f59e06dd2aaffd06221341caaee Version: 17156f23e93c0f59e06dd2aaffd06221341caaee |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/usb/mixer.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "23aea9c74aeea2625aaf4fbcc6beb9d09e30f9e4",
"status": "affected",
"version": "17156f23e93c0f59e06dd2aaffd06221341caaee",
"versionType": "git"
},
{
"lessThan": "c5c08965ab96b16361e69a1e2a0e89dbcb99b5a6",
"status": "affected",
"version": "17156f23e93c0f59e06dd2aaffd06221341caaee",
"versionType": "git"
},
{
"lessThan": "9f282104627be5fbded3102ff9004f753c55a063",
"status": "affected",
"version": "17156f23e93c0f59e06dd2aaffd06221341caaee",
"versionType": "git"
},
{
"lessThan": "2762d3ea9c929ca4094541ca517c317ffa94625b",
"status": "affected",
"version": "17156f23e93c0f59e06dd2aaffd06221341caaee",
"versionType": "git"
},
{
"lessThan": "57f607c112966c21240c424b33e2cb71e121dcf0",
"status": "affected",
"version": "17156f23e93c0f59e06dd2aaffd06221341caaee",
"versionType": "git"
},
{
"lessThan": "cbdbfc756f2990942138ed0138da9303b4dbf9ff",
"status": "affected",
"version": "17156f23e93c0f59e06dd2aaffd06221341caaee",
"versionType": "git"
},
{
"lessThan": "85568535893600024d7d8794f4f8b6428b521e0c",
"status": "affected",
"version": "17156f23e93c0f59e06dd2aaffd06221341caaee",
"versionType": "git"
},
{
"lessThan": "632108ec072ad64c8c83db6e16a7efee29ebfb74",
"status": "affected",
"version": "17156f23e93c0f59e06dd2aaffd06221341caaee",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/usb/mixer.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"lessThan": "4.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Fix NULL pointer dereference in snd_usb_mixer_controls_badd\n\nIn snd_usb_create_streams(), for UAC version 3 devices, the Interface\nAssociation Descriptor (IAD) is retrieved via usb_ifnum_to_if(). If this\ncall fails, a fallback routine attempts to obtain the IAD from the next\ninterface and sets a BADD profile. However, snd_usb_mixer_controls_badd()\nassumes that the IAD retrieved from usb_ifnum_to_if() is always valid,\nwithout performing a NULL check. This can lead to a NULL pointer\ndereference when usb_ifnum_to_if() fails to find the interface descriptor.\n\nThis patch adds a NULL pointer check after calling usb_ifnum_to_if() in\nsnd_usb_mixer_controls_badd() to prevent the dereference.\n\nThis issue was discovered by syzkaller, which triggered the bug by sending\na crafted USB device descriptor."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T21:50:57.914Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/23aea9c74aeea2625aaf4fbcc6beb9d09e30f9e4"
},
{
"url": "https://git.kernel.org/stable/c/c5c08965ab96b16361e69a1e2a0e89dbcb99b5a6"
},
{
"url": "https://git.kernel.org/stable/c/9f282104627be5fbded3102ff9004f753c55a063"
},
{
"url": "https://git.kernel.org/stable/c/2762d3ea9c929ca4094541ca517c317ffa94625b"
},
{
"url": "https://git.kernel.org/stable/c/57f607c112966c21240c424b33e2cb71e121dcf0"
},
{
"url": "https://git.kernel.org/stable/c/cbdbfc756f2990942138ed0138da9303b4dbf9ff"
},
{
"url": "https://git.kernel.org/stable/c/85568535893600024d7d8794f4f8b6428b521e0c"
},
{
"url": "https://git.kernel.org/stable/c/632108ec072ad64c8c83db6e16a7efee29ebfb74"
}
],
"title": "ALSA: usb-audio: Fix NULL pointer dereference in snd_usb_mixer_controls_badd",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40275",
"datePublished": "2025-12-06T21:50:57.914Z",
"dateReserved": "2025-04-16T07:20:57.184Z",
"dateUpdated": "2025-12-06T21:50:57.914Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39985 (GCVE-0-2025-39985)
Vulnerability from cvelistv5
Published
2025-10-15 07:56
Modified
2025-10-15 07:56
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: mcba_usb: populate ndo_change_mtu() to prevent buffer overflow
Sending an PF_PACKET allows to bypass the CAN framework logic and to
directly reach the xmit() function of a CAN driver. The only check
which is performed by the PF_PACKET framework is to make sure that
skb->len fits the interface's MTU.
Unfortunately, because the mcba_usb driver does not populate its
net_device_ops->ndo_change_mtu(), it is possible for an attacker to
configure an invalid MTU by doing, for example:
$ ip link set can0 mtu 9999
After doing so, the attacker could open a PF_PACKET socket using the
ETH_P_CANXL protocol:
socket(PF_PACKET, SOCK_RAW, htons(ETH_P_CANXL))
to inject a malicious CAN XL frames. For example:
struct canxl_frame frame = {
.flags = 0xff,
.len = 2048,
};
The CAN drivers' xmit() function are calling can_dev_dropped_skb() to
check that the skb is valid, unfortunately under above conditions, the
malicious packet is able to go through can_dev_dropped_skb() checks:
1. the skb->protocol is set to ETH_P_CANXL which is valid (the
function does not check the actual device capabilities).
2. the length is a valid CAN XL length.
And so, mcba_usb_start_xmit() receives a CAN XL frame which it is not
able to correctly handle and will thus misinterpret it as a CAN frame.
This can result in a buffer overflow. The driver will consume cf->len
as-is with no further checks on these lines:
usb_msg.dlc = cf->len;
memcpy(usb_msg.data, cf->data, usb_msg.dlc);
Here, cf->len corresponds to the flags field of the CAN XL frame. In
our previous example, we set canxl_frame->flags to 0xff. Because the
maximum expected length is 8, a buffer overflow of 247 bytes occurs!
Populate net_device_ops->ndo_change_mtu() to ensure that the
interface's MTU can not be set to anything bigger than CAN_MTU. By
fixing the root cause, this prevents the buffer overflow.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 51f3baad7de943780ce0c17bd7975df567dd6e14 Version: 51f3baad7de943780ce0c17bd7975df567dd6e14 Version: 51f3baad7de943780ce0c17bd7975df567dd6e14 Version: 51f3baad7de943780ce0c17bd7975df567dd6e14 Version: 51f3baad7de943780ce0c17bd7975df567dd6e14 Version: 51f3baad7de943780ce0c17bd7975df567dd6e14 Version: 51f3baad7de943780ce0c17bd7975df567dd6e14 Version: 51f3baad7de943780ce0c17bd7975df567dd6e14 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/mcba_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0fa9303c4b9493727e0d3a6ac3729300e3013930",
"status": "affected",
"version": "51f3baad7de943780ce0c17bd7975df567dd6e14",
"versionType": "git"
},
{
"lessThan": "37aed407496bf6de8910e588edb04d2435fa7011",
"status": "affected",
"version": "51f3baad7de943780ce0c17bd7975df567dd6e14",
"versionType": "git"
},
{
"lessThan": "6eec67bfb25637f9b51e584cf59ddace59925bc8",
"status": "affected",
"version": "51f3baad7de943780ce0c17bd7975df567dd6e14",
"versionType": "git"
},
{
"lessThan": "ca4e51359608e1f29bf1f2c33c3ddf775b6b7ed1",
"status": "affected",
"version": "51f3baad7de943780ce0c17bd7975df567dd6e14",
"versionType": "git"
},
{
"lessThan": "3664ae91b26d1fd7e4cee9cde17301361f4c89d5",
"status": "affected",
"version": "51f3baad7de943780ce0c17bd7975df567dd6e14",
"versionType": "git"
},
{
"lessThan": "6b9fb82df8868dbe9ffea5874b8d35f951faedbb",
"status": "affected",
"version": "51f3baad7de943780ce0c17bd7975df567dd6e14",
"versionType": "git"
},
{
"lessThan": "b638c3fb0f163e69785ceddb3b434a9437878bec",
"status": "affected",
"version": "51f3baad7de943780ce0c17bd7975df567dd6e14",
"versionType": "git"
},
{
"lessThan": "17c8d794527f01def0d1c8b7dc2d7b8d34fed0e6",
"status": "affected",
"version": "51f3baad7de943780ce0c17bd7975df567dd6e14",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/mcba_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.155",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.50",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.155",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.109",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: mcba_usb: populate ndo_change_mtu() to prevent buffer overflow\n\nSending an PF_PACKET allows to bypass the CAN framework logic and to\ndirectly reach the xmit() function of a CAN driver. The only check\nwhich is performed by the PF_PACKET framework is to make sure that\nskb-\u003elen fits the interface\u0027s MTU.\n\nUnfortunately, because the mcba_usb driver does not populate its\nnet_device_ops-\u003endo_change_mtu(), it is possible for an attacker to\nconfigure an invalid MTU by doing, for example:\n\n $ ip link set can0 mtu 9999\n\nAfter doing so, the attacker could open a PF_PACKET socket using the\nETH_P_CANXL protocol:\n\n\tsocket(PF_PACKET, SOCK_RAW, htons(ETH_P_CANXL))\n\nto inject a malicious CAN XL frames. For example:\n\n\tstruct canxl_frame frame = {\n\t\t.flags = 0xff,\n\t\t.len = 2048,\n\t};\n\nThe CAN drivers\u0027 xmit() function are calling can_dev_dropped_skb() to\ncheck that the skb is valid, unfortunately under above conditions, the\nmalicious packet is able to go through can_dev_dropped_skb() checks:\n\n 1. the skb-\u003eprotocol is set to ETH_P_CANXL which is valid (the\n function does not check the actual device capabilities).\n\n 2. the length is a valid CAN XL length.\n\nAnd so, mcba_usb_start_xmit() receives a CAN XL frame which it is not\nable to correctly handle and will thus misinterpret it as a CAN frame.\n\nThis can result in a buffer overflow. The driver will consume cf-\u003elen\nas-is with no further checks on these lines:\n\n\tusb_msg.dlc = cf-\u003elen;\n\n\tmemcpy(usb_msg.data, cf-\u003edata, usb_msg.dlc);\n\nHere, cf-\u003elen corresponds to the flags field of the CAN XL frame. In\nour previous example, we set canxl_frame-\u003eflags to 0xff. Because the\nmaximum expected length is 8, a buffer overflow of 247 bytes occurs!\n\nPopulate net_device_ops-\u003endo_change_mtu() to ensure that the\ninterface\u0027s MTU can not be set to anything bigger than CAN_MTU. By\nfixing the root cause, this prevents the buffer overflow."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T07:56:04.439Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0fa9303c4b9493727e0d3a6ac3729300e3013930"
},
{
"url": "https://git.kernel.org/stable/c/37aed407496bf6de8910e588edb04d2435fa7011"
},
{
"url": "https://git.kernel.org/stable/c/6eec67bfb25637f9b51e584cf59ddace59925bc8"
},
{
"url": "https://git.kernel.org/stable/c/ca4e51359608e1f29bf1f2c33c3ddf775b6b7ed1"
},
{
"url": "https://git.kernel.org/stable/c/3664ae91b26d1fd7e4cee9cde17301361f4c89d5"
},
{
"url": "https://git.kernel.org/stable/c/6b9fb82df8868dbe9ffea5874b8d35f951faedbb"
},
{
"url": "https://git.kernel.org/stable/c/b638c3fb0f163e69785ceddb3b434a9437878bec"
},
{
"url": "https://git.kernel.org/stable/c/17c8d794527f01def0d1c8b7dc2d7b8d34fed0e6"
}
],
"title": "can: mcba_usb: populate ndo_change_mtu() to prevent buffer overflow",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39985",
"datePublished": "2025-10-15T07:56:04.439Z",
"dateReserved": "2025-04-16T07:20:57.150Z",
"dateUpdated": "2025-10-15T07:56:04.439Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40313 (GCVE-0-2025-40313)
Vulnerability from cvelistv5
Published
2025-12-08 00:46
Modified
2025-12-20 08:52
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ntfs3: pretend $Extend records as regular files
Since commit af153bb63a33 ("vfs: catch invalid modes in may_open()")
requires any inode be one of S_IFDIR/S_IFLNK/S_IFREG/S_IFCHR/S_IFBLK/
S_IFIFO/S_IFSOCK type, use S_IFREG for $Extend records.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 4534a70b7056fd4b9a1c6db5a4ce3c98546b291e Version: 4534a70b7056fd4b9a1c6db5a4ce3c98546b291e Version: 4534a70b7056fd4b9a1c6db5a4ce3c98546b291e Version: 4534a70b7056fd4b9a1c6db5a4ce3c98546b291e Version: 4534a70b7056fd4b9a1c6db5a4ce3c98546b291e Version: 4534a70b7056fd4b9a1c6db5a4ce3c98546b291e |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "63eb6730ce0604d3eacf036c2f68ea70b068317c",
"status": "affected",
"version": "4534a70b7056fd4b9a1c6db5a4ce3c98546b291e",
"versionType": "git"
},
{
"lessThan": "78d46f5276ed3589aaaa435580068c5b62efc921",
"status": "affected",
"version": "4534a70b7056fd4b9a1c6db5a4ce3c98546b291e",
"versionType": "git"
},
{
"lessThan": "17249b2a65274f73ed68bcd1604e08a60fd8a278",
"status": "affected",
"version": "4534a70b7056fd4b9a1c6db5a4ce3c98546b291e",
"versionType": "git"
},
{
"lessThan": "37f65e68ba9852dc51c78dbb54a9881c3f0fe4f7",
"status": "affected",
"version": "4534a70b7056fd4b9a1c6db5a4ce3c98546b291e",
"versionType": "git"
},
{
"lessThan": "57534db1bbc4ca772393bb7d92e69d5e7b9051cf",
"status": "affected",
"version": "4534a70b7056fd4b9a1c6db5a4ce3c98546b291e",
"versionType": "git"
},
{
"lessThan": "4e8011ffec79717e5fdac43a7e79faf811a384b7",
"status": "affected",
"version": "4534a70b7056fd4b9a1c6db5a4ce3c98546b291e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nntfs3: pretend $Extend records as regular files\n\nSince commit af153bb63a33 (\"vfs: catch invalid modes in may_open()\")\nrequires any inode be one of S_IFDIR/S_IFLNK/S_IFREG/S_IFCHR/S_IFBLK/\nS_IFIFO/S_IFSOCK type, use S_IFREG for $Extend records."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-20T08:52:02.840Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/63eb6730ce0604d3eacf036c2f68ea70b068317c"
},
{
"url": "https://git.kernel.org/stable/c/78d46f5276ed3589aaaa435580068c5b62efc921"
},
{
"url": "https://git.kernel.org/stable/c/17249b2a65274f73ed68bcd1604e08a60fd8a278"
},
{
"url": "https://git.kernel.org/stable/c/37f65e68ba9852dc51c78dbb54a9881c3f0fe4f7"
},
{
"url": "https://git.kernel.org/stable/c/57534db1bbc4ca772393bb7d92e69d5e7b9051cf"
},
{
"url": "https://git.kernel.org/stable/c/4e8011ffec79717e5fdac43a7e79faf811a384b7"
}
],
"title": "ntfs3: pretend $Extend records as regular files",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40313",
"datePublished": "2025-12-08T00:46:39.444Z",
"dateReserved": "2025-04-16T07:20:57.185Z",
"dateUpdated": "2025-12-20T08:52:02.840Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68312 (GCVE-0-2025-68312)
Vulnerability from cvelistv5
Published
2025-12-16 15:39
Modified
2025-12-16 15:39
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usbnet: Prevents free active kevent
The root cause of this issue are:
1. When probing the usbnet device, executing usbnet_link_change(dev, 0, 0);
put the kevent work in global workqueue. However, the kevent has not yet
been scheduled when the usbnet device is unregistered. Therefore, executing
free_netdev() results in the "free active object (kevent)" error reported
here.
2. Another factor is that when calling usbnet_disconnect()->unregister_netdev(),
if the usbnet device is up, ndo_stop() is executed to cancel the kevent.
However, because the device is not up, ndo_stop() is not executed.
The solution to this problem is to cancel the kevent before executing
free_netdev().
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 8b4588b8b00b299be16a35be67b331d8fdba03f3 Version: 135199a2edd459d2b123144efcd7f9bcd95128e4 Version: 635fd8953e4309b54ca6a81bed1d4a87668694f4 Version: a69e617e533edddf3fa3123149900f36e0a6dc74 Version: a69e617e533edddf3fa3123149900f36e0a6dc74 Version: a69e617e533edddf3fa3123149900f36e0a6dc74 Version: a69e617e533edddf3fa3123149900f36e0a6dc74 Version: a69e617e533edddf3fa3123149900f36e0a6dc74 Version: d2d6b530d89b0a912148018027386aa049f0a309 Version: e2a521a7dcc463c5017b4426ca0804e151faeff7 Version: 7f77dcbc030c2faa6d8e8a594985eeb34018409e Version: d49bb8cf9bfaa06aa527eb30f1a52a071da2e32f Version: db3b738ae5f726204876f4303c49cfdf4311403f |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/usbnet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "285d4b953f2ca03c358f986718dd89ee9bde632e",
"status": "affected",
"version": "8b4588b8b00b299be16a35be67b331d8fdba03f3",
"versionType": "git"
},
{
"lessThan": "88a38b135d69f5db9024ff6527232f1b51be8915",
"status": "affected",
"version": "135199a2edd459d2b123144efcd7f9bcd95128e4",
"versionType": "git"
},
{
"lessThan": "43005002b60ef3424719ecda16d124714b45da3b",
"status": "affected",
"version": "635fd8953e4309b54ca6a81bed1d4a87668694f4",
"versionType": "git"
},
{
"lessThan": "3a10619fdefd3051aeb14860e4d4335529b4e94d",
"status": "affected",
"version": "a69e617e533edddf3fa3123149900f36e0a6dc74",
"versionType": "git"
},
{
"lessThan": "9a579d6a39513069d298eee70770bbac8a148565",
"status": "affected",
"version": "a69e617e533edddf3fa3123149900f36e0a6dc74",
"versionType": "git"
},
{
"lessThan": "2ce1de32e05445d77fc056f6ff8339cfb78a5f84",
"status": "affected",
"version": "a69e617e533edddf3fa3123149900f36e0a6dc74",
"versionType": "git"
},
{
"lessThan": "5158fb8da162e3982940f30cd01ed77bdf42c6fc",
"status": "affected",
"version": "a69e617e533edddf3fa3123149900f36e0a6dc74",
"versionType": "git"
},
{
"lessThan": "420c84c330d1688b8c764479e5738bbdbf0a33de",
"status": "affected",
"version": "a69e617e533edddf3fa3123149900f36e0a6dc74",
"versionType": "git"
},
{
"status": "affected",
"version": "d2d6b530d89b0a912148018027386aa049f0a309",
"versionType": "git"
},
{
"status": "affected",
"version": "e2a521a7dcc463c5017b4426ca0804e151faeff7",
"versionType": "git"
},
{
"status": "affected",
"version": "7f77dcbc030c2faa6d8e8a594985eeb34018409e",
"versionType": "git"
},
{
"status": "affected",
"version": "d49bb8cf9bfaa06aa527eb30f1a52a071da2e32f",
"versionType": "git"
},
{
"status": "affected",
"version": "db3b738ae5f726204876f4303c49cfdf4311403f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/usbnet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "5.4.211",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.10.137",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.15.61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.326",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.291",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.256",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.18.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.19.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusbnet: Prevents free active kevent\n\nThe root cause of this issue are:\n1. When probing the usbnet device, executing usbnet_link_change(dev, 0, 0);\nput the kevent work in global workqueue. However, the kevent has not yet\nbeen scheduled when the usbnet device is unregistered. Therefore, executing\nfree_netdev() results in the \"free active object (kevent)\" error reported\nhere.\n\n2. Another factor is that when calling usbnet_disconnect()-\u003eunregister_netdev(),\nif the usbnet device is up, ndo_stop() is executed to cancel the kevent.\nHowever, because the device is not up, ndo_stop() is not executed.\n\nThe solution to this problem is to cancel the kevent before executing\nfree_netdev()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:39:43.174Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/285d4b953f2ca03c358f986718dd89ee9bde632e"
},
{
"url": "https://git.kernel.org/stable/c/88a38b135d69f5db9024ff6527232f1b51be8915"
},
{
"url": "https://git.kernel.org/stable/c/43005002b60ef3424719ecda16d124714b45da3b"
},
{
"url": "https://git.kernel.org/stable/c/3a10619fdefd3051aeb14860e4d4335529b4e94d"
},
{
"url": "https://git.kernel.org/stable/c/9a579d6a39513069d298eee70770bbac8a148565"
},
{
"url": "https://git.kernel.org/stable/c/2ce1de32e05445d77fc056f6ff8339cfb78a5f84"
},
{
"url": "https://git.kernel.org/stable/c/5158fb8da162e3982940f30cd01ed77bdf42c6fc"
},
{
"url": "https://git.kernel.org/stable/c/420c84c330d1688b8c764479e5738bbdbf0a33de"
}
],
"title": "usbnet: Prevents free active kevent",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68312",
"datePublished": "2025-12-16T15:39:43.174Z",
"dateReserved": "2025-12-16T14:48:05.294Z",
"dateUpdated": "2025-12-16T15:39:43.174Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68367 (GCVE-0-2025-68367)
Vulnerability from cvelistv5
Published
2025-12-24 10:32
Modified
2026-02-09 08:32
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
macintosh/mac_hid: fix race condition in mac_hid_toggle_emumouse
The following warning appears when running syzkaller, and this issue also
exists in the mainline code.
------------[ cut here ]------------
list_add double add: new=ffffffffa57eee28, prev=ffffffffa57eee28, next=ffffffffa5e63100.
WARNING: CPU: 0 PID: 1491 at lib/list_debug.c:35 __list_add_valid_or_report+0xf7/0x130
Modules linked in:
CPU: 0 PID: 1491 Comm: syz.1.28 Not tainted 6.6.0+ #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
RIP: 0010:__list_add_valid_or_report+0xf7/0x130
RSP: 0018:ff1100010dfb7b78 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffffffffa57eee18 RCX: ffffffff97fc9817
RDX: 0000000000040000 RSI: ffa0000002383000 RDI: 0000000000000001
RBP: ffffffffa57eee28 R08: 0000000000000001 R09: ffe21c0021bf6f2c
R10: 0000000000000001 R11: 6464615f7473696c R12: ffffffffa5e63100
R13: ffffffffa57eee28 R14: ffffffffa57eee28 R15: ff1100010dfb7d48
FS: 00007fb14398b640(0000) GS:ff11000119600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000010d096005 CR4: 0000000000773ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 80000000
Call Trace:
<TASK>
input_register_handler+0xb3/0x210
mac_hid_start_emulation+0x1c5/0x290
mac_hid_toggle_emumouse+0x20a/0x240
proc_sys_call_handler+0x4c2/0x6e0
new_sync_write+0x1b1/0x2d0
vfs_write+0x709/0x950
ksys_write+0x12a/0x250
do_syscall_64+0x5a/0x110
entry_SYSCALL_64_after_hwframe+0x78/0xe2
The WARNING occurs when two processes concurrently write to the mac-hid
emulation sysctl, causing a race condition in mac_hid_toggle_emumouse().
Both processes read old_val=0, then both try to register the input handler,
leading to a double list_add of the same handler.
CPU0 CPU1
------------------------- -------------------------
vfs_write() //write 1 vfs_write() //write 1
proc_sys_write() proc_sys_write()
mac_hid_toggle_emumouse() mac_hid_toggle_emumouse()
old_val = *valp // old_val=0
old_val = *valp // old_val=0
mutex_lock_killable()
proc_dointvec() // *valp=1
mac_hid_start_emulation()
input_register_handler()
mutex_unlock()
mutex_lock_killable()
proc_dointvec()
mac_hid_start_emulation()
input_register_handler() //Trigger Warning
mutex_unlock()
Fix this by moving the old_val read inside the mutex lock region.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 99b089c3c38a83ebaeb1cc4584ddcde841626467 Version: 99b089c3c38a83ebaeb1cc4584ddcde841626467 Version: 99b089c3c38a83ebaeb1cc4584ddcde841626467 Version: 99b089c3c38a83ebaeb1cc4584ddcde841626467 Version: 99b089c3c38a83ebaeb1cc4584ddcde841626467 Version: 99b089c3c38a83ebaeb1cc4584ddcde841626467 Version: 99b089c3c38a83ebaeb1cc4584ddcde841626467 Version: 99b089c3c38a83ebaeb1cc4584ddcde841626467 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/macintosh/mac_hid.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d5f1d40fd342b589420de7508b4c748fcf28122e",
"status": "affected",
"version": "99b089c3c38a83ebaeb1cc4584ddcde841626467",
"versionType": "git"
},
{
"lessThan": "14c209835e47a87e6da94bb9401e570dcc14f31f",
"status": "affected",
"version": "99b089c3c38a83ebaeb1cc4584ddcde841626467",
"versionType": "git"
},
{
"lessThan": "583d36523f56d8e9ddfa0bec20743a6faefc9b74",
"status": "affected",
"version": "99b089c3c38a83ebaeb1cc4584ddcde841626467",
"versionType": "git"
},
{
"lessThan": "61abf8c3162d155b4fd0fb251f08557093363a0a",
"status": "affected",
"version": "99b089c3c38a83ebaeb1cc4584ddcde841626467",
"versionType": "git"
},
{
"lessThan": "230621ffdb361d15cd3ef92d8b4fa8d314f4fad4",
"status": "affected",
"version": "99b089c3c38a83ebaeb1cc4584ddcde841626467",
"versionType": "git"
},
{
"lessThan": "388391dd1cc567fcf0b372b63d414c119d23e911",
"status": "affected",
"version": "99b089c3c38a83ebaeb1cc4584ddcde841626467",
"versionType": "git"
},
{
"lessThan": "48a7d427eb65922b3f17fbe00e2bbc7cb9eac381",
"status": "affected",
"version": "99b089c3c38a83ebaeb1cc4584ddcde841626467",
"versionType": "git"
},
{
"lessThan": "1e4b207ffe54cf33a4b7a2912c4110f89c73bf3f",
"status": "affected",
"version": "99b089c3c38a83ebaeb1cc4584ddcde841626467",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/macintosh/mac_hid.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.34"
},
{
"lessThan": "2.6.34",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.34",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmacintosh/mac_hid: fix race condition in mac_hid_toggle_emumouse\n\nThe following warning appears when running syzkaller, and this issue also\nexists in the mainline code.\n\n ------------[ cut here ]------------\n list_add double add: new=ffffffffa57eee28, prev=ffffffffa57eee28, next=ffffffffa5e63100.\n WARNING: CPU: 0 PID: 1491 at lib/list_debug.c:35 __list_add_valid_or_report+0xf7/0x130\n Modules linked in:\n CPU: 0 PID: 1491 Comm: syz.1.28 Not tainted 6.6.0+ #3\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\n RIP: 0010:__list_add_valid_or_report+0xf7/0x130\n RSP: 0018:ff1100010dfb7b78 EFLAGS: 00010282\n RAX: 0000000000000000 RBX: ffffffffa57eee18 RCX: ffffffff97fc9817\n RDX: 0000000000040000 RSI: ffa0000002383000 RDI: 0000000000000001\n RBP: ffffffffa57eee28 R08: 0000000000000001 R09: ffe21c0021bf6f2c\n R10: 0000000000000001 R11: 6464615f7473696c R12: ffffffffa5e63100\n R13: ffffffffa57eee28 R14: ffffffffa57eee28 R15: ff1100010dfb7d48\n FS: 00007fb14398b640(0000) GS:ff11000119600000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000000 CR3: 000000010d096005 CR4: 0000000000773ef0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n PKRU: 80000000\n Call Trace:\n \u003cTASK\u003e\n input_register_handler+0xb3/0x210\n mac_hid_start_emulation+0x1c5/0x290\n mac_hid_toggle_emumouse+0x20a/0x240\n proc_sys_call_handler+0x4c2/0x6e0\n new_sync_write+0x1b1/0x2d0\n vfs_write+0x709/0x950\n ksys_write+0x12a/0x250\n do_syscall_64+0x5a/0x110\n entry_SYSCALL_64_after_hwframe+0x78/0xe2\n\nThe WARNING occurs when two processes concurrently write to the mac-hid\nemulation sysctl, causing a race condition in mac_hid_toggle_emumouse().\nBoth processes read old_val=0, then both try to register the input handler,\nleading to a double list_add of the same handler.\n\n CPU0 CPU1\n ------------------------- -------------------------\n vfs_write() //write 1 vfs_write() //write 1\n proc_sys_write() proc_sys_write()\n mac_hid_toggle_emumouse() mac_hid_toggle_emumouse()\n old_val = *valp // old_val=0\n old_val = *valp // old_val=0\n mutex_lock_killable()\n proc_dointvec() // *valp=1\n mac_hid_start_emulation()\n input_register_handler()\n mutex_unlock()\n mutex_lock_killable()\n proc_dointvec()\n mac_hid_start_emulation()\n input_register_handler() //Trigger Warning\n mutex_unlock()\n\nFix this by moving the old_val read inside the mutex lock region."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:32:03.804Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d5f1d40fd342b589420de7508b4c748fcf28122e"
},
{
"url": "https://git.kernel.org/stable/c/14c209835e47a87e6da94bb9401e570dcc14f31f"
},
{
"url": "https://git.kernel.org/stable/c/583d36523f56d8e9ddfa0bec20743a6faefc9b74"
},
{
"url": "https://git.kernel.org/stable/c/61abf8c3162d155b4fd0fb251f08557093363a0a"
},
{
"url": "https://git.kernel.org/stable/c/230621ffdb361d15cd3ef92d8b4fa8d314f4fad4"
},
{
"url": "https://git.kernel.org/stable/c/388391dd1cc567fcf0b372b63d414c119d23e911"
},
{
"url": "https://git.kernel.org/stable/c/48a7d427eb65922b3f17fbe00e2bbc7cb9eac381"
},
{
"url": "https://git.kernel.org/stable/c/1e4b207ffe54cf33a4b7a2912c4110f89c73bf3f"
}
],
"title": "macintosh/mac_hid: fix race condition in mac_hid_toggle_emumouse",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68367",
"datePublished": "2025-12-24T10:32:54.084Z",
"dateReserved": "2025-12-16T14:48:05.309Z",
"dateUpdated": "2026-02-09T08:32:03.804Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71115 (GCVE-0-2025-71115)
Vulnerability from cvelistv5
Published
2026-01-14 15:06
Modified
2026-02-09 08:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
um: init cpu_tasks[] earlier
This is currently done in uml_finishsetup(), but e.g. with
KCOV enabled we'll crash because some init code can call
into e.g. memparse(), which has coverage annotations, and
then the checks in check_kcov_mode() crash because current
is NULL.
Simply initialize the cpu_tasks[] array statically, which
fixes the crash. For the later SMP work, it seems to have
not really caused any problems yet, but initialize all of
the entries anyway.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/um/kernel/process.c",
"arch/um/kernel/um_arch.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dbbf6d47130674640cd12a0781a0fb2a575d0e44",
"status": "affected",
"version": "2f681ba4b352cdd5658ed2a96062375a12839755",
"versionType": "git"
},
{
"lessThan": "7b5d4416964c07c902163822a30a622111172b01",
"status": "affected",
"version": "2f681ba4b352cdd5658ed2a96062375a12839755",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/um/kernel/process.c",
"arch/um/kernel/um_arch.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.13"
},
{
"lessThan": "6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\num: init cpu_tasks[] earlier\n\nThis is currently done in uml_finishsetup(), but e.g. with\nKCOV enabled we\u0027ll crash because some init code can call\ninto e.g. memparse(), which has coverage annotations, and\nthen the checks in check_kcov_mode() crash because current\nis NULL.\n\nSimply initialize the cpu_tasks[] array statically, which\nfixes the crash. For the later SMP work, it seems to have\nnot really caused any problems yet, but initialize all of\nthe entries anyway."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:09.875Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dbbf6d47130674640cd12a0781a0fb2a575d0e44"
},
{
"url": "https://git.kernel.org/stable/c/7b5d4416964c07c902163822a30a622111172b01"
}
],
"title": "um: init cpu_tasks[] earlier",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71115",
"datePublished": "2026-01-14T15:06:02.428Z",
"dateReserved": "2026-01-13T15:30:19.653Z",
"dateUpdated": "2026-02-09T08:35:09.875Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23167 (GCVE-0-2026-23167)
Vulnerability from cvelistv5
Published
2026-02-14 16:01
Modified
2026-02-14 16:01
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nfc: nci: Fix race between rfkill and nci_unregister_device().
syzbot reported the splat below [0] without a repro.
It indicates that struct nci_dev.cmd_wq had been destroyed before
nci_close_device() was called via rfkill.
nci_dev.cmd_wq is only destroyed in nci_unregister_device(), which
(I think) was called from virtual_ncidev_close() when syzbot close()d
an fd of virtual_ncidev.
The problem is that nci_unregister_device() destroys nci_dev.cmd_wq
first and then calls nfc_unregister_device(), which removes the
device from rfkill by rfkill_unregister().
So, the device is still visible via rfkill even after nci_dev.cmd_wq
is destroyed.
Let's unregister the device from rfkill first in nci_unregister_device().
Note that we cannot call nfc_unregister_device() before
nci_close_device() because
1) nfc_unregister_device() calls device_del() which frees
all memory allocated by devm_kzalloc() and linked to
ndev->conn_info_list
2) nci_rx_work() could try to queue nci_conn_info to
ndev->conn_info_list which could be leaked
Thus, nfc_unregister_device() is split into two functions so we
can remove rfkill interfaces only before nci_close_device().
[0]:
DEBUG_LOCKS_WARN_ON(1)
WARNING: kernel/locking/lockdep.c:238 at hlock_class kernel/locking/lockdep.c:238 [inline], CPU#0: syz.0.8675/6349
WARNING: kernel/locking/lockdep.c:238 at check_wait_context kernel/locking/lockdep.c:4854 [inline], CPU#0: syz.0.8675/6349
WARNING: kernel/locking/lockdep.c:238 at __lock_acquire+0x39d/0x2cf0 kernel/locking/lockdep.c:5187, CPU#0: syz.0.8675/6349
Modules linked in:
CPU: 0 UID: 0 PID: 6349 Comm: syz.0.8675 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/13/2026
RIP: 0010:hlock_class kernel/locking/lockdep.c:238 [inline]
RIP: 0010:check_wait_context kernel/locking/lockdep.c:4854 [inline]
RIP: 0010:__lock_acquire+0x3a4/0x2cf0 kernel/locking/lockdep.c:5187
Code: 18 00 4c 8b 74 24 08 75 27 90 e8 17 f2 fc 02 85 c0 74 1c 83 3d 50 e0 4e 0e 00 75 13 48 8d 3d 43 f7 51 0e 48 c7 c6 8b 3a de 8d <67> 48 0f b9 3a 90 31 c0 0f b6 98 c4 00 00 00 41 8b 45 20 25 ff 1f
RSP: 0018:ffffc9000c767680 EFLAGS: 00010046
RAX: 0000000000000001 RBX: 0000000000040000 RCX: 0000000000080000
RDX: ffffc90013080000 RSI: ffffffff8dde3a8b RDI: ffffffff8ff24ca0
RBP: 0000000000000003 R08: ffffffff8fef35a3 R09: 1ffffffff1fde6b4
R10: dffffc0000000000 R11: fffffbfff1fde6b5 R12: 00000000000012a2
R13: ffff888030338ba8 R14: ffff888030338000 R15: ffff888030338b30
FS: 00007fa5995f66c0(0000) GS:ffff8881256f8000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7e72f842d0 CR3: 00000000485a0000 CR4: 00000000003526f0
Call Trace:
<TASK>
lock_acquire+0x106/0x330 kernel/locking/lockdep.c:5868
touch_wq_lockdep_map+0xcb/0x180 kernel/workqueue.c:3940
__flush_workqueue+0x14b/0x14f0 kernel/workqueue.c:3982
nci_close_device+0x302/0x630 net/nfc/nci/core.c:567
nci_dev_down+0x3b/0x50 net/nfc/nci/core.c:639
nfc_dev_down+0x152/0x290 net/nfc/core.c:161
nfc_rfkill_set_block+0x2d/0x100 net/nfc/core.c:179
rfkill_set_block+0x1d2/0x440 net/rfkill/core.c:346
rfkill_fop_write+0x461/0x5a0 net/rfkill/core.c:1301
vfs_write+0x29a/0xb90 fs/read_write.c:684
ksys_write+0x150/0x270 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fa59b39acb9
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fa5995f6028 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007fa59b615fa0 RCX: 00007fa59b39acb9
RDX: 0000000000000008 RSI: 0000200000000080 RDI: 0000000000000007
RBP: 00007fa59b408bf7 R08:
---truncated---
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 6a2968aaf50c7a22fced77a5e24aa636281efca8 Version: 6a2968aaf50c7a22fced77a5e24aa636281efca8 Version: 6a2968aaf50c7a22fced77a5e24aa636281efca8 Version: 6a2968aaf50c7a22fced77a5e24aa636281efca8 Version: 6a2968aaf50c7a22fced77a5e24aa636281efca8 Version: 6a2968aaf50c7a22fced77a5e24aa636281efca8 Version: 6a2968aaf50c7a22fced77a5e24aa636281efca8 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/nfc/nfc.h",
"net/nfc/core.c",
"net/nfc/nci/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cd4412d5905ee580e96c48360dc98fcd9e6f3208",
"status": "affected",
"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8",
"versionType": "git"
},
{
"lessThan": "eaa5da5130deda26420273d4610cf6e4f794ed75",
"status": "affected",
"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8",
"versionType": "git"
},
{
"lessThan": "8ea4d96419fb20f15a52ce657d49f1e7c91eb7ac",
"status": "affected",
"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8",
"versionType": "git"
},
{
"lessThan": "546eba0b10989de9ccc7fd619e874a30561e2b88",
"status": "affected",
"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8",
"versionType": "git"
},
{
"lessThan": "126cd30cad37bc7c2c85fe2df2a522d4edf0a5c5",
"status": "affected",
"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8",
"versionType": "git"
},
{
"lessThan": "c3369fc5e6120a72169e71acd72e987907a682af",
"status": "affected",
"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8",
"versionType": "git"
},
{
"lessThan": "d2492688bb9fed6ab6e313682c387ae71a66ebae",
"status": "affected",
"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/nfc/nfc.h",
"net/nfc/core.c",
"net/nfc/nci/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.2"
},
{
"lessThan": "3.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.123",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.69",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.123",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.69",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.9",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: nci: Fix race between rfkill and nci_unregister_device().\n\nsyzbot reported the splat below [0] without a repro.\n\nIt indicates that struct nci_dev.cmd_wq had been destroyed before\nnci_close_device() was called via rfkill.\n\nnci_dev.cmd_wq is only destroyed in nci_unregister_device(), which\n(I think) was called from virtual_ncidev_close() when syzbot close()d\nan fd of virtual_ncidev.\n\nThe problem is that nci_unregister_device() destroys nci_dev.cmd_wq\nfirst and then calls nfc_unregister_device(), which removes the\ndevice from rfkill by rfkill_unregister().\n\nSo, the device is still visible via rfkill even after nci_dev.cmd_wq\nis destroyed.\n\nLet\u0027s unregister the device from rfkill first in nci_unregister_device().\n\nNote that we cannot call nfc_unregister_device() before\nnci_close_device() because\n\n 1) nfc_unregister_device() calls device_del() which frees\n all memory allocated by devm_kzalloc() and linked to\n ndev-\u003econn_info_list\n\n 2) nci_rx_work() could try to queue nci_conn_info to\n ndev-\u003econn_info_list which could be leaked\n\nThus, nfc_unregister_device() is split into two functions so we\ncan remove rfkill interfaces only before nci_close_device().\n\n[0]:\nDEBUG_LOCKS_WARN_ON(1)\nWARNING: kernel/locking/lockdep.c:238 at hlock_class kernel/locking/lockdep.c:238 [inline], CPU#0: syz.0.8675/6349\nWARNING: kernel/locking/lockdep.c:238 at check_wait_context kernel/locking/lockdep.c:4854 [inline], CPU#0: syz.0.8675/6349\nWARNING: kernel/locking/lockdep.c:238 at __lock_acquire+0x39d/0x2cf0 kernel/locking/lockdep.c:5187, CPU#0: syz.0.8675/6349\nModules linked in:\nCPU: 0 UID: 0 PID: 6349 Comm: syz.0.8675 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/13/2026\nRIP: 0010:hlock_class kernel/locking/lockdep.c:238 [inline]\nRIP: 0010:check_wait_context kernel/locking/lockdep.c:4854 [inline]\nRIP: 0010:__lock_acquire+0x3a4/0x2cf0 kernel/locking/lockdep.c:5187\nCode: 18 00 4c 8b 74 24 08 75 27 90 e8 17 f2 fc 02 85 c0 74 1c 83 3d 50 e0 4e 0e 00 75 13 48 8d 3d 43 f7 51 0e 48 c7 c6 8b 3a de 8d \u003c67\u003e 48 0f b9 3a 90 31 c0 0f b6 98 c4 00 00 00 41 8b 45 20 25 ff 1f\nRSP: 0018:ffffc9000c767680 EFLAGS: 00010046\nRAX: 0000000000000001 RBX: 0000000000040000 RCX: 0000000000080000\nRDX: ffffc90013080000 RSI: ffffffff8dde3a8b RDI: ffffffff8ff24ca0\nRBP: 0000000000000003 R08: ffffffff8fef35a3 R09: 1ffffffff1fde6b4\nR10: dffffc0000000000 R11: fffffbfff1fde6b5 R12: 00000000000012a2\nR13: ffff888030338ba8 R14: ffff888030338000 R15: ffff888030338b30\nFS: 00007fa5995f66c0(0000) GS:ffff8881256f8000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f7e72f842d0 CR3: 00000000485a0000 CR4: 00000000003526f0\nCall Trace:\n \u003cTASK\u003e\n lock_acquire+0x106/0x330 kernel/locking/lockdep.c:5868\n touch_wq_lockdep_map+0xcb/0x180 kernel/workqueue.c:3940\n __flush_workqueue+0x14b/0x14f0 kernel/workqueue.c:3982\n nci_close_device+0x302/0x630 net/nfc/nci/core.c:567\n nci_dev_down+0x3b/0x50 net/nfc/nci/core.c:639\n nfc_dev_down+0x152/0x290 net/nfc/core.c:161\n nfc_rfkill_set_block+0x2d/0x100 net/nfc/core.c:179\n rfkill_set_block+0x1d2/0x440 net/rfkill/core.c:346\n rfkill_fop_write+0x461/0x5a0 net/rfkill/core.c:1301\n vfs_write+0x29a/0xb90 fs/read_write.c:684\n ksys_write+0x150/0x270 fs/read_write.c:738\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7fa59b39acb9\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fa5995f6028 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 00007fa59b615fa0 RCX: 00007fa59b39acb9\nRDX: 0000000000000008 RSI: 0000200000000080 RDI: 0000000000000007\nRBP: 00007fa59b408bf7 R08: \n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T16:01:30.755Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cd4412d5905ee580e96c48360dc98fcd9e6f3208"
},
{
"url": "https://git.kernel.org/stable/c/eaa5da5130deda26420273d4610cf6e4f794ed75"
},
{
"url": "https://git.kernel.org/stable/c/8ea4d96419fb20f15a52ce657d49f1e7c91eb7ac"
},
{
"url": "https://git.kernel.org/stable/c/546eba0b10989de9ccc7fd619e874a30561e2b88"
},
{
"url": "https://git.kernel.org/stable/c/126cd30cad37bc7c2c85fe2df2a522d4edf0a5c5"
},
{
"url": "https://git.kernel.org/stable/c/c3369fc5e6120a72169e71acd72e987907a682af"
},
{
"url": "https://git.kernel.org/stable/c/d2492688bb9fed6ab6e313682c387ae71a66ebae"
}
],
"title": "nfc: nci: Fix race between rfkill and nci_unregister_device().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23167",
"datePublished": "2026-02-14T16:01:30.755Z",
"dateReserved": "2026-01-13T15:37:45.981Z",
"dateUpdated": "2026-02-14T16:01:30.755Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68191 (GCVE-0-2025-68191)
Vulnerability from cvelistv5
Published
2025-12-16 13:43
Modified
2026-01-02 15:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
udp_tunnel: use netdev_warn() instead of netdev_WARN()
netdev_WARN() uses WARN/WARN_ON to print a backtrace along with
file and line information. In this case, udp_tunnel_nic_register()
returning an error is just a failed operation, not a kernel bug.
udp_tunnel_nic_register() can fail due to a memory allocation
failure (kzalloc() or udp_tunnel_nic_alloc()).
This is a normal runtime error and not a kernel bug.
Replace netdev_WARN() with netdev_warn() accordingly.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: cc4e3835eff474aa274d6e1d18f69d9d296d3b76 Version: cc4e3835eff474aa274d6e1d18f69d9d296d3b76 Version: cc4e3835eff474aa274d6e1d18f69d9d296d3b76 Version: cc4e3835eff474aa274d6e1d18f69d9d296d3b76 Version: cc4e3835eff474aa274d6e1d18f69d9d296d3b76 Version: cc4e3835eff474aa274d6e1d18f69d9d296d3b76 Version: cc4e3835eff474aa274d6e1d18f69d9d296d3b76 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/udp_tunnel_nic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "087f1ed450dc6e7e49ffbbbe5b78be1218c6d5e0",
"status": "affected",
"version": "cc4e3835eff474aa274d6e1d18f69d9d296d3b76",
"versionType": "git"
},
{
"lessThan": "45e4e4a8772fa1c5f6f38e82b732b3a9d8137af4",
"status": "affected",
"version": "cc4e3835eff474aa274d6e1d18f69d9d296d3b76",
"versionType": "git"
},
{
"lessThan": "7758ec35ff3e9a31558eda4f0f9eb0ddfa78a8ba",
"status": "affected",
"version": "cc4e3835eff474aa274d6e1d18f69d9d296d3b76",
"versionType": "git"
},
{
"lessThan": "c018a87942bf1607aeebf8dba5a210ca9a09a0fd",
"status": "affected",
"version": "cc4e3835eff474aa274d6e1d18f69d9d296d3b76",
"versionType": "git"
},
{
"lessThan": "51b3033088f0420b19027e3d54cd989b6ebd987e",
"status": "affected",
"version": "cc4e3835eff474aa274d6e1d18f69d9d296d3b76",
"versionType": "git"
},
{
"lessThan": "3c3b148bf8384c8a787753cf20abde1c5731f97f",
"status": "affected",
"version": "cc4e3835eff474aa274d6e1d18f69d9d296d3b76",
"versionType": "git"
},
{
"lessThan": "dc2f650f7e6857bf384069c1a56b2937a1ee370d",
"status": "affected",
"version": "cc4e3835eff474aa274d6e1d18f69d9d296d3b76",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/udp_tunnel_nic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nudp_tunnel: use netdev_warn() instead of netdev_WARN()\n\nnetdev_WARN() uses WARN/WARN_ON to print a backtrace along with\nfile and line information. In this case, udp_tunnel_nic_register()\nreturning an error is just a failed operation, not a kernel bug.\n\nudp_tunnel_nic_register() can fail due to a memory allocation\nfailure (kzalloc() or udp_tunnel_nic_alloc()).\nThis is a normal runtime error and not a kernel bug.\n\nReplace netdev_WARN() with netdev_warn() accordingly."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:34:20.100Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/087f1ed450dc6e7e49ffbbbe5b78be1218c6d5e0"
},
{
"url": "https://git.kernel.org/stable/c/45e4e4a8772fa1c5f6f38e82b732b3a9d8137af4"
},
{
"url": "https://git.kernel.org/stable/c/7758ec35ff3e9a31558eda4f0f9eb0ddfa78a8ba"
},
{
"url": "https://git.kernel.org/stable/c/c018a87942bf1607aeebf8dba5a210ca9a09a0fd"
},
{
"url": "https://git.kernel.org/stable/c/51b3033088f0420b19027e3d54cd989b6ebd987e"
},
{
"url": "https://git.kernel.org/stable/c/3c3b148bf8384c8a787753cf20abde1c5731f97f"
},
{
"url": "https://git.kernel.org/stable/c/dc2f650f7e6857bf384069c1a56b2937a1ee370d"
}
],
"title": "udp_tunnel: use netdev_warn() instead of netdev_WARN()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68191",
"datePublished": "2025-12-16T13:43:13.146Z",
"dateReserved": "2025-12-16T13:41:40.253Z",
"dateUpdated": "2026-01-02T15:34:20.100Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68301 (GCVE-0-2025-68301)
Vulnerability from cvelistv5
Published
2025-12-16 15:06
Modified
2025-12-16 15:06
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: atlantic: fix fragment overflow handling in RX path
The atlantic driver can receive packets with more than MAX_SKB_FRAGS (17)
fragments when handling large multi-descriptor packets. This causes an
out-of-bounds write in skb_add_rx_frag_netmem() leading to kernel panic.
The issue occurs because the driver doesn't check the total number of
fragments before calling skb_add_rx_frag(). When a packet requires more
than MAX_SKB_FRAGS fragments, the fragment index exceeds the array bounds.
Fix by assuming there will be an extra frag if buff->len > AQ_CFG_RX_HDR_SIZE,
then all fragments are accounted for. And reusing the existing check to
prevent the overflow earlier in the code path.
This crash occurred in production with an Aquantia AQC113 10G NIC.
Stack trace from production environment:
```
RIP: 0010:skb_add_rx_frag_netmem+0x29/0xd0
Code: 90 f3 0f 1e fa 0f 1f 44 00 00 48 89 f8 41 89
ca 48 89 d7 48 63 ce 8b 90 c0 00 00 00 48 c1 e1 04 48 01 ca 48 03 90
c8 00 00 00 <48> 89 7a 30 44 89 52 3c 44 89 42 38 40 f6 c7 01 75 74 48
89 fa 83
RSP: 0018:ffffa9bec02a8d50 EFLAGS: 00010287
RAX: ffff925b22e80a00 RBX: ffff925ad38d2700 RCX:
fffffffe0a0c8000
RDX: ffff9258ea95bac0 RSI: ffff925ae0a0c800 RDI:
0000000000037a40
RBP: 0000000000000024 R08: 0000000000000000 R09:
0000000000000021
R10: 0000000000000848 R11: 0000000000000000 R12:
ffffa9bec02a8e24
R13: ffff925ad8615570 R14: 0000000000000000 R15:
ffff925b22e80a00
FS: 0000000000000000(0000)
GS:ffff925e47880000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff9258ea95baf0 CR3: 0000000166022004 CR4:
0000000000f72ef0
PKRU: 55555554
Call Trace:
<IRQ>
aq_ring_rx_clean+0x175/0xe60 [atlantic]
? aq_ring_rx_clean+0x14d/0xe60 [atlantic]
? aq_ring_tx_clean+0xdf/0x190 [atlantic]
? kmem_cache_free+0x348/0x450
? aq_vec_poll+0x81/0x1d0 [atlantic]
? __napi_poll+0x28/0x1c0
? net_rx_action+0x337/0x420
```
Changes in v4:
- Add Fixes: tag to satisfy patch validation requirements.
Changes in v3:
- Fix by assuming there will be an extra frag if buff->len > AQ_CFG_RX_HDR_SIZE,
then all fragments are accounted for.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: cd66ab20a8f84474564a68fffffd37d998f6c340 Version: 948ddbdc56636773401f2cb9c7a932eb9c43ccfd Version: 6aecbba12b5c90b26dc062af3b9de8c4b3a2f19f Version: 6aecbba12b5c90b26dc062af3b9de8c4b3a2f19f Version: 6aecbba12b5c90b26dc062af3b9de8c4b3a2f19f Version: 6aecbba12b5c90b26dc062af3b9de8c4b3a2f19f Version: 6aecbba12b5c90b26dc062af3b9de8c4b3a2f19f Version: dd4fb02847e737cc38ca75e708b1a836fba45faf |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/aquantia/atlantic/aq_ring.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "34147477eeab24077fcfe9649e282849347d760c",
"status": "affected",
"version": "cd66ab20a8f84474564a68fffffd37d998f6c340",
"versionType": "git"
},
{
"lessThan": "b0c4d5135b04ea100988e2458c98f2d8564cda16",
"status": "affected",
"version": "948ddbdc56636773401f2cb9c7a932eb9c43ccfd",
"versionType": "git"
},
{
"lessThan": "5d6051ea1b0417ae2f06a8440d22e48fbc8f8997",
"status": "affected",
"version": "6aecbba12b5c90b26dc062af3b9de8c4b3a2f19f",
"versionType": "git"
},
{
"lessThan": "3be37c3c96b16462394fcb8e15e757c691377038",
"status": "affected",
"version": "6aecbba12b5c90b26dc062af3b9de8c4b3a2f19f",
"versionType": "git"
},
{
"lessThan": "3fd2105e1b7e041cc24be151c9a31a14d5fc50ab",
"status": "affected",
"version": "6aecbba12b5c90b26dc062af3b9de8c4b3a2f19f",
"versionType": "git"
},
{
"lessThan": "64e47cd1fd631a21bf5a630cebefec6c8fc381cd",
"status": "affected",
"version": "6aecbba12b5c90b26dc062af3b9de8c4b3a2f19f",
"versionType": "git"
},
{
"lessThan": "5ffcb7b890f61541201461580bb6622ace405aec",
"status": "affected",
"version": "6aecbba12b5c90b26dc062af3b9de8c4b3a2f19f",
"versionType": "git"
},
{
"status": "affected",
"version": "dd4fb02847e737cc38ca75e708b1a836fba45faf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/aquantia/atlantic/aq_ring.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.10.118",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.15.42",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.17.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: atlantic: fix fragment overflow handling in RX path\n\nThe atlantic driver can receive packets with more than MAX_SKB_FRAGS (17)\nfragments when handling large multi-descriptor packets. This causes an\nout-of-bounds write in skb_add_rx_frag_netmem() leading to kernel panic.\n\nThe issue occurs because the driver doesn\u0027t check the total number of\nfragments before calling skb_add_rx_frag(). When a packet requires more\nthan MAX_SKB_FRAGS fragments, the fragment index exceeds the array bounds.\n\nFix by assuming there will be an extra frag if buff-\u003elen \u003e AQ_CFG_RX_HDR_SIZE,\nthen all fragments are accounted for. And reusing the existing check to\nprevent the overflow earlier in the code path.\n\nThis crash occurred in production with an Aquantia AQC113 10G NIC.\n\nStack trace from production environment:\n```\nRIP: 0010:skb_add_rx_frag_netmem+0x29/0xd0\nCode: 90 f3 0f 1e fa 0f 1f 44 00 00 48 89 f8 41 89\nca 48 89 d7 48 63 ce 8b 90 c0 00 00 00 48 c1 e1 04 48 01 ca 48 03 90\nc8 00 00 00 \u003c48\u003e 89 7a 30 44 89 52 3c 44 89 42 38 40 f6 c7 01 75 74 48\n89 fa 83\nRSP: 0018:ffffa9bec02a8d50 EFLAGS: 00010287\nRAX: ffff925b22e80a00 RBX: ffff925ad38d2700 RCX:\nfffffffe0a0c8000\nRDX: ffff9258ea95bac0 RSI: ffff925ae0a0c800 RDI:\n0000000000037a40\nRBP: 0000000000000024 R08: 0000000000000000 R09:\n0000000000000021\nR10: 0000000000000848 R11: 0000000000000000 R12:\nffffa9bec02a8e24\nR13: ffff925ad8615570 R14: 0000000000000000 R15:\nffff925b22e80a00\nFS: 0000000000000000(0000)\nGS:ffff925e47880000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffff9258ea95baf0 CR3: 0000000166022004 CR4:\n0000000000f72ef0\nPKRU: 55555554\nCall Trace:\n\u003cIRQ\u003e\naq_ring_rx_clean+0x175/0xe60 [atlantic]\n? aq_ring_rx_clean+0x14d/0xe60 [atlantic]\n? aq_ring_tx_clean+0xdf/0x190 [atlantic]\n? kmem_cache_free+0x348/0x450\n? aq_vec_poll+0x81/0x1d0 [atlantic]\n? __napi_poll+0x28/0x1c0\n? net_rx_action+0x337/0x420\n```\n\nChanges in v4:\n- Add Fixes: tag to satisfy patch validation requirements.\n\nChanges in v3:\n- Fix by assuming there will be an extra frag if buff-\u003elen \u003e AQ_CFG_RX_HDR_SIZE,\n then all fragments are accounted for."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:06:19.688Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/34147477eeab24077fcfe9649e282849347d760c"
},
{
"url": "https://git.kernel.org/stable/c/b0c4d5135b04ea100988e2458c98f2d8564cda16"
},
{
"url": "https://git.kernel.org/stable/c/5d6051ea1b0417ae2f06a8440d22e48fbc8f8997"
},
{
"url": "https://git.kernel.org/stable/c/3be37c3c96b16462394fcb8e15e757c691377038"
},
{
"url": "https://git.kernel.org/stable/c/3fd2105e1b7e041cc24be151c9a31a14d5fc50ab"
},
{
"url": "https://git.kernel.org/stable/c/64e47cd1fd631a21bf5a630cebefec6c8fc381cd"
},
{
"url": "https://git.kernel.org/stable/c/5ffcb7b890f61541201461580bb6622ace405aec"
}
],
"title": "net: atlantic: fix fragment overflow handling in RX path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68301",
"datePublished": "2025-12-16T15:06:19.688Z",
"dateReserved": "2025-12-16T14:48:05.293Z",
"dateUpdated": "2025-12-16T15:06:19.688Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38236 (GCVE-0-2025-38236)
Vulnerability from cvelistv5
Published
2025-07-08 07:35
Modified
2025-11-03 17:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
af_unix: Don't leave consecutive consumed OOB skbs.
Jann Horn reported a use-after-free in unix_stream_read_generic().
The following sequences reproduce the issue:
$ python3
from socket import *
s1, s2 = socketpair(AF_UNIX, SOCK_STREAM)
s1.send(b'x', MSG_OOB)
s2.recv(1, MSG_OOB) # leave a consumed OOB skb
s1.send(b'y', MSG_OOB)
s2.recv(1, MSG_OOB) # leave a consumed OOB skb
s1.send(b'z', MSG_OOB)
s2.recv(1) # recv 'z' illegally
s2.recv(1, MSG_OOB) # access 'z' skb (use-after-free)
Even though a user reads OOB data, the skb holding the data stays on
the recv queue to mark the OOB boundary and break the next recv().
After the last send() in the scenario above, the sk2's recv queue has
2 leading consumed OOB skbs and 1 real OOB skb.
Then, the following happens during the next recv() without MSG_OOB
1. unix_stream_read_generic() peeks the first consumed OOB skb
2. manage_oob() returns the next consumed OOB skb
3. unix_stream_read_generic() fetches the next not-yet-consumed OOB skb
4. unix_stream_read_generic() reads and frees the OOB skb
, and the last recv(MSG_OOB) triggers KASAN splat.
The 3. above occurs because of the SO_PEEK_OFF code, which does not
expect unix_skb_len(skb) to be 0, but this is true for such consumed
OOB skbs.
while (skip >= unix_skb_len(skb)) {
skip -= unix_skb_len(skb);
skb = skb_peek_next(skb, &sk->sk_receive_queue);
...
}
In addition to this use-after-free, there is another issue that
ioctl(SIOCATMARK) does not function properly with consecutive consumed
OOB skbs.
So, nothing good comes out of such a situation.
Instead of complicating manage_oob(), ioctl() handling, and the next
ECONNRESET fix by introducing a loop for consecutive consumed OOB skbs,
let's not leave such consecutive OOB unnecessarily.
Now, while receiving an OOB skb in unix_stream_recv_urg(), if its
previous skb is a consumed OOB skb, it is freed.
[0]:
BUG: KASAN: slab-use-after-free in unix_stream_read_actor (net/unix/af_unix.c:3027)
Read of size 4 at addr ffff888106ef2904 by task python3/315
CPU: 2 UID: 0 PID: 315 Comm: python3 Not tainted 6.16.0-rc1-00407-gec315832f6f9 #8 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-4.fc42 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl (lib/dump_stack.c:122)
print_report (mm/kasan/report.c:409 mm/kasan/report.c:521)
kasan_report (mm/kasan/report.c:636)
unix_stream_read_actor (net/unix/af_unix.c:3027)
unix_stream_read_generic (net/unix/af_unix.c:2708 net/unix/af_unix.c:2847)
unix_stream_recvmsg (net/unix/af_unix.c:3048)
sock_recvmsg (net/socket.c:1063 (discriminator 20) net/socket.c:1085 (discriminator 20))
__sys_recvfrom (net/socket.c:2278)
__x64_sys_recvfrom (net/socket.c:2291 (discriminator 1) net/socket.c:2287 (discriminator 1) net/socket.c:2287 (discriminator 1))
do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
RIP: 0033:0x7f8911fcea06
Code: 5d e8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 75 19 83 e2 39 83 fa 08 75 11 e8 26 ff ff ff 66 0f 1f 44 00 00 48 8b 45 10 0f 05 <48> 8b 5d f8 c9 c3 0f 1f 40 00 f3 0f 1e fa 55 48 89 e5 48 83 ec 08
RSP: 002b:00007fffdb0dccb0 EFLAGS: 00000202 ORIG_RAX: 000000000000002d
RAX: ffffffffffffffda RBX: 00007fffdb0dcdc8 RCX: 00007f8911fcea06
RDX: 0000000000000001 RSI: 00007f8911a5e060 RDI: 0000000000000006
RBP: 00007fffdb0dccd0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000202 R12: 00007f89119a7d20
R13: ffffffffc4653600 R14: 0000000000000000 R15: 0000000000000000
</TASK>
Allocated by task 315:
kasan_save_stack (mm/kasan/common.c:48)
kasan_save_track (mm/kasan/common.c:60 (discriminator 1) mm/kasan/common.c:69 (discriminator 1))
__kasan_slab_alloc (mm/kasan/common.c:348)
kmem_cache_alloc_
---truncated---
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 314001f0bf927015e459c9d387d62a231fe93af3 Version: 314001f0bf927015e459c9d387d62a231fe93af3 Version: 314001f0bf927015e459c9d387d62a231fe93af3 Version: 314001f0bf927015e459c9d387d62a231fe93af3 Version: 314001f0bf927015e459c9d387d62a231fe93af3 Version: 314001f0bf927015e459c9d387d62a231fe93af3 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:35:51.449Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/unix/af_unix.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "523edfed4f68b7794d85b9ac828c5f8f4442e4c5",
"status": "affected",
"version": "314001f0bf927015e459c9d387d62a231fe93af3",
"versionType": "git"
},
{
"lessThan": "a12237865b48a73183df252029ff5065d73d305e",
"status": "affected",
"version": "314001f0bf927015e459c9d387d62a231fe93af3",
"versionType": "git"
},
{
"lessThan": "fad0a2c16062ac7c606b93166a7ce9d265bab976",
"status": "affected",
"version": "314001f0bf927015e459c9d387d62a231fe93af3",
"versionType": "git"
},
{
"lessThan": "61a9ad7b69ce688697e5f63332f03e17725353bc",
"status": "affected",
"version": "314001f0bf927015e459c9d387d62a231fe93af3",
"versionType": "git"
},
{
"lessThan": "8db4d2d026e6e3649832bfe23b96c4acff0756db",
"status": "affected",
"version": "314001f0bf927015e459c9d387d62a231fe93af3",
"versionType": "git"
},
{
"lessThan": "32ca245464e1479bfea8592b9db227fdc1641705",
"status": "affected",
"version": "314001f0bf927015e459c9d387d62a231fe93af3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/unix/af_unix.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.96",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.143",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.96",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.36",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.5",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Don\u0027t leave consecutive consumed OOB skbs.\n\nJann Horn reported a use-after-free in unix_stream_read_generic().\n\nThe following sequences reproduce the issue:\n\n $ python3\n from socket import *\n s1, s2 = socketpair(AF_UNIX, SOCK_STREAM)\n s1.send(b\u0027x\u0027, MSG_OOB)\n s2.recv(1, MSG_OOB) # leave a consumed OOB skb\n s1.send(b\u0027y\u0027, MSG_OOB)\n s2.recv(1, MSG_OOB) # leave a consumed OOB skb\n s1.send(b\u0027z\u0027, MSG_OOB)\n s2.recv(1) # recv \u0027z\u0027 illegally\n s2.recv(1, MSG_OOB) # access \u0027z\u0027 skb (use-after-free)\n\nEven though a user reads OOB data, the skb holding the data stays on\nthe recv queue to mark the OOB boundary and break the next recv().\n\nAfter the last send() in the scenario above, the sk2\u0027s recv queue has\n2 leading consumed OOB skbs and 1 real OOB skb.\n\nThen, the following happens during the next recv() without MSG_OOB\n\n 1. unix_stream_read_generic() peeks the first consumed OOB skb\n 2. manage_oob() returns the next consumed OOB skb\n 3. unix_stream_read_generic() fetches the next not-yet-consumed OOB skb\n 4. unix_stream_read_generic() reads and frees the OOB skb\n\n, and the last recv(MSG_OOB) triggers KASAN splat.\n\nThe 3. above occurs because of the SO_PEEK_OFF code, which does not\nexpect unix_skb_len(skb) to be 0, but this is true for such consumed\nOOB skbs.\n\n while (skip \u003e= unix_skb_len(skb)) {\n skip -= unix_skb_len(skb);\n skb = skb_peek_next(skb, \u0026sk-\u003esk_receive_queue);\n ...\n }\n\nIn addition to this use-after-free, there is another issue that\nioctl(SIOCATMARK) does not function properly with consecutive consumed\nOOB skbs.\n\nSo, nothing good comes out of such a situation.\n\nInstead of complicating manage_oob(), ioctl() handling, and the next\nECONNRESET fix by introducing a loop for consecutive consumed OOB skbs,\nlet\u0027s not leave such consecutive OOB unnecessarily.\n\nNow, while receiving an OOB skb in unix_stream_recv_urg(), if its\nprevious skb is a consumed OOB skb, it is freed.\n\n[0]:\nBUG: KASAN: slab-use-after-free in unix_stream_read_actor (net/unix/af_unix.c:3027)\nRead of size 4 at addr ffff888106ef2904 by task python3/315\n\nCPU: 2 UID: 0 PID: 315 Comm: python3 Not tainted 6.16.0-rc1-00407-gec315832f6f9 #8 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-4.fc42 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl (lib/dump_stack.c:122)\n print_report (mm/kasan/report.c:409 mm/kasan/report.c:521)\n kasan_report (mm/kasan/report.c:636)\n unix_stream_read_actor (net/unix/af_unix.c:3027)\n unix_stream_read_generic (net/unix/af_unix.c:2708 net/unix/af_unix.c:2847)\n unix_stream_recvmsg (net/unix/af_unix.c:3048)\n sock_recvmsg (net/socket.c:1063 (discriminator 20) net/socket.c:1085 (discriminator 20))\n __sys_recvfrom (net/socket.c:2278)\n __x64_sys_recvfrom (net/socket.c:2291 (discriminator 1) net/socket.c:2287 (discriminator 1) net/socket.c:2287 (discriminator 1))\n do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\nRIP: 0033:0x7f8911fcea06\nCode: 5d e8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 75 19 83 e2 39 83 fa 08 75 11 e8 26 ff ff ff 66 0f 1f 44 00 00 48 8b 45 10 0f 05 \u003c48\u003e 8b 5d f8 c9 c3 0f 1f 40 00 f3 0f 1e fa 55 48 89 e5 48 83 ec 08\nRSP: 002b:00007fffdb0dccb0 EFLAGS: 00000202 ORIG_RAX: 000000000000002d\nRAX: ffffffffffffffda RBX: 00007fffdb0dcdc8 RCX: 00007f8911fcea06\nRDX: 0000000000000001 RSI: 00007f8911a5e060 RDI: 0000000000000006\nRBP: 00007fffdb0dccd0 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000202 R12: 00007f89119a7d20\nR13: ffffffffc4653600 R14: 0000000000000000 R15: 0000000000000000\n \u003c/TASK\u003e\n\nAllocated by task 315:\n kasan_save_stack (mm/kasan/common.c:48)\n kasan_save_track (mm/kasan/common.c:60 (discriminator 1) mm/kasan/common.c:69 (discriminator 1))\n __kasan_slab_alloc (mm/kasan/common.c:348)\n kmem_cache_alloc_\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T13:25:52.909Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/523edfed4f68b7794d85b9ac828c5f8f4442e4c5"
},
{
"url": "https://git.kernel.org/stable/c/a12237865b48a73183df252029ff5065d73d305e"
},
{
"url": "https://git.kernel.org/stable/c/fad0a2c16062ac7c606b93166a7ce9d265bab976"
},
{
"url": "https://git.kernel.org/stable/c/61a9ad7b69ce688697e5f63332f03e17725353bc"
},
{
"url": "https://git.kernel.org/stable/c/8db4d2d026e6e3649832bfe23b96c4acff0756db"
},
{
"url": "https://git.kernel.org/stable/c/32ca245464e1479bfea8592b9db227fdc1641705"
},
{
"url": "https://project-zero.issues.chromium.org/issues/423023990"
}
],
"title": "af_unix: Don\u0027t leave consecutive consumed OOB skbs.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38236",
"datePublished": "2025-07-08T07:35:23.238Z",
"dateReserved": "2025-04-16T04:51:23.996Z",
"dateUpdated": "2025-11-03T17:35:51.449Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23033 (GCVE-0-2026-23033)
Vulnerability from cvelistv5
Published
2026-01-31 11:42
Modified
2026-02-09 08:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: omap-dma: fix dma_pool resource leak in error paths
The dma_pool created by dma_pool_create() is not destroyed when
dma_async_device_register() or of_dma_controller_register() fails,
causing a resource leak in the probe error paths.
Add dma_pool_destroy() in both error paths to properly release the
allocated dma_pool resource.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 7bedaa5537604f34d1d63c5ec7891e559d2a61ed Version: 7bedaa5537604f34d1d63c5ec7891e559d2a61ed Version: 7bedaa5537604f34d1d63c5ec7891e559d2a61ed Version: 7bedaa5537604f34d1d63c5ec7891e559d2a61ed Version: 7bedaa5537604f34d1d63c5ec7891e559d2a61ed Version: 7bedaa5537604f34d1d63c5ec7891e559d2a61ed Version: 7bedaa5537604f34d1d63c5ec7891e559d2a61ed |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/ti/omap-dma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8d66cb05b8b76396387a7b3a91f9284225c87f04",
"status": "affected",
"version": "7bedaa5537604f34d1d63c5ec7891e559d2a61ed",
"versionType": "git"
},
{
"lessThan": "2b29f38f4f9660595e8272b8e8b82ffcca7ce592",
"status": "affected",
"version": "7bedaa5537604f34d1d63c5ec7891e559d2a61ed",
"versionType": "git"
},
{
"lessThan": "6b867a98699657c2a698bbc9e60656349b39b905",
"status": "affected",
"version": "7bedaa5537604f34d1d63c5ec7891e559d2a61ed",
"versionType": "git"
},
{
"lessThan": "88a9483f093bbb9263dcf21bc7fdb5132e5de88d",
"status": "affected",
"version": "7bedaa5537604f34d1d63c5ec7891e559d2a61ed",
"versionType": "git"
},
{
"lessThan": "4b93712e96be17029bd22787f2e39feb0e73272c",
"status": "affected",
"version": "7bedaa5537604f34d1d63c5ec7891e559d2a61ed",
"versionType": "git"
},
{
"lessThan": "829b00481734dd54e72f755fd6584bce6fbffbb0",
"status": "affected",
"version": "7bedaa5537604f34d1d63c5ec7891e559d2a61ed",
"versionType": "git"
},
{
"lessThan": "2e1136acf8a8887c29f52e35a77b537309af321f",
"status": "affected",
"version": "7bedaa5537604f34d1d63c5ec7891e559d2a61ed",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/ti/omap-dma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.6"
},
{
"lessThan": "3.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: omap-dma: fix dma_pool resource leak in error paths\n\nThe dma_pool created by dma_pool_create() is not destroyed when\ndma_async_device_register() or of_dma_controller_register() fails,\ncausing a resource leak in the probe error paths.\n\nAdd dma_pool_destroy() in both error paths to properly release the\nallocated dma_pool resource."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:37:27.739Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8d66cb05b8b76396387a7b3a91f9284225c87f04"
},
{
"url": "https://git.kernel.org/stable/c/2b29f38f4f9660595e8272b8e8b82ffcca7ce592"
},
{
"url": "https://git.kernel.org/stable/c/6b867a98699657c2a698bbc9e60656349b39b905"
},
{
"url": "https://git.kernel.org/stable/c/88a9483f093bbb9263dcf21bc7fdb5132e5de88d"
},
{
"url": "https://git.kernel.org/stable/c/4b93712e96be17029bd22787f2e39feb0e73272c"
},
{
"url": "https://git.kernel.org/stable/c/829b00481734dd54e72f755fd6584bce6fbffbb0"
},
{
"url": "https://git.kernel.org/stable/c/2e1136acf8a8887c29f52e35a77b537309af321f"
}
],
"title": "dmaengine: omap-dma: fix dma_pool resource leak in error paths",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23033",
"datePublished": "2026-01-31T11:42:28.352Z",
"dateReserved": "2026-01-13T15:37:45.942Z",
"dateUpdated": "2026-02-09T08:37:27.739Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40342 (GCVE-0-2025-40342)
Vulnerability from cvelistv5
Published
2025-12-09 04:09
Modified
2025-12-20 08:52
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvme-fc: use lock accessing port_state and rport state
nvme_fc_unregister_remote removes the remote port on a lport object at
any point in time when there is no active association. This races with
with the reconnect logic, because nvme_fc_create_association is not
taking a lock to check the port_state and atomically increase the
active count on the rport.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: e399441de9115cd472b8ace6c517708273ca7997 Version: e399441de9115cd472b8ace6c517708273ca7997 Version: e399441de9115cd472b8ace6c517708273ca7997 Version: e399441de9115cd472b8ace6c517708273ca7997 Version: e399441de9115cd472b8ace6c517708273ca7997 Version: e399441de9115cd472b8ace6c517708273ca7997 Version: e399441de9115cd472b8ace6c517708273ca7997 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nvme/host/fc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "de3d91af47bc015031e7721b100a29989f6498a5",
"status": "affected",
"version": "e399441de9115cd472b8ace6c517708273ca7997",
"versionType": "git"
},
{
"lessThan": "e8cde03de8674b05f2c5e0870729049eba517800",
"status": "affected",
"version": "e399441de9115cd472b8ace6c517708273ca7997",
"versionType": "git"
},
{
"lessThan": "4253e0a4546138a2bf9cb6acf66b32fee677fc7c",
"status": "affected",
"version": "e399441de9115cd472b8ace6c517708273ca7997",
"versionType": "git"
},
{
"lessThan": "25f4bf1f7979a7871974fd36c79d69ff1cf4b446",
"status": "affected",
"version": "e399441de9115cd472b8ace6c517708273ca7997",
"versionType": "git"
},
{
"lessThan": "9950af4303942081dc8c7a5fdc3688c17c7eb6c0",
"status": "affected",
"version": "e399441de9115cd472b8ace6c517708273ca7997",
"versionType": "git"
},
{
"lessThan": "a2f7fa75c4a2a07328fa22ccbef461db76790b55",
"status": "affected",
"version": "e399441de9115cd472b8ace6c517708273ca7997",
"versionType": "git"
},
{
"lessThan": "891cdbb162ccdb079cd5228ae43bdeebce8597ad",
"status": "affected",
"version": "e399441de9115cd472b8ace6c517708273ca7997",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nvme/host/fc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.10"
},
{
"lessThan": "4.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-fc: use lock accessing port_state and rport state\n\nnvme_fc_unregister_remote removes the remote port on a lport object at\nany point in time when there is no active association. This races with\nwith the reconnect logic, because nvme_fc_create_association is not\ntaking a lock to check the port_state and atomically increase the\nactive count on the rport."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-20T08:52:12.515Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/de3d91af47bc015031e7721b100a29989f6498a5"
},
{
"url": "https://git.kernel.org/stable/c/e8cde03de8674b05f2c5e0870729049eba517800"
},
{
"url": "https://git.kernel.org/stable/c/4253e0a4546138a2bf9cb6acf66b32fee677fc7c"
},
{
"url": "https://git.kernel.org/stable/c/25f4bf1f7979a7871974fd36c79d69ff1cf4b446"
},
{
"url": "https://git.kernel.org/stable/c/9950af4303942081dc8c7a5fdc3688c17c7eb6c0"
},
{
"url": "https://git.kernel.org/stable/c/a2f7fa75c4a2a07328fa22ccbef461db76790b55"
},
{
"url": "https://git.kernel.org/stable/c/891cdbb162ccdb079cd5228ae43bdeebce8597ad"
}
],
"title": "nvme-fc: use lock accessing port_state and rport state",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40342",
"datePublished": "2025-12-09T04:09:59.673Z",
"dateReserved": "2025-04-16T07:20:57.187Z",
"dateUpdated": "2025-12-20T08:52:12.515Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68823 (GCVE-0-2025-68823)
Vulnerability from cvelistv5
Published
2026-01-13 15:29
Modified
2026-02-12 08:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ublk: fix deadlock when reading partition table
When one process(such as udev) opens ublk block device (e.g., to read
the partition table via bdev_open()), a deadlock[1] can occur:
1. bdev_open() grabs disk->open_mutex
2. The process issues read I/O to ublk backend to read partition table
3. In __ublk_complete_rq(), blk_update_request() or blk_mq_end_request()
runs bio->bi_end_io() callbacks
4. If this triggers fput() on file descriptor of ublk block device, the
work may be deferred to current task's task work (see fput() implementation)
5. This eventually calls blkdev_release() from the same context
6. blkdev_release() tries to grab disk->open_mutex again
7. Deadlock: same task waiting for a mutex it already holds
The fix is to run blk_update_request() and blk_mq_end_request() with bottom
halves disabled. This forces blkdev_release() to run in kernel work-queue
context instead of current task work context, and allows ublk server to make
forward progress, and avoids the deadlock.
[axboe: rewrite comment in ublk]
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/block/ublk_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "64c0b7e2293757e8320f13434cd809f1c9257a62",
"status": "affected",
"version": "71f28f3136aff5890cd56de78abc673f8393cad9",
"versionType": "git"
},
{
"lessThan": "9bcc47343ee0ef346aa7b2b460c8ff56bd882fe7",
"status": "affected",
"version": "71f28f3136aff5890cd56de78abc673f8393cad9",
"versionType": "git"
},
{
"lessThan": "0460e09a614291f06c008443f47393c37b7358e7",
"status": "affected",
"version": "71f28f3136aff5890cd56de78abc673f8393cad9",
"versionType": "git"
},
{
"lessThan": "c258f5c4502c9667bccf5d76fa731ab9c96687c1",
"status": "affected",
"version": "71f28f3136aff5890cd56de78abc673f8393cad9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/block/ublk_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nublk: fix deadlock when reading partition table\n\nWhen one process(such as udev) opens ublk block device (e.g., to read\nthe partition table via bdev_open()), a deadlock[1] can occur:\n\n1. bdev_open() grabs disk-\u003eopen_mutex\n2. The process issues read I/O to ublk backend to read partition table\n3. In __ublk_complete_rq(), blk_update_request() or blk_mq_end_request()\n runs bio-\u003ebi_end_io() callbacks\n4. If this triggers fput() on file descriptor of ublk block device, the\n work may be deferred to current task\u0027s task work (see fput() implementation)\n5. This eventually calls blkdev_release() from the same context\n6. blkdev_release() tries to grab disk-\u003eopen_mutex again\n7. Deadlock: same task waiting for a mutex it already holds\n\nThe fix is to run blk_update_request() and blk_mq_end_request() with bottom\nhalves disabled. This forces blkdev_release() to run in kernel work-queue\ncontext instead of current task work context, and allows ublk server to make\nforward progress, and avoids the deadlock.\n\n[axboe: rewrite comment in ublk]"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-12T08:19:29.311Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/64c0b7e2293757e8320f13434cd809f1c9257a62"
},
{
"url": "https://git.kernel.org/stable/c/9bcc47343ee0ef346aa7b2b460c8ff56bd882fe7"
},
{
"url": "https://git.kernel.org/stable/c/0460e09a614291f06c008443f47393c37b7358e7"
},
{
"url": "https://git.kernel.org/stable/c/c258f5c4502c9667bccf5d76fa731ab9c96687c1"
}
],
"title": "ublk: fix deadlock when reading partition table",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68823",
"datePublished": "2026-01-13T15:29:25.392Z",
"dateReserved": "2025-12-24T10:30:51.048Z",
"dateUpdated": "2026-02-12T08:19:29.311Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23075 (GCVE-0-2026-23075)
Vulnerability from cvelistv5
Published
2026-02-04 16:08
Modified
2026-02-09 08:38
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: esd_usb: esd_usb_read_bulk_callback(): fix URB memory leak
Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb:
gs_usb_receive_bulk_callback(): fix URB memory leak").
In esd_usb_open(), the URBs for USB-in transfers are allocated, added to
the dev->rx_submitted anchor and submitted. In the complete callback
esd_usb_read_bulk_callback(), the URBs are processed and resubmitted. In
esd_usb_close() the URBs are freed by calling
usb_kill_anchored_urbs(&dev->rx_submitted).
However, this does not take into account that the USB framework unanchors
the URB before the complete function is called. This means that once an
in-URB has been completed, it is no longer anchored and is ultimately not
released in esd_usb_close().
Fix the memory leak by anchoring the URB in the
esd_usb_read_bulk_callback() to the dev->rx_submitted anchor.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 96d8e90382dc336b5de401164597edfdc2e8d9f1 Version: 96d8e90382dc336b5de401164597edfdc2e8d9f1 Version: 96d8e90382dc336b5de401164597edfdc2e8d9f1 Version: 96d8e90382dc336b5de401164597edfdc2e8d9f1 Version: 96d8e90382dc336b5de401164597edfdc2e8d9f1 Version: 96d8e90382dc336b5de401164597edfdc2e8d9f1 Version: 96d8e90382dc336b5de401164597edfdc2e8d9f1 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/esd_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "93b34d4ba7266030801a509c088ac77c0d7a12e9",
"status": "affected",
"version": "96d8e90382dc336b5de401164597edfdc2e8d9f1",
"versionType": "git"
},
{
"lessThan": "dc934d96673992af8568664c1b58e13eb164010d",
"status": "affected",
"version": "96d8e90382dc336b5de401164597edfdc2e8d9f1",
"versionType": "git"
},
{
"lessThan": "92d26ce07ac3b7a850dc68c8d73d487b39c39b33",
"status": "affected",
"version": "96d8e90382dc336b5de401164597edfdc2e8d9f1",
"versionType": "git"
},
{
"lessThan": "adec5e1f9c99fe079ec4c92cca3f1109a3e257c3",
"status": "affected",
"version": "96d8e90382dc336b5de401164597edfdc2e8d9f1",
"versionType": "git"
},
{
"lessThan": "9d1807b442fc3286b204f8e59981b10e743533ce",
"status": "affected",
"version": "96d8e90382dc336b5de401164597edfdc2e8d9f1",
"versionType": "git"
},
{
"lessThan": "a9503ae43256e80db5cba9d449b238607164c51d",
"status": "affected",
"version": "96d8e90382dc336b5de401164597edfdc2e8d9f1",
"versionType": "git"
},
{
"lessThan": "5a4391bdc6c8357242f62f22069c865b792406b3",
"status": "affected",
"version": "96d8e90382dc336b5de401164597edfdc2e8d9f1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/esd_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.36"
},
{
"lessThan": "2.6.36",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.36",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: esd_usb: esd_usb_read_bulk_callback(): fix URB memory leak\n\nFix similar memory leak as in commit 7352e1d5932a (\"can: gs_usb:\ngs_usb_receive_bulk_callback(): fix URB memory leak\").\n\nIn esd_usb_open(), the URBs for USB-in transfers are allocated, added to\nthe dev-\u003erx_submitted anchor and submitted. In the complete callback\nesd_usb_read_bulk_callback(), the URBs are processed and resubmitted. In\nesd_usb_close() the URBs are freed by calling\nusb_kill_anchored_urbs(\u0026dev-\u003erx_submitted).\n\nHowever, this does not take into account that the USB framework unanchors\nthe URB before the complete function is called. This means that once an\nin-URB has been completed, it is no longer anchored and is ultimately not\nreleased in esd_usb_close().\n\nFix the memory leak by anchoring the URB in the\nesd_usb_read_bulk_callback() to the dev-\u003erx_submitted anchor."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:38:14.812Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/93b34d4ba7266030801a509c088ac77c0d7a12e9"
},
{
"url": "https://git.kernel.org/stable/c/dc934d96673992af8568664c1b58e13eb164010d"
},
{
"url": "https://git.kernel.org/stable/c/92d26ce07ac3b7a850dc68c8d73d487b39c39b33"
},
{
"url": "https://git.kernel.org/stable/c/adec5e1f9c99fe079ec4c92cca3f1109a3e257c3"
},
{
"url": "https://git.kernel.org/stable/c/9d1807b442fc3286b204f8e59981b10e743533ce"
},
{
"url": "https://git.kernel.org/stable/c/a9503ae43256e80db5cba9d449b238607164c51d"
},
{
"url": "https://git.kernel.org/stable/c/5a4391bdc6c8357242f62f22069c865b792406b3"
}
],
"title": "can: esd_usb: esd_usb_read_bulk_callback(): fix URB memory leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23075",
"datePublished": "2026-02-04T16:08:00.169Z",
"dateReserved": "2026-01-13T15:37:45.958Z",
"dateUpdated": "2026-02-09T08:38:14.812Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40343 (GCVE-0-2025-40343)
Vulnerability from cvelistv5
Published
2025-12-09 04:10
Modified
2025-12-20 08:52
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvmet-fc: avoid scheduling association deletion twice
When forcefully shutting down a port via the configfs interface,
nvmet_port_subsys_drop_link() first calls nvmet_port_del_ctrls() and
then nvmet_disable_port(). Both functions will eventually schedule all
remaining associations for deletion.
The current implementation checks whether an association is about to be
removed, but only after the work item has already been scheduled. As a
result, it is possible for the first scheduled work item to free all
resources, and then for the same work item to be scheduled again for
deletion.
Because the association list is an RCU list, it is not possible to take
a lock and remove the list entry directly, so it cannot be looked up
again. Instead, a flag (terminating) must be used to determine whether
the association is already in the process of being deleted.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: a07b4970f464f13640e28e16dad6cfa33647cc99 Version: a07b4970f464f13640e28e16dad6cfa33647cc99 Version: a07b4970f464f13640e28e16dad6cfa33647cc99 Version: a07b4970f464f13640e28e16dad6cfa33647cc99 Version: a07b4970f464f13640e28e16dad6cfa33647cc99 Version: a07b4970f464f13640e28e16dad6cfa33647cc99 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nvme/target/fc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2f4852db87e25d4e226b25cb6f652fef9504360e",
"status": "affected",
"version": "a07b4970f464f13640e28e16dad6cfa33647cc99",
"versionType": "git"
},
{
"lessThan": "85e2ce1920cb511d57aae59f0df6ff85b28bf04d",
"status": "affected",
"version": "a07b4970f464f13640e28e16dad6cfa33647cc99",
"versionType": "git"
},
{
"lessThan": "601ed47b2363c24d948d7bac0c23abc8bd459570",
"status": "affected",
"version": "a07b4970f464f13640e28e16dad6cfa33647cc99",
"versionType": "git"
},
{
"lessThan": "04d17540ef51e2c291eb863ca87fd332259b2d40",
"status": "affected",
"version": "a07b4970f464f13640e28e16dad6cfa33647cc99",
"versionType": "git"
},
{
"lessThan": "c09ac9a63fc3aaf4670ad7b5e4f5afd764424154",
"status": "affected",
"version": "a07b4970f464f13640e28e16dad6cfa33647cc99",
"versionType": "git"
},
{
"lessThan": "f2537be4f8421f6495edfa0bc284d722f253841d",
"status": "affected",
"version": "a07b4970f464f13640e28e16dad6cfa33647cc99",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nvme/target/fc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet-fc: avoid scheduling association deletion twice\n\nWhen forcefully shutting down a port via the configfs interface,\nnvmet_port_subsys_drop_link() first calls nvmet_port_del_ctrls() and\nthen nvmet_disable_port(). Both functions will eventually schedule all\nremaining associations for deletion.\n\nThe current implementation checks whether an association is about to be\nremoved, but only after the work item has already been scheduled. As a\nresult, it is possible for the first scheduled work item to free all\nresources, and then for the same work item to be scheduled again for\ndeletion.\n\nBecause the association list is an RCU list, it is not possible to take\na lock and remove the list entry directly, so it cannot be looked up\nagain. Instead, a flag (terminating) must be used to determine whether\nthe association is already in the process of being deleted."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-20T08:52:13.716Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2f4852db87e25d4e226b25cb6f652fef9504360e"
},
{
"url": "https://git.kernel.org/stable/c/85e2ce1920cb511d57aae59f0df6ff85b28bf04d"
},
{
"url": "https://git.kernel.org/stable/c/601ed47b2363c24d948d7bac0c23abc8bd459570"
},
{
"url": "https://git.kernel.org/stable/c/04d17540ef51e2c291eb863ca87fd332259b2d40"
},
{
"url": "https://git.kernel.org/stable/c/c09ac9a63fc3aaf4670ad7b5e4f5afd764424154"
},
{
"url": "https://git.kernel.org/stable/c/f2537be4f8421f6495edfa0bc284d722f253841d"
}
],
"title": "nvmet-fc: avoid scheduling association deletion twice",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40343",
"datePublished": "2025-12-09T04:10:00.973Z",
"dateReserved": "2025-04-16T07:20:57.187Z",
"dateUpdated": "2025-12-20T08:52:13.716Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68325 (GCVE-0-2025-68325)
Vulnerability from cvelistv5
Published
2025-12-18 15:02
Modified
2026-02-09 08:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: sch_cake: Fix incorrect qlen reduction in cake_drop
In cake_drop(), qdisc_tree_reduce_backlog() is used to update the qlen
and backlog of the qdisc hierarchy. Its caller, cake_enqueue(), assumes
that the parent qdisc will enqueue the current packet. However, this
assumption breaks when cake_enqueue() returns NET_XMIT_CN: the parent
qdisc stops enqueuing current packet, leaving the tree qlen/backlog
accounting inconsistent. This mismatch can lead to a NULL dereference
(e.g., when the parent Qdisc is qfq_qdisc).
This patch computes the qlen/backlog delta in a more robust way by
observing the difference before and after the series of cake_drop()
calls, and then compensates the qdisc tree accounting if cake_enqueue()
returns NET_XMIT_CN.
To ensure correct compensation when ACK thinning is enabled, a new
variable is introduced to keep qlen unchanged.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: de04ddd2980b48caa8d7e24a7db2742917a8b280 Version: 0dacfc5372e314d1219f03e64dde3ab495a5a25e Version: 710866fc0a64eafcb8bacd91bcb1329eb7e5035f Version: aa12ee1c1bd260943fd6ab556d8635811c332eeb Version: ff57186b2cc39766672c4c0332323933e5faaa88 Version: 15de71d06a400f7fdc15bf377a2552b0ec437cf5 Version: 15de71d06a400f7fdc15bf377a2552b0ec437cf5 Version: 15de71d06a400f7fdc15bf377a2552b0ec437cf5 Version: 7689ab22de36f8db19095f6bdf11f28cfde92f5c Version: 62d591dde4defb1333d202410609c4ddeae060b3 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_cake.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a3f4e3de41a3f115db35276c6b186ccbc913934a",
"status": "affected",
"version": "de04ddd2980b48caa8d7e24a7db2742917a8b280",
"versionType": "git"
},
{
"lessThan": "38abf6e931b169ea88d7529b49096f53a5dcf8fe",
"status": "affected",
"version": "0dacfc5372e314d1219f03e64dde3ab495a5a25e",
"versionType": "git"
},
{
"lessThan": "fcb91be52eb6e92e00b533ebd7c77fecada537e1",
"status": "affected",
"version": "710866fc0a64eafcb8bacd91bcb1329eb7e5035f",
"versionType": "git"
},
{
"lessThan": "d01f0e072dadb02fe10f436b940dd957aff0d7d4",
"status": "affected",
"version": "aa12ee1c1bd260943fd6ab556d8635811c332eeb",
"versionType": "git"
},
{
"lessThan": "0b6216f9b3d1c33c76f74511026e5de5385ee520",
"status": "affected",
"version": "ff57186b2cc39766672c4c0332323933e5faaa88",
"versionType": "git"
},
{
"lessThan": "529c284cc2815c8350860e9a31722050fe7117cb",
"status": "affected",
"version": "15de71d06a400f7fdc15bf377a2552b0ec437cf5",
"versionType": "git"
},
{
"lessThan": "3ed6c458530a547ed0c9ea0b02b19bab620be88b",
"status": "affected",
"version": "15de71d06a400f7fdc15bf377a2552b0ec437cf5",
"versionType": "git"
},
{
"lessThan": "9fefc78f7f02d71810776fdeb119a05a946a27cc",
"status": "affected",
"version": "15de71d06a400f7fdc15bf377a2552b0ec437cf5",
"versionType": "git"
},
{
"status": "affected",
"version": "7689ab22de36f8db19095f6bdf11f28cfde92f5c",
"versionType": "git"
},
{
"status": "affected",
"version": "62d591dde4defb1333d202410609c4ddeae060b3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_cake.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.17"
},
{
"lessThan": "6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.10.241",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.15.190",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "6.1.149",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.6.103",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "6.12.44",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.297",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.16.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_cake: Fix incorrect qlen reduction in cake_drop\n\nIn cake_drop(), qdisc_tree_reduce_backlog() is used to update the qlen\nand backlog of the qdisc hierarchy. Its caller, cake_enqueue(), assumes\nthat the parent qdisc will enqueue the current packet. However, this\nassumption breaks when cake_enqueue() returns NET_XMIT_CN: the parent\nqdisc stops enqueuing current packet, leaving the tree qlen/backlog\naccounting inconsistent. This mismatch can lead to a NULL dereference\n(e.g., when the parent Qdisc is qfq_qdisc).\n\nThis patch computes the qlen/backlog delta in a more robust way by\nobserving the difference before and after the series of cake_drop()\ncalls, and then compensates the qdisc tree accounting if cake_enqueue()\nreturns NET_XMIT_CN.\n\nTo ensure correct compensation when ACK thinning is enabled, a new\nvariable is introduced to keep qlen unchanged."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:31:26.912Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a3f4e3de41a3f115db35276c6b186ccbc913934a"
},
{
"url": "https://git.kernel.org/stable/c/38abf6e931b169ea88d7529b49096f53a5dcf8fe"
},
{
"url": "https://git.kernel.org/stable/c/fcb91be52eb6e92e00b533ebd7c77fecada537e1"
},
{
"url": "https://git.kernel.org/stable/c/d01f0e072dadb02fe10f436b940dd957aff0d7d4"
},
{
"url": "https://git.kernel.org/stable/c/0b6216f9b3d1c33c76f74511026e5de5385ee520"
},
{
"url": "https://git.kernel.org/stable/c/529c284cc2815c8350860e9a31722050fe7117cb"
},
{
"url": "https://git.kernel.org/stable/c/3ed6c458530a547ed0c9ea0b02b19bab620be88b"
},
{
"url": "https://git.kernel.org/stable/c/9fefc78f7f02d71810776fdeb119a05a946a27cc"
}
],
"title": "net/sched: sch_cake: Fix incorrect qlen reduction in cake_drop",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68325",
"datePublished": "2025-12-18T15:02:50.214Z",
"dateReserved": "2025-12-16T14:48:05.296Z",
"dateUpdated": "2026-02-09T08:31:26.912Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71118 (GCVE-0-2025-71118)
Vulnerability from cvelistv5
Published
2026-01-14 15:06
Modified
2026-02-09 08:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ACPICA: Avoid walking the Namespace if start_node is NULL
Although commit 0c9992315e73 ("ACPICA: Avoid walking the ACPI Namespace
if it is not there") fixed the situation when both start_node and
acpi_gbl_root_node are NULL, the Linux kernel mainline now still crashed
on Honor Magicbook 14 Pro [1].
That happens due to the access to the member of parent_node in
acpi_ns_get_next_node(). The NULL pointer dereference will always
happen, no matter whether or not the start_node is equal to
ACPI_ROOT_OBJECT, so move the check of start_node being NULL
out of the if block.
Unfortunately, all the attempts to contact Honor have failed, they
refused to provide any technical support for Linux.
The bad DSDT table's dump could be found on GitHub [2].
DMI: HONOR FMB-P/FMB-P-PCB, BIOS 1.13 05/08/2025
[ rjw: Subject adjustment, changelog edits ]
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/acpi/acpica/nswalk.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b84edef48cc8afb41150949a87dcfa81bc95b53e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ecb296286c8787895625bd4c53e9478db4ae139c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7f9b951ed11842373851dd3c91860778356d62d3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1bc34293dfbd266c29875206849b4f8e8177e6df",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0d8bb08126920fd4b12dbf32d9250757c9064b36",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f91dad0a3b381244183ffbea4cec5a7a69d6f41e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9d6c58dae8f6590c746ac5d0012ffe14a77539f0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/acpi/acpica/nswalk.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPICA: Avoid walking the Namespace if start_node is NULL\n\nAlthough commit 0c9992315e73 (\"ACPICA: Avoid walking the ACPI Namespace\nif it is not there\") fixed the situation when both start_node and\nacpi_gbl_root_node are NULL, the Linux kernel mainline now still crashed\non Honor Magicbook 14 Pro [1].\n\nThat happens due to the access to the member of parent_node in\nacpi_ns_get_next_node(). The NULL pointer dereference will always\nhappen, no matter whether or not the start_node is equal to\nACPI_ROOT_OBJECT, so move the check of start_node being NULL\nout of the if block.\n\nUnfortunately, all the attempts to contact Honor have failed, they\nrefused to provide any technical support for Linux.\n\nThe bad DSDT table\u0027s dump could be found on GitHub [2].\n\nDMI: HONOR FMB-P/FMB-P-PCB, BIOS 1.13 05/08/2025\n\n[ rjw: Subject adjustment, changelog edits ]"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:13.020Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b84edef48cc8afb41150949a87dcfa81bc95b53e"
},
{
"url": "https://git.kernel.org/stable/c/ecb296286c8787895625bd4c53e9478db4ae139c"
},
{
"url": "https://git.kernel.org/stable/c/7f9b951ed11842373851dd3c91860778356d62d3"
},
{
"url": "https://git.kernel.org/stable/c/1bc34293dfbd266c29875206849b4f8e8177e6df"
},
{
"url": "https://git.kernel.org/stable/c/0d8bb08126920fd4b12dbf32d9250757c9064b36"
},
{
"url": "https://git.kernel.org/stable/c/f91dad0a3b381244183ffbea4cec5a7a69d6f41e"
},
{
"url": "https://git.kernel.org/stable/c/9d6c58dae8f6590c746ac5d0012ffe14a77539f0"
}
],
"title": "ACPICA: Avoid walking the Namespace if start_node is NULL",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71118",
"datePublished": "2026-01-14T15:06:05.861Z",
"dateReserved": "2026-01-13T15:30:19.654Z",
"dateUpdated": "2026-02-09T08:35:13.020Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71163 (GCVE-0-2025-71163)
Vulnerability from cvelistv5
Published
2026-01-25 14:36
Modified
2026-02-09 08:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: idxd: fix device leaks on compat bind and unbind
Make sure to drop the reference taken when looking up the idxd device as
part of the compat bind and unbind sysfs interface.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 6e7f3ee97bbe2c7d7a53b7dbd7a08a579e03c8c9 Version: 6e7f3ee97bbe2c7d7a53b7dbd7a08a579e03c8c9 Version: 6e7f3ee97bbe2c7d7a53b7dbd7a08a579e03c8c9 Version: 6e7f3ee97bbe2c7d7a53b7dbd7a08a579e03c8c9 Version: 6e7f3ee97bbe2c7d7a53b7dbd7a08a579e03c8c9 Version: 6e7f3ee97bbe2c7d7a53b7dbd7a08a579e03c8c9 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/idxd/compat.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b7bd948f89271c92d9ca9b2b682bfba56896e959",
"status": "affected",
"version": "6e7f3ee97bbe2c7d7a53b7dbd7a08a579e03c8c9",
"versionType": "git"
},
{
"lessThan": "b2d077180a56e3b7c97b7517d0465b584adc693b",
"status": "affected",
"version": "6e7f3ee97bbe2c7d7a53b7dbd7a08a579e03c8c9",
"versionType": "git"
},
{
"lessThan": "c81ea0222eaaafdd77348e27d1e84a1b8cfc0c99",
"status": "affected",
"version": "6e7f3ee97bbe2c7d7a53b7dbd7a08a579e03c8c9",
"versionType": "git"
},
{
"lessThan": "0c97ff108f825a70c3bb29d65ddf0a013d231bb9",
"status": "affected",
"version": "6e7f3ee97bbe2c7d7a53b7dbd7a08a579e03c8c9",
"versionType": "git"
},
{
"lessThan": "a7226fd61def74b60dd8e47ec84cabafc39d575b",
"status": "affected",
"version": "6e7f3ee97bbe2c7d7a53b7dbd7a08a579e03c8c9",
"versionType": "git"
},
{
"lessThan": "799900f01792cf8b525a44764f065f83fcafd468",
"status": "affected",
"version": "6e7f3ee97bbe2c7d7a53b7dbd7a08a579e03c8c9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/idxd/compat.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: fix device leaks on compat bind and unbind\n\nMake sure to drop the reference taken when looking up the idxd device as\npart of the compat bind and unbind sysfs interface."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:02.950Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b7bd948f89271c92d9ca9b2b682bfba56896e959"
},
{
"url": "https://git.kernel.org/stable/c/b2d077180a56e3b7c97b7517d0465b584adc693b"
},
{
"url": "https://git.kernel.org/stable/c/c81ea0222eaaafdd77348e27d1e84a1b8cfc0c99"
},
{
"url": "https://git.kernel.org/stable/c/0c97ff108f825a70c3bb29d65ddf0a013d231bb9"
},
{
"url": "https://git.kernel.org/stable/c/a7226fd61def74b60dd8e47ec84cabafc39d575b"
},
{
"url": "https://git.kernel.org/stable/c/799900f01792cf8b525a44764f065f83fcafd468"
}
],
"title": "dmaengine: idxd: fix device leaks on compat bind and unbind",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71163",
"datePublished": "2026-01-25T14:36:10.142Z",
"dateReserved": "2026-01-13T15:30:19.666Z",
"dateUpdated": "2026-02-09T08:36:02.950Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40253 (GCVE-0-2025-40253)
Vulnerability from cvelistv5
Published
2025-12-04 16:08
Modified
2025-12-06 21:38
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
s390/ctcm: Fix double-kfree
The function 'mpc_rcvd_sweep_req(mpcginfo)' is called conditionally
from function 'ctcmpc_unpack_skb'. It frees passed mpcginfo.
After that a call to function 'kfree' in function 'ctcmpc_unpack_skb'
frees it again.
Remove 'kfree' call in function 'mpc_rcvd_sweep_req(mpcginfo)'.
Bug detected by the clang static analyzer.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 467ddbbe7e749d558f13e640f50f546149c930b3 Version: 4d3c6d741816539b57fa1110c3f765a8c176d7b4 Version: 2bd57101c3ecf3f8c0da1d26c2b6ad511adc6d50 Version: 0c0b20587b9f25a2ad14db7f80ebe49bdf29920a Version: 0c0b20587b9f25a2ad14db7f80ebe49bdf29920a Version: 0c0b20587b9f25a2ad14db7f80ebe49bdf29920a Version: 0c0b20587b9f25a2ad14db7f80ebe49bdf29920a Version: 0c0b20587b9f25a2ad14db7f80ebe49bdf29920a Version: 36933de59f67029e5739a98393891f9b94f27e0f Version: d886b4292a1c5b4facdb2dfdc31f0fecc71df898 Version: 4c9ba0fed125deba8416b995b0c274b0804c0c24 Version: ea0053af5dab4d63a9c44563973fb2f3bfd9eb2b |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/s390/net/ctcm_mpc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "06f1dd1de0d33dbfbd2e1fc9fc57d8895f730de2",
"status": "affected",
"version": "467ddbbe7e749d558f13e640f50f546149c930b3",
"versionType": "git"
},
{
"lessThan": "6bf8ccaabce8cebb6cb1f255c93d0acdfe95c17a",
"status": "affected",
"version": "4d3c6d741816539b57fa1110c3f765a8c176d7b4",
"versionType": "git"
},
{
"lessThan": "7616e2eee679746d526c7f5befd4eedb995935b5",
"status": "affected",
"version": "2bd57101c3ecf3f8c0da1d26c2b6ad511adc6d50",
"versionType": "git"
},
{
"lessThan": "43096dab8cc60fc39133205fd149a54d3acebea8",
"status": "affected",
"version": "0c0b20587b9f25a2ad14db7f80ebe49bdf29920a",
"versionType": "git"
},
{
"lessThan": "3b177b2ded563df16f6d5920671ffcfe5915d472",
"status": "affected",
"version": "0c0b20587b9f25a2ad14db7f80ebe49bdf29920a",
"versionType": "git"
},
{
"lessThan": "b9dbfb1b5699f9f1e4991f96741bdf9047147589",
"status": "affected",
"version": "0c0b20587b9f25a2ad14db7f80ebe49bdf29920a",
"versionType": "git"
},
{
"lessThan": "7ff76f8dc6b550f8d16487bf3cebc278be720b5c",
"status": "affected",
"version": "0c0b20587b9f25a2ad14db7f80ebe49bdf29920a",
"versionType": "git"
},
{
"lessThan": "da02a1824884d6c84c5e5b5ac373b0c9e3288ec2",
"status": "affected",
"version": "0c0b20587b9f25a2ad14db7f80ebe49bdf29920a",
"versionType": "git"
},
{
"status": "affected",
"version": "36933de59f67029e5739a98393891f9b94f27e0f",
"versionType": "git"
},
{
"status": "affected",
"version": "d886b4292a1c5b4facdb2dfdc31f0fecc71df898",
"versionType": "git"
},
{
"status": "affected",
"version": "4c9ba0fed125deba8416b995b0c274b0804c0c24",
"versionType": "git"
},
{
"status": "affected",
"version": "ea0053af5dab4d63a9c44563973fb2f3bfd9eb2b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/s390/net/ctcm_mpc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "5.4.195",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.10.117",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.15.41",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.315",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.280",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.244",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.17.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/ctcm: Fix double-kfree\n\nThe function \u0027mpc_rcvd_sweep_req(mpcginfo)\u0027 is called conditionally\nfrom function \u0027ctcmpc_unpack_skb\u0027. It frees passed mpcginfo.\nAfter that a call to function \u0027kfree\u0027 in function \u0027ctcmpc_unpack_skb\u0027\nfrees it again.\n\nRemove \u0027kfree\u0027 call in function \u0027mpc_rcvd_sweep_req(mpcginfo)\u0027.\n\nBug detected by the clang static analyzer."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T21:38:50.378Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/06f1dd1de0d33dbfbd2e1fc9fc57d8895f730de2"
},
{
"url": "https://git.kernel.org/stable/c/6bf8ccaabce8cebb6cb1f255c93d0acdfe95c17a"
},
{
"url": "https://git.kernel.org/stable/c/7616e2eee679746d526c7f5befd4eedb995935b5"
},
{
"url": "https://git.kernel.org/stable/c/43096dab8cc60fc39133205fd149a54d3acebea8"
},
{
"url": "https://git.kernel.org/stable/c/3b177b2ded563df16f6d5920671ffcfe5915d472"
},
{
"url": "https://git.kernel.org/stable/c/b9dbfb1b5699f9f1e4991f96741bdf9047147589"
},
{
"url": "https://git.kernel.org/stable/c/7ff76f8dc6b550f8d16487bf3cebc278be720b5c"
},
{
"url": "https://git.kernel.org/stable/c/da02a1824884d6c84c5e5b5ac373b0c9e3288ec2"
}
],
"title": "s390/ctcm: Fix double-kfree",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40253",
"datePublished": "2025-12-04T16:08:15.340Z",
"dateReserved": "2025-04-16T07:20:57.181Z",
"dateUpdated": "2025-12-06T21:38:50.378Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68177 (GCVE-0-2025-68177)
Vulnerability from cvelistv5
Published
2025-12-16 13:42
Modified
2026-01-02 15:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
cpufreq/longhaul: handle NULL policy in longhaul_exit
longhaul_exit() was calling cpufreq_cpu_get(0) without checking
for a NULL policy pointer. On some systems, this could lead to a
NULL dereference and a kernel warning or panic.
This patch adds a check using unlikely() and returns early if the
policy is NULL.
Bugzilla: #219962
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: b43a7ffbf33be7e4d3b10b7714ee663ea2c52fe2 Version: b43a7ffbf33be7e4d3b10b7714ee663ea2c52fe2 Version: b43a7ffbf33be7e4d3b10b7714ee663ea2c52fe2 Version: b43a7ffbf33be7e4d3b10b7714ee663ea2c52fe2 Version: b43a7ffbf33be7e4d3b10b7714ee663ea2c52fe2 Version: b43a7ffbf33be7e4d3b10b7714ee663ea2c52fe2 Version: b43a7ffbf33be7e4d3b10b7714ee663ea2c52fe2 Version: b43a7ffbf33be7e4d3b10b7714ee663ea2c52fe2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/cpufreq/longhaul.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b02352dd2e6cca98777714cc2a27553191df70db",
"status": "affected",
"version": "b43a7ffbf33be7e4d3b10b7714ee663ea2c52fe2",
"versionType": "git"
},
{
"lessThan": "956b56d17a89775e4957bbddefa45cd3c6c71000",
"status": "affected",
"version": "b43a7ffbf33be7e4d3b10b7714ee663ea2c52fe2",
"versionType": "git"
},
{
"lessThan": "55cf586b9556863e3c2a45460aba71bcb2be5bcd",
"status": "affected",
"version": "b43a7ffbf33be7e4d3b10b7714ee663ea2c52fe2",
"versionType": "git"
},
{
"lessThan": "fd93e1d71b3b14443092919be12b1abf08de35eb",
"status": "affected",
"version": "b43a7ffbf33be7e4d3b10b7714ee663ea2c52fe2",
"versionType": "git"
},
{
"lessThan": "8d6791c480f22d6e9a566eaa77336d3d37c5c591",
"status": "affected",
"version": "b43a7ffbf33be7e4d3b10b7714ee663ea2c52fe2",
"versionType": "git"
},
{
"lessThan": "64adabb6d9d51b7e7c02fe733346a2c4dd738488",
"status": "affected",
"version": "b43a7ffbf33be7e4d3b10b7714ee663ea2c52fe2",
"versionType": "git"
},
{
"lessThan": "809cf2a7794ca4c14c304b349f4c3ae220701ce4",
"status": "affected",
"version": "b43a7ffbf33be7e4d3b10b7714ee663ea2c52fe2",
"versionType": "git"
},
{
"lessThan": "592532a77b736b5153e0c2e4c74aa50af0a352ab",
"status": "affected",
"version": "b43a7ffbf33be7e4d3b10b7714ee663ea2c52fe2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/cpufreq/longhaul.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.10"
},
{
"lessThan": "3.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq/longhaul: handle NULL policy in longhaul_exit\n\nlonghaul_exit() was calling cpufreq_cpu_get(0) without checking\nfor a NULL policy pointer. On some systems, this could lead to a\nNULL dereference and a kernel warning or panic.\n\nThis patch adds a check using unlikely() and returns early if the\npolicy is NULL.\n\nBugzilla: #219962"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:34:11.186Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b02352dd2e6cca98777714cc2a27553191df70db"
},
{
"url": "https://git.kernel.org/stable/c/956b56d17a89775e4957bbddefa45cd3c6c71000"
},
{
"url": "https://git.kernel.org/stable/c/55cf586b9556863e3c2a45460aba71bcb2be5bcd"
},
{
"url": "https://git.kernel.org/stable/c/fd93e1d71b3b14443092919be12b1abf08de35eb"
},
{
"url": "https://git.kernel.org/stable/c/8d6791c480f22d6e9a566eaa77336d3d37c5c591"
},
{
"url": "https://git.kernel.org/stable/c/64adabb6d9d51b7e7c02fe733346a2c4dd738488"
},
{
"url": "https://git.kernel.org/stable/c/809cf2a7794ca4c14c304b349f4c3ae220701ce4"
},
{
"url": "https://git.kernel.org/stable/c/592532a77b736b5153e0c2e4c74aa50af0a352ab"
}
],
"title": "cpufreq/longhaul: handle NULL policy in longhaul_exit",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68177",
"datePublished": "2025-12-16T13:42:56.336Z",
"dateReserved": "2025-12-16T13:41:40.251Z",
"dateUpdated": "2026-01-02T15:34:11.186Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71068 (GCVE-0-2025-71068)
Vulnerability from cvelistv5
Published
2026-01-13 15:31
Modified
2026-02-09 08:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
svcrdma: bound check rq_pages index in inline path
svc_rdma_copy_inline_range indexed rqstp->rq_pages[rc_curpage] without
verifying rc_curpage stays within the allocated page array. Add guards
before the first use and after advancing to a new page.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sunrpc/xprtrdma/svc_rdma_rw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a22316f5e9a29e4b92030bd8fb9435fe0eb1d5c9",
"status": "affected",
"version": "d7cc73972661be4a02a1b09f1d9b3283c6c05154",
"versionType": "git"
},
{
"lessThan": "7ba826aae1d43212f3baa53a2175ad949e21926e",
"status": "affected",
"version": "d7cc73972661be4a02a1b09f1d9b3283c6c05154",
"versionType": "git"
},
{
"lessThan": "5f140b525180c628db8fa6c897f138194a2de417",
"status": "affected",
"version": "d7cc73972661be4a02a1b09f1d9b3283c6c05154",
"versionType": "git"
},
{
"lessThan": "da1ccfc4c452541584a4eae89e337cfa21be6d5a",
"status": "affected",
"version": "d7cc73972661be4a02a1b09f1d9b3283c6c05154",
"versionType": "git"
},
{
"lessThan": "d1bea0ce35b6095544ee82bb54156fc62c067e58",
"status": "affected",
"version": "d7cc73972661be4a02a1b09f1d9b3283c6c05154",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sunrpc/xprtrdma/svc_rdma_rw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsvcrdma: bound check rq_pages index in inline path\n\nsvc_rdma_copy_inline_range indexed rqstp-\u003erq_pages[rc_curpage] without\nverifying rc_curpage stays within the allocated page array. Add guards\nbefore the first use and after advancing to a new page."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:18.772Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a22316f5e9a29e4b92030bd8fb9435fe0eb1d5c9"
},
{
"url": "https://git.kernel.org/stable/c/7ba826aae1d43212f3baa53a2175ad949e21926e"
},
{
"url": "https://git.kernel.org/stable/c/5f140b525180c628db8fa6c897f138194a2de417"
},
{
"url": "https://git.kernel.org/stable/c/da1ccfc4c452541584a4eae89e337cfa21be6d5a"
},
{
"url": "https://git.kernel.org/stable/c/d1bea0ce35b6095544ee82bb54156fc62c067e58"
}
],
"title": "svcrdma: bound check rq_pages index in inline path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71068",
"datePublished": "2026-01-13T15:31:23.283Z",
"dateReserved": "2026-01-13T15:30:19.647Z",
"dateUpdated": "2026-02-09T08:34:18.772Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71157 (GCVE-0-2025-71157)
Vulnerability from cvelistv5
Published
2026-01-23 14:25
Modified
2026-02-09 08:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/core: always drop device refcount in ib_del_sub_device_and_put()
Since nldev_deldev() (introduced by commit 060c642b2ab8 ("RDMA/nldev: Add
support to add/delete a sub IB device through netlink") grabs a reference
using ib_device_get_by_index() before calling ib_del_sub_device_and_put(),
we need to drop that reference before returning -EOPNOTSUPP error.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "20436f2742a92b7afeb2504eb559a98d2196b001",
"status": "affected",
"version": "bca51197620a257e2954be99b16f05115c3b2630",
"versionType": "git"
},
{
"lessThan": "fe8d456080423b9ed410469fbd1e2098d3acce2b",
"status": "affected",
"version": "bca51197620a257e2954be99b16f05115c3b2630",
"versionType": "git"
},
{
"lessThan": "fa3c411d21ebc26ffd175c7256c37cefa35020aa",
"status": "affected",
"version": "bca51197620a257e2954be99b16f05115c3b2630",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.11"
},
{
"lessThan": "6.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/core: always drop device refcount in ib_del_sub_device_and_put()\n\nSince nldev_deldev() (introduced by commit 060c642b2ab8 (\"RDMA/nldev: Add\nsupport to add/delete a sub IB device through netlink\") grabs a reference\nusing ib_device_get_by_index() before calling ib_del_sub_device_and_put(),\nwe need to drop that reference before returning -EOPNOTSUPP error."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:55.551Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/20436f2742a92b7afeb2504eb559a98d2196b001"
},
{
"url": "https://git.kernel.org/stable/c/fe8d456080423b9ed410469fbd1e2098d3acce2b"
},
{
"url": "https://git.kernel.org/stable/c/fa3c411d21ebc26ffd175c7256c37cefa35020aa"
}
],
"title": "RDMA/core: always drop device refcount in ib_del_sub_device_and_put()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71157",
"datePublished": "2026-01-23T14:25:56.458Z",
"dateReserved": "2026-01-13T15:30:19.663Z",
"dateUpdated": "2026-02-09T08:35:55.551Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71091 (GCVE-0-2025-71091)
Vulnerability from cvelistv5
Published
2026-01-13 15:34
Modified
2026-02-09 08:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
team: fix check for port enabled in team_queue_override_port_prio_changed()
There has been a syzkaller bug reported recently with the following
trace:
list_del corruption, ffff888058bea080->prev is LIST_POISON2 (dead000000000122)
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:59!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 3 UID: 0 PID: 21246 Comm: syz.0.2928 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:__list_del_entry_valid_or_report+0x13e/0x200 lib/list_debug.c:59
Code: 48 c7 c7 e0 71 f0 8b e8 30 08 ef fc 90 0f 0b 48 89 ef e8 a5 02 55 fd 48 89 ea 48 89 de 48 c7 c7 40 72 f0 8b e8 13 08 ef fc 90 <0f> 0b 48 89 ef e8 88 02 55 fd 48 89 ea 48 b8 00 00 00 00 00 fc ff
RSP: 0018:ffffc9000d49f370 EFLAGS: 00010286
RAX: 000000000000004e RBX: ffff888058bea080 RCX: ffffc9002817d000
RDX: 0000000000000000 RSI: ffffffff819becc6 RDI: 0000000000000005
RBP: dead000000000122 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: 0000000000000001 R12: ffff888039e9c230
R13: ffff888058bea088 R14: ffff888058bea080 R15: ffff888055461480
FS: 00007fbbcfe6f6c0(0000) GS:ffff8880d6d0a000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000110c3afcb0 CR3: 00000000382c7000 CR4: 0000000000352ef0
Call Trace:
<TASK>
__list_del_entry_valid include/linux/list.h:132 [inline]
__list_del_entry include/linux/list.h:223 [inline]
list_del_rcu include/linux/rculist.h:178 [inline]
__team_queue_override_port_del drivers/net/team/team_core.c:826 [inline]
__team_queue_override_port_del drivers/net/team/team_core.c:821 [inline]
team_queue_override_port_prio_changed drivers/net/team/team_core.c:883 [inline]
team_priority_option_set+0x171/0x2f0 drivers/net/team/team_core.c:1534
team_option_set drivers/net/team/team_core.c:376 [inline]
team_nl_options_set_doit+0x8ae/0xe60 drivers/net/team/team_core.c:2653
genl_family_rcv_msg_doit+0x209/0x2f0 net/netlink/genetlink.c:1115
genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
genl_rcv_msg+0x55c/0x800 net/netlink/genetlink.c:1210
netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2552
genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
netlink_unicast+0x5aa/0x870 net/netlink/af_netlink.c:1346
netlink_sendmsg+0x8c8/0xdd0 net/netlink/af_netlink.c:1896
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg net/socket.c:742 [inline]
____sys_sendmsg+0xa98/0xc70 net/socket.c:2630
___sys_sendmsg+0x134/0x1d0 net/socket.c:2684
__sys_sendmsg+0x16d/0x220 net/socket.c:2716
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The problem is in this flow:
1) Port is enabled, queue_id != 0, in qom_list
2) Port gets disabled
-> team_port_disable()
-> team_queue_override_port_del()
-> del (removed from list)
3) Port is disabled, queue_id != 0, not in any list
4) Priority changes
-> team_queue_override_port_prio_changed()
-> checks: port disabled && queue_id != 0
-> calls del - hits the BUG as it is removed already
To fix this, change the check in team_queue_override_port_prio_changed()
so it returns early if port is not enabled.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 6c31ff366c1116823e77019bae3e92e9d77a49f4 Version: 6c31ff366c1116823e77019bae3e92e9d77a49f4 Version: 6c31ff366c1116823e77019bae3e92e9d77a49f4 Version: 6c31ff366c1116823e77019bae3e92e9d77a49f4 Version: 6c31ff366c1116823e77019bae3e92e9d77a49f4 Version: 6c31ff366c1116823e77019bae3e92e9d77a49f4 Version: 6c31ff366c1116823e77019bae3e92e9d77a49f4 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/team/team_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "25029e813c4aae5fcf7118e8dd5c56e382b9a1a3",
"status": "affected",
"version": "6c31ff366c1116823e77019bae3e92e9d77a49f4",
"versionType": "git"
},
{
"lessThan": "f820e438b8ec2a8354e70e75145f05fe45500d97",
"status": "affected",
"version": "6c31ff366c1116823e77019bae3e92e9d77a49f4",
"versionType": "git"
},
{
"lessThan": "53a727a8bfd78c739e130a781192d0f6f8e03d39",
"status": "affected",
"version": "6c31ff366c1116823e77019bae3e92e9d77a49f4",
"versionType": "git"
},
{
"lessThan": "6bfb62b6010a16112dcae52f490e5e0e6abe12a3",
"status": "affected",
"version": "6c31ff366c1116823e77019bae3e92e9d77a49f4",
"versionType": "git"
},
{
"lessThan": "107d245f84cb4f55f597d31eda34b42a2b7d6952",
"status": "affected",
"version": "6c31ff366c1116823e77019bae3e92e9d77a49f4",
"versionType": "git"
},
{
"lessThan": "b71187648ef2349254673d0523fdf96d1fe3d758",
"status": "affected",
"version": "6c31ff366c1116823e77019bae3e92e9d77a49f4",
"versionType": "git"
},
{
"lessThan": "932ac51d9953eaf77a1252f79b656d4ca86163c6",
"status": "affected",
"version": "6c31ff366c1116823e77019bae3e92e9d77a49f4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/team/team_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.11"
},
{
"lessThan": "3.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nteam: fix check for port enabled in team_queue_override_port_prio_changed()\n\nThere has been a syzkaller bug reported recently with the following\ntrace:\n\nlist_del corruption, ffff888058bea080-\u003eprev is LIST_POISON2 (dead000000000122)\n------------[ cut here ]------------\nkernel BUG at lib/list_debug.c:59!\nOops: invalid opcode: 0000 [#1] SMP KASAN NOPTI\nCPU: 3 UID: 0 PID: 21246 Comm: syz.0.2928 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nRIP: 0010:__list_del_entry_valid_or_report+0x13e/0x200 lib/list_debug.c:59\nCode: 48 c7 c7 e0 71 f0 8b e8 30 08 ef fc 90 0f 0b 48 89 ef e8 a5 02 55 fd 48 89 ea 48 89 de 48 c7 c7 40 72 f0 8b e8 13 08 ef fc 90 \u003c0f\u003e 0b 48 89 ef e8 88 02 55 fd 48 89 ea 48 b8 00 00 00 00 00 fc ff\nRSP: 0018:ffffc9000d49f370 EFLAGS: 00010286\nRAX: 000000000000004e RBX: ffff888058bea080 RCX: ffffc9002817d000\nRDX: 0000000000000000 RSI: ffffffff819becc6 RDI: 0000000000000005\nRBP: dead000000000122 R08: 0000000000000005 R09: 0000000000000000\nR10: 0000000080000000 R11: 0000000000000001 R12: ffff888039e9c230\nR13: ffff888058bea088 R14: ffff888058bea080 R15: ffff888055461480\nFS: 00007fbbcfe6f6c0(0000) GS:ffff8880d6d0a000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000000110c3afcb0 CR3: 00000000382c7000 CR4: 0000000000352ef0\nCall Trace:\n \u003cTASK\u003e\n __list_del_entry_valid include/linux/list.h:132 [inline]\n __list_del_entry include/linux/list.h:223 [inline]\n list_del_rcu include/linux/rculist.h:178 [inline]\n __team_queue_override_port_del drivers/net/team/team_core.c:826 [inline]\n __team_queue_override_port_del drivers/net/team/team_core.c:821 [inline]\n team_queue_override_port_prio_changed drivers/net/team/team_core.c:883 [inline]\n team_priority_option_set+0x171/0x2f0 drivers/net/team/team_core.c:1534\n team_option_set drivers/net/team/team_core.c:376 [inline]\n team_nl_options_set_doit+0x8ae/0xe60 drivers/net/team/team_core.c:2653\n genl_family_rcv_msg_doit+0x209/0x2f0 net/netlink/genetlink.c:1115\n genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]\n genl_rcv_msg+0x55c/0x800 net/netlink/genetlink.c:1210\n netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2552\n genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219\n netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]\n netlink_unicast+0x5aa/0x870 net/netlink/af_netlink.c:1346\n netlink_sendmsg+0x8c8/0xdd0 net/netlink/af_netlink.c:1896\n sock_sendmsg_nosec net/socket.c:727 [inline]\n __sock_sendmsg net/socket.c:742 [inline]\n ____sys_sendmsg+0xa98/0xc70 net/socket.c:2630\n ___sys_sendmsg+0x134/0x1d0 net/socket.c:2684\n __sys_sendmsg+0x16d/0x220 net/socket.c:2716\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xcd/0xfa0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nThe problem is in this flow:\n1) Port is enabled, queue_id != 0, in qom_list\n2) Port gets disabled\n -\u003e team_port_disable()\n -\u003e team_queue_override_port_del()\n -\u003e del (removed from list)\n3) Port is disabled, queue_id != 0, not in any list\n4) Priority changes\n -\u003e team_queue_override_port_prio_changed()\n -\u003e checks: port disabled \u0026\u0026 queue_id != 0\n -\u003e calls del - hits the BUG as it is removed already\n\nTo fix this, change the check in team_queue_override_port_prio_changed()\nso it returns early if port is not enabled."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:43.414Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/25029e813c4aae5fcf7118e8dd5c56e382b9a1a3"
},
{
"url": "https://git.kernel.org/stable/c/f820e438b8ec2a8354e70e75145f05fe45500d97"
},
{
"url": "https://git.kernel.org/stable/c/53a727a8bfd78c739e130a781192d0f6f8e03d39"
},
{
"url": "https://git.kernel.org/stable/c/6bfb62b6010a16112dcae52f490e5e0e6abe12a3"
},
{
"url": "https://git.kernel.org/stable/c/107d245f84cb4f55f597d31eda34b42a2b7d6952"
},
{
"url": "https://git.kernel.org/stable/c/b71187648ef2349254673d0523fdf96d1fe3d758"
},
{
"url": "https://git.kernel.org/stable/c/932ac51d9953eaf77a1252f79b656d4ca86163c6"
}
],
"title": "team: fix check for port enabled in team_queue_override_port_prio_changed()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71091",
"datePublished": "2026-01-13T15:34:52.431Z",
"dateReserved": "2026-01-13T15:30:19.649Z",
"dateUpdated": "2026-02-09T08:34:43.414Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40127 (GCVE-0-2025-40127)
Vulnerability from cvelistv5
Published
2025-11-12 10:23
Modified
2025-12-01 06:18
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
hwrng: ks-sa - fix division by zero in ks_sa_rng_init
Fix division by zero in ks_sa_rng_init caused by missing clock
pointer initialization. The clk_get_rate() call is performed on
an uninitialized clk pointer, resulting in division by zero when
calculating delay values.
Add clock initialization code before using the clock.
drivers/char/hw_random/ks-sa-rng.c | 7 +++++++
1 file changed, 7 insertions(+)
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 6d01d8511dceb9cd40f72eb102b7d24f0b2e997b Version: 6d01d8511dceb9cd40f72eb102b7d24f0b2e997b Version: 6d01d8511dceb9cd40f72eb102b7d24f0b2e997b Version: 6d01d8511dceb9cd40f72eb102b7d24f0b2e997b Version: 6d01d8511dceb9cd40f72eb102b7d24f0b2e997b Version: 6d01d8511dceb9cd40f72eb102b7d24f0b2e997b Version: 6d01d8511dceb9cd40f72eb102b7d24f0b2e997b |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/char/hw_random/ks-sa-rng.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "692a04a1e0cde1d80a33df0078c755cf02cd7268",
"status": "affected",
"version": "6d01d8511dceb9cd40f72eb102b7d24f0b2e997b",
"versionType": "git"
},
{
"lessThan": "d76b099011fa056950f63d05ebb6160991242f6a",
"status": "affected",
"version": "6d01d8511dceb9cd40f72eb102b7d24f0b2e997b",
"versionType": "git"
},
{
"lessThan": "eec7e0e19c1fa75dc65e25aa6a21ef24a03849af",
"status": "affected",
"version": "6d01d8511dceb9cd40f72eb102b7d24f0b2e997b",
"versionType": "git"
},
{
"lessThan": "f4238064379a91e71a9c258996acac43c50c2094",
"status": "affected",
"version": "6d01d8511dceb9cd40f72eb102b7d24f0b2e997b",
"versionType": "git"
},
{
"lessThan": "2b6bcce32cb5aff84588a844a4d3f6dd5353b8e2",
"status": "affected",
"version": "6d01d8511dceb9cd40f72eb102b7d24f0b2e997b",
"versionType": "git"
},
{
"lessThan": "55a70e1de75e5ff5f961c79a2cdc6a4468cc2bf2",
"status": "affected",
"version": "6d01d8511dceb9cd40f72eb102b7d24f0b2e997b",
"versionType": "git"
},
{
"lessThan": "612b1dfeb414dfa780a6316014ceddf9a74ff5c0",
"status": "affected",
"version": "6d01d8511dceb9cd40f72eb102b7d24f0b2e997b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/char/hw_random/ks-sa-rng.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwrng: ks-sa - fix division by zero in ks_sa_rng_init\n\nFix division by zero in ks_sa_rng_init caused by missing clock\npointer initialization. The clk_get_rate() call is performed on\nan uninitialized clk pointer, resulting in division by zero when\ncalculating delay values.\n\nAdd clock initialization code before using the clock.\n\n\n drivers/char/hw_random/ks-sa-rng.c | 7 +++++++\n 1 file changed, 7 insertions(+)"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:18:33.438Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/692a04a1e0cde1d80a33df0078c755cf02cd7268"
},
{
"url": "https://git.kernel.org/stable/c/d76b099011fa056950f63d05ebb6160991242f6a"
},
{
"url": "https://git.kernel.org/stable/c/eec7e0e19c1fa75dc65e25aa6a21ef24a03849af"
},
{
"url": "https://git.kernel.org/stable/c/f4238064379a91e71a9c258996acac43c50c2094"
},
{
"url": "https://git.kernel.org/stable/c/2b6bcce32cb5aff84588a844a4d3f6dd5353b8e2"
},
{
"url": "https://git.kernel.org/stable/c/55a70e1de75e5ff5f961c79a2cdc6a4468cc2bf2"
},
{
"url": "https://git.kernel.org/stable/c/612b1dfeb414dfa780a6316014ceddf9a74ff5c0"
}
],
"title": "hwrng: ks-sa - fix division by zero in ks_sa_rng_init",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40127",
"datePublished": "2025-11-12T10:23:20.775Z",
"dateReserved": "2025-04-16T07:20:57.169Z",
"dateUpdated": "2025-12-01T06:18:33.438Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40261 (GCVE-0-2025-40261)
Vulnerability from cvelistv5
Published
2025-12-04 16:08
Modified
2026-04-18 08:57
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvme: nvme-fc: Ensure ->ioerr_work is cancelled in nvme_fc_delete_ctrl()
nvme_fc_delete_assocation() waits for pending I/O to complete before
returning, and an error can cause ->ioerr_work to be queued after
cancel_work_sync() had been called. Move the call to cancel_work_sync() to
be after nvme_fc_delete_association() to ensure ->ioerr_work is not running
when the nvme_fc_ctrl object is freed. Otherwise the following can occur:
[ 1135.911754] list_del corruption, ff2d24c8093f31f8->next is NULL
[ 1135.917705] ------------[ cut here ]------------
[ 1135.922336] kernel BUG at lib/list_debug.c:52!
[ 1135.926784] Oops: invalid opcode: 0000 [#1] SMP NOPTI
[ 1135.931851] CPU: 48 UID: 0 PID: 726 Comm: kworker/u449:23 Kdump: loaded Not tainted 6.12.0 #1 PREEMPT(voluntary)
[ 1135.943490] Hardware name: Dell Inc. PowerEdge R660/0HGTK9, BIOS 2.5.4 01/16/2025
[ 1135.950969] Workqueue: 0x0 (nvme-wq)
[ 1135.954673] RIP: 0010:__list_del_entry_valid_or_report.cold+0xf/0x6f
[ 1135.961041] Code: c7 c7 98 68 72 94 e8 26 45 fe ff 0f 0b 48 c7 c7 70 68 72 94 e8 18 45 fe ff 0f 0b 48 89 fe 48 c7 c7 80 69 72 94 e8 07 45 fe ff <0f> 0b 48 89 d1 48 c7 c7 a0 6a 72 94 48 89 c2 e8 f3 44 fe ff 0f 0b
[ 1135.979788] RSP: 0018:ff579b19482d3e50 EFLAGS: 00010046
[ 1135.985015] RAX: 0000000000000033 RBX: ff2d24c8093f31f0 RCX: 0000000000000000
[ 1135.992148] RDX: 0000000000000000 RSI: ff2d24d6bfa1d0c0 RDI: ff2d24d6bfa1d0c0
[ 1135.999278] RBP: ff2d24c8093f31f8 R08: 0000000000000000 R09: ffffffff951e2b08
[ 1136.006413] R10: ffffffff95122ac8 R11: 0000000000000003 R12: ff2d24c78697c100
[ 1136.013546] R13: fffffffffffffff8 R14: 0000000000000000 R15: ff2d24c78697c0c0
[ 1136.020677] FS: 0000000000000000(0000) GS:ff2d24d6bfa00000(0000) knlGS:0000000000000000
[ 1136.028765] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1136.034510] CR2: 00007fd207f90b80 CR3: 000000163ea22003 CR4: 0000000000f73ef0
[ 1136.041641] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 1136.048776] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
[ 1136.055910] PKRU: 55555554
[ 1136.058623] Call Trace:
[ 1136.061074] <TASK>
[ 1136.063179] ? show_trace_log_lvl+0x1b0/0x2f0
[ 1136.067540] ? show_trace_log_lvl+0x1b0/0x2f0
[ 1136.071898] ? move_linked_works+0x4a/0xa0
[ 1136.075998] ? __list_del_entry_valid_or_report.cold+0xf/0x6f
[ 1136.081744] ? __die_body.cold+0x8/0x12
[ 1136.085584] ? die+0x2e/0x50
[ 1136.088469] ? do_trap+0xca/0x110
[ 1136.091789] ? do_error_trap+0x65/0x80
[ 1136.095543] ? __list_del_entry_valid_or_report.cold+0xf/0x6f
[ 1136.101289] ? exc_invalid_op+0x50/0x70
[ 1136.105127] ? __list_del_entry_valid_or_report.cold+0xf/0x6f
[ 1136.110874] ? asm_exc_invalid_op+0x1a/0x20
[ 1136.115059] ? __list_del_entry_valid_or_report.cold+0xf/0x6f
[ 1136.120806] move_linked_works+0x4a/0xa0
[ 1136.124733] worker_thread+0x216/0x3a0
[ 1136.128485] ? __pfx_worker_thread+0x10/0x10
[ 1136.132758] kthread+0xfa/0x240
[ 1136.135904] ? __pfx_kthread+0x10/0x10
[ 1136.139657] ret_from_fork+0x31/0x50
[ 1136.143236] ? __pfx_kthread+0x10/0x10
[ 1136.146988] ret_from_fork_asm+0x1a/0x30
[ 1136.150915] </TASK>
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: f1cd8c40936ff2b560e1f35159dd6a4602b558e5 Version: 19fce0470f05031e6af36e49ce222d0f0050d432 Version: 19fce0470f05031e6af36e49ce222d0f0050d432 Version: 19fce0470f05031e6af36e49ce222d0f0050d432 Version: 19fce0470f05031e6af36e49ce222d0f0050d432 Version: 19fce0470f05031e6af36e49ce222d0f0050d432 Version: 19fce0470f05031e6af36e49ce222d0f0050d432 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nvme/host/fc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3f48cd7f35da07fc067cef926bb7f6f4735de37b",
"status": "affected",
"version": "f1cd8c40936ff2b560e1f35159dd6a4602b558e5",
"versionType": "git"
},
{
"lessThan": "60ba31330faf5677e2eebef7eac62ea9e42a200d",
"status": "affected",
"version": "19fce0470f05031e6af36e49ce222d0f0050d432",
"versionType": "git"
},
{
"lessThan": "9610a2c162ef729a3988213a4604376e492f6f44",
"status": "affected",
"version": "19fce0470f05031e6af36e49ce222d0f0050d432",
"versionType": "git"
},
{
"lessThan": "33f64600a12055219bda38b55320c62cdeda9167",
"status": "affected",
"version": "19fce0470f05031e6af36e49ce222d0f0050d432",
"versionType": "git"
},
{
"lessThan": "48ae433c6cc6985f647b1b37d8bb002972cf9bdb",
"status": "affected",
"version": "19fce0470f05031e6af36e49ce222d0f0050d432",
"versionType": "git"
},
{
"lessThan": "fbd5741a556eaaa63d0908132ca79d335b58b1cd",
"status": "affected",
"version": "19fce0470f05031e6af36e49ce222d0f0050d432",
"versionType": "git"
},
{
"lessThan": "0a2c5495b6d1ecb0fa18ef6631450f391a888256",
"status": "affected",
"version": "19fce0470f05031e6af36e49ce222d0f0050d432",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nvme/host/fc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "5.10.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme: nvme-fc: Ensure -\u003eioerr_work is cancelled in nvme_fc_delete_ctrl()\n\nnvme_fc_delete_assocation() waits for pending I/O to complete before\nreturning, and an error can cause -\u003eioerr_work to be queued after\ncancel_work_sync() had been called. Move the call to cancel_work_sync() to\nbe after nvme_fc_delete_association() to ensure -\u003eioerr_work is not running\nwhen the nvme_fc_ctrl object is freed. Otherwise the following can occur:\n\n[ 1135.911754] list_del corruption, ff2d24c8093f31f8-\u003enext is NULL\n[ 1135.917705] ------------[ cut here ]------------\n[ 1135.922336] kernel BUG at lib/list_debug.c:52!\n[ 1135.926784] Oops: invalid opcode: 0000 [#1] SMP NOPTI\n[ 1135.931851] CPU: 48 UID: 0 PID: 726 Comm: kworker/u449:23 Kdump: loaded Not tainted 6.12.0 #1 PREEMPT(voluntary)\n[ 1135.943490] Hardware name: Dell Inc. PowerEdge R660/0HGTK9, BIOS 2.5.4 01/16/2025\n[ 1135.950969] Workqueue: 0x0 (nvme-wq)\n[ 1135.954673] RIP: 0010:__list_del_entry_valid_or_report.cold+0xf/0x6f\n[ 1135.961041] Code: c7 c7 98 68 72 94 e8 26 45 fe ff 0f 0b 48 c7 c7 70 68 72 94 e8 18 45 fe ff 0f 0b 48 89 fe 48 c7 c7 80 69 72 94 e8 07 45 fe ff \u003c0f\u003e 0b 48 89 d1 48 c7 c7 a0 6a 72 94 48 89 c2 e8 f3 44 fe ff 0f 0b\n[ 1135.979788] RSP: 0018:ff579b19482d3e50 EFLAGS: 00010046\n[ 1135.985015] RAX: 0000000000000033 RBX: ff2d24c8093f31f0 RCX: 0000000000000000\n[ 1135.992148] RDX: 0000000000000000 RSI: ff2d24d6bfa1d0c0 RDI: ff2d24d6bfa1d0c0\n[ 1135.999278] RBP: ff2d24c8093f31f8 R08: 0000000000000000 R09: ffffffff951e2b08\n[ 1136.006413] R10: ffffffff95122ac8 R11: 0000000000000003 R12: ff2d24c78697c100\n[ 1136.013546] R13: fffffffffffffff8 R14: 0000000000000000 R15: ff2d24c78697c0c0\n[ 1136.020677] FS: 0000000000000000(0000) GS:ff2d24d6bfa00000(0000) knlGS:0000000000000000\n[ 1136.028765] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 1136.034510] CR2: 00007fd207f90b80 CR3: 000000163ea22003 CR4: 0000000000f73ef0\n[ 1136.041641] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 1136.048776] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400\n[ 1136.055910] PKRU: 55555554\n[ 1136.058623] Call Trace:\n[ 1136.061074] \u003cTASK\u003e\n[ 1136.063179] ? show_trace_log_lvl+0x1b0/0x2f0\n[ 1136.067540] ? show_trace_log_lvl+0x1b0/0x2f0\n[ 1136.071898] ? move_linked_works+0x4a/0xa0\n[ 1136.075998] ? __list_del_entry_valid_or_report.cold+0xf/0x6f\n[ 1136.081744] ? __die_body.cold+0x8/0x12\n[ 1136.085584] ? die+0x2e/0x50\n[ 1136.088469] ? do_trap+0xca/0x110\n[ 1136.091789] ? do_error_trap+0x65/0x80\n[ 1136.095543] ? __list_del_entry_valid_or_report.cold+0xf/0x6f\n[ 1136.101289] ? exc_invalid_op+0x50/0x70\n[ 1136.105127] ? __list_del_entry_valid_or_report.cold+0xf/0x6f\n[ 1136.110874] ? asm_exc_invalid_op+0x1a/0x20\n[ 1136.115059] ? __list_del_entry_valid_or_report.cold+0xf/0x6f\n[ 1136.120806] move_linked_works+0x4a/0xa0\n[ 1136.124733] worker_thread+0x216/0x3a0\n[ 1136.128485] ? __pfx_worker_thread+0x10/0x10\n[ 1136.132758] kthread+0xfa/0x240\n[ 1136.135904] ? __pfx_kthread+0x10/0x10\n[ 1136.139657] ret_from_fork+0x31/0x50\n[ 1136.143236] ? __pfx_kthread+0x10/0x10\n[ 1136.146988] ret_from_fork_asm+0x1a/0x30\n[ 1136.150915] \u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:57:07.832Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3f48cd7f35da07fc067cef926bb7f6f4735de37b"
},
{
"url": "https://git.kernel.org/stable/c/60ba31330faf5677e2eebef7eac62ea9e42a200d"
},
{
"url": "https://git.kernel.org/stable/c/9610a2c162ef729a3988213a4604376e492f6f44"
},
{
"url": "https://git.kernel.org/stable/c/33f64600a12055219bda38b55320c62cdeda9167"
},
{
"url": "https://git.kernel.org/stable/c/48ae433c6cc6985f647b1b37d8bb002972cf9bdb"
},
{
"url": "https://git.kernel.org/stable/c/fbd5741a556eaaa63d0908132ca79d335b58b1cd"
},
{
"url": "https://git.kernel.org/stable/c/0a2c5495b6d1ecb0fa18ef6631450f391a888256"
}
],
"title": "nvme: nvme-fc: Ensure -\u003eioerr_work is cancelled in nvme_fc_delete_ctrl()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40261",
"datePublished": "2025-12-04T16:08:21.345Z",
"dateReserved": "2025-04-16T07:20:57.182Z",
"dateUpdated": "2026-04-18T08:57:07.832Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40060 (GCVE-0-2025-40060)
Vulnerability from cvelistv5
Published
2025-10-28 11:48
Modified
2025-12-01 06:17
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
coresight: trbe: Return NULL pointer for allocation failures
When the TRBE driver fails to allocate a buffer, it currently returns
the error code "-ENOMEM". However, the caller etm_setup_aux() only
checks for a NULL pointer, so it misses the error. As a result, the
driver continues and eventually causes a kernel panic.
Fix this by returning a NULL pointer from arm_trbe_alloc_buffer() on
allocation failures. This allows that the callers can properly handle
the failure.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 3fbf7f011f2426dac8c982f1d2ef469a7959a524 Version: 3fbf7f011f2426dac8c982f1d2ef469a7959a524 Version: 3fbf7f011f2426dac8c982f1d2ef469a7959a524 Version: 3fbf7f011f2426dac8c982f1d2ef469a7959a524 Version: 3fbf7f011f2426dac8c982f1d2ef469a7959a524 Version: 3fbf7f011f2426dac8c982f1d2ef469a7959a524 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hwtracing/coresight/coresight-trbe.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cef047e0a55cb07906fcaae99170f19a9c0bb6c2",
"status": "affected",
"version": "3fbf7f011f2426dac8c982f1d2ef469a7959a524",
"versionType": "git"
},
{
"lessThan": "fe53a726d5edf864e80b490780cc135fc1adece9",
"status": "affected",
"version": "3fbf7f011f2426dac8c982f1d2ef469a7959a524",
"versionType": "git"
},
{
"lessThan": "9768536f82600a05ce901e31ccfabd92c027ff71",
"status": "affected",
"version": "3fbf7f011f2426dac8c982f1d2ef469a7959a524",
"versionType": "git"
},
{
"lessThan": "296da78494633e1ab5e2e74173a9c8683b04aa6b",
"status": "affected",
"version": "3fbf7f011f2426dac8c982f1d2ef469a7959a524",
"versionType": "git"
},
{
"lessThan": "f505a165f1c7cd37b4cb6952042a5984693a4067",
"status": "affected",
"version": "3fbf7f011f2426dac8c982f1d2ef469a7959a524",
"versionType": "git"
},
{
"lessThan": "8a55c161f7f9c1aa1c70611b39830d51c83ef36d",
"status": "affected",
"version": "3fbf7f011f2426dac8c982f1d2ef469a7959a524",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hwtracing/coresight/coresight-trbe.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncoresight: trbe: Return NULL pointer for allocation failures\n\nWhen the TRBE driver fails to allocate a buffer, it currently returns\nthe error code \"-ENOMEM\". However, the caller etm_setup_aux() only\nchecks for a NULL pointer, so it misses the error. As a result, the\ndriver continues and eventually causes a kernel panic.\n\nFix this by returning a NULL pointer from arm_trbe_alloc_buffer() on\nallocation failures. This allows that the callers can properly handle\nthe failure."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:17:09.595Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cef047e0a55cb07906fcaae99170f19a9c0bb6c2"
},
{
"url": "https://git.kernel.org/stable/c/fe53a726d5edf864e80b490780cc135fc1adece9"
},
{
"url": "https://git.kernel.org/stable/c/9768536f82600a05ce901e31ccfabd92c027ff71"
},
{
"url": "https://git.kernel.org/stable/c/296da78494633e1ab5e2e74173a9c8683b04aa6b"
},
{
"url": "https://git.kernel.org/stable/c/f505a165f1c7cd37b4cb6952042a5984693a4067"
},
{
"url": "https://git.kernel.org/stable/c/8a55c161f7f9c1aa1c70611b39830d51c83ef36d"
}
],
"title": "coresight: trbe: Return NULL pointer for allocation failures",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40060",
"datePublished": "2025-10-28T11:48:32.775Z",
"dateReserved": "2025-04-16T07:20:57.158Z",
"dateUpdated": "2025-12-01T06:17:09.595Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40233 (GCVE-0-2025-40233)
Vulnerability from cvelistv5
Published
2025-12-04 15:31
Modified
2025-12-04 15:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ocfs2: clear extent cache after moving/defragmenting extents
The extent map cache can become stale when extents are moved or
defragmented, causing subsequent operations to see outdated extent flags.
This triggers a BUG_ON in ocfs2_refcount_cal_cow_clusters().
The problem occurs when:
1. copy_file_range() creates a reflinked extent with OCFS2_EXT_REFCOUNTED
2. ioctl(FITRIM) triggers ocfs2_move_extents()
3. __ocfs2_move_extents_range() reads and caches the extent (flags=0x2)
4. ocfs2_move_extent()/ocfs2_defrag_extent() calls __ocfs2_move_extent()
which clears OCFS2_EXT_REFCOUNTED flag on disk (flags=0x0)
5. The extent map cache is not invalidated after the move
6. Later write() operations read stale cached flags (0x2) but disk has
updated flags (0x0), causing a mismatch
7. BUG_ON(!(rec->e_flags & OCFS2_EXT_REFCOUNTED)) triggers
Fix by clearing the extent map cache after each extent move/defrag
operation in __ocfs2_move_extents_range(). This ensures subsequent
operations read fresh extent data from disk.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 53069d4e76954e2e63c1b3c501051c6fbcf7298c Version: 53069d4e76954e2e63c1b3c501051c6fbcf7298c Version: 53069d4e76954e2e63c1b3c501051c6fbcf7298c Version: 53069d4e76954e2e63c1b3c501051c6fbcf7298c Version: 53069d4e76954e2e63c1b3c501051c6fbcf7298c Version: 53069d4e76954e2e63c1b3c501051c6fbcf7298c Version: 53069d4e76954e2e63c1b3c501051c6fbcf7298c Version: 53069d4e76954e2e63c1b3c501051c6fbcf7298c |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ocfs2/move_extents.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "93166bc53c0e3587058327a4121daea34b4fecd5",
"status": "affected",
"version": "53069d4e76954e2e63c1b3c501051c6fbcf7298c",
"versionType": "git"
},
{
"lessThan": "a7ee72286efba1d407c6f15a0528e43593fb7007",
"status": "affected",
"version": "53069d4e76954e2e63c1b3c501051c6fbcf7298c",
"versionType": "git"
},
{
"lessThan": "93b1ab422f1966b71561158e1aedce4ec100f357",
"status": "affected",
"version": "53069d4e76954e2e63c1b3c501051c6fbcf7298c",
"versionType": "git"
},
{
"lessThan": "e92af7737a94a729225d2a5d180eaaa77fe0bbc1",
"status": "affected",
"version": "53069d4e76954e2e63c1b3c501051c6fbcf7298c",
"versionType": "git"
},
{
"lessThan": "aa6a21409dd6221bb268b56bb410e031c632ff9a",
"status": "affected",
"version": "53069d4e76954e2e63c1b3c501051c6fbcf7298c",
"versionType": "git"
},
{
"lessThan": "bb69928ed578f881e68d26aaf1a8f6e7faab3b44",
"status": "affected",
"version": "53069d4e76954e2e63c1b3c501051c6fbcf7298c",
"versionType": "git"
},
{
"lessThan": "a21750df2f6169af6e039a3bb4893d6c9564e48d",
"status": "affected",
"version": "53069d4e76954e2e63c1b3c501051c6fbcf7298c",
"versionType": "git"
},
{
"lessThan": "78a63493f8e352296dbc7cb7b3f4973105e8679e",
"status": "affected",
"version": "53069d4e76954e2e63c1b3c501051c6fbcf7298c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ocfs2/move_extents.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.0"
},
{
"lessThan": "3.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.196",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.115",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.196",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.115",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.56",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.6",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: clear extent cache after moving/defragmenting extents\n\nThe extent map cache can become stale when extents are moved or\ndefragmented, causing subsequent operations to see outdated extent flags. \nThis triggers a BUG_ON in ocfs2_refcount_cal_cow_clusters().\n\nThe problem occurs when:\n1. copy_file_range() creates a reflinked extent with OCFS2_EXT_REFCOUNTED\n2. ioctl(FITRIM) triggers ocfs2_move_extents()\n3. __ocfs2_move_extents_range() reads and caches the extent (flags=0x2)\n4. ocfs2_move_extent()/ocfs2_defrag_extent() calls __ocfs2_move_extent()\n which clears OCFS2_EXT_REFCOUNTED flag on disk (flags=0x0)\n5. The extent map cache is not invalidated after the move\n6. Later write() operations read stale cached flags (0x2) but disk has\n updated flags (0x0), causing a mismatch\n7. BUG_ON(!(rec-\u003ee_flags \u0026 OCFS2_EXT_REFCOUNTED)) triggers\n\nFix by clearing the extent map cache after each extent move/defrag\noperation in __ocfs2_move_extents_range(). This ensures subsequent\noperations read fresh extent data from disk."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-04T15:31:23.891Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/93166bc53c0e3587058327a4121daea34b4fecd5"
},
{
"url": "https://git.kernel.org/stable/c/a7ee72286efba1d407c6f15a0528e43593fb7007"
},
{
"url": "https://git.kernel.org/stable/c/93b1ab422f1966b71561158e1aedce4ec100f357"
},
{
"url": "https://git.kernel.org/stable/c/e92af7737a94a729225d2a5d180eaaa77fe0bbc1"
},
{
"url": "https://git.kernel.org/stable/c/aa6a21409dd6221bb268b56bb410e031c632ff9a"
},
{
"url": "https://git.kernel.org/stable/c/bb69928ed578f881e68d26aaf1a8f6e7faab3b44"
},
{
"url": "https://git.kernel.org/stable/c/a21750df2f6169af6e039a3bb4893d6c9564e48d"
},
{
"url": "https://git.kernel.org/stable/c/78a63493f8e352296dbc7cb7b3f4973105e8679e"
}
],
"title": "ocfs2: clear extent cache after moving/defragmenting extents",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40233",
"datePublished": "2025-12-04T15:31:23.891Z",
"dateReserved": "2025-04-16T07:20:57.180Z",
"dateUpdated": "2025-12-04T15:31:23.891Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38556 (GCVE-0-2025-38556)
Vulnerability from cvelistv5
Published
2025-08-19 17:02
Modified
2026-01-19 12:18
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: core: Harden s32ton() against conversion to 0 bits
Testing by the syzbot fuzzer showed that the HID core gets a
shift-out-of-bounds exception when it tries to convert a 32-bit
quantity to a 0-bit quantity. Ideally this should never occur, but
there are buggy devices and some might have a report field with size
set to zero; we shouldn't reject the report or the device just because
of that.
Instead, harden the s32ton() routine so that it returns a reasonable
result instead of crashing when it is called with the number of bits
set to 0 -- the same as what snto32() does.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: dde5845a529ff753364a6d1aea61180946270bfa Version: dde5845a529ff753364a6d1aea61180946270bfa Version: dde5845a529ff753364a6d1aea61180946270bfa Version: dde5845a529ff753364a6d1aea61180946270bfa Version: dde5845a529ff753364a6d1aea61180946270bfa Version: dde5845a529ff753364a6d1aea61180946270bfa Version: dde5845a529ff753364a6d1aea61180946270bfa Version: dde5845a529ff753364a6d1aea61180946270bfa |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6cdf6c708717c5c6897d0800a1793e83757c7491",
"status": "affected",
"version": "dde5845a529ff753364a6d1aea61180946270bfa",
"versionType": "git"
},
{
"lessThan": "eeeaba737919bdce9885e2a00ac2912f61a3684d",
"status": "affected",
"version": "dde5845a529ff753364a6d1aea61180946270bfa",
"versionType": "git"
},
{
"lessThan": "3c86548a20d7bc2861aa4de044991a327bebad1a",
"status": "affected",
"version": "dde5845a529ff753364a6d1aea61180946270bfa",
"versionType": "git"
},
{
"lessThan": "810189546cb6c8f36443ed091d91f1f5d2fc2ec7",
"status": "affected",
"version": "dde5845a529ff753364a6d1aea61180946270bfa",
"versionType": "git"
},
{
"lessThan": "d3b504146c111548ab60b6ef7aad00bfb1db05a2",
"status": "affected",
"version": "dde5845a529ff753364a6d1aea61180946270bfa",
"versionType": "git"
},
{
"lessThan": "8b4a94b1510f6a46ec48494b52ee8f67eb4fc836",
"status": "affected",
"version": "dde5845a529ff753364a6d1aea61180946270bfa",
"versionType": "git"
},
{
"lessThan": "865ad8469fa24de1559f247d9426ab01e5ce3a56",
"status": "affected",
"version": "dde5845a529ff753364a6d1aea61180946270bfa",
"versionType": "git"
},
{
"lessThan": "a6b87bfc2ab5bccb7ad953693c85d9062aef3fdd",
"status": "affected",
"version": "dde5845a529ff753364a6d1aea61180946270bfa",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.20"
},
{
"lessThan": "2.6.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: core: Harden s32ton() against conversion to 0 bits\n\nTesting by the syzbot fuzzer showed that the HID core gets a\nshift-out-of-bounds exception when it tries to convert a 32-bit\nquantity to a 0-bit quantity. Ideally this should never occur, but\nthere are buggy devices and some might have a report field with size\nset to zero; we shouldn\u0027t reject the report or the device just because\nof that.\n\nInstead, harden the s32ton() routine so that it returns a reasonable\nresult instead of crashing when it is called with the number of bits\nset to 0 -- the same as what snto32() does."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:18:03.142Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6cdf6c708717c5c6897d0800a1793e83757c7491"
},
{
"url": "https://git.kernel.org/stable/c/eeeaba737919bdce9885e2a00ac2912f61a3684d"
},
{
"url": "https://git.kernel.org/stable/c/3c86548a20d7bc2861aa4de044991a327bebad1a"
},
{
"url": "https://git.kernel.org/stable/c/810189546cb6c8f36443ed091d91f1f5d2fc2ec7"
},
{
"url": "https://git.kernel.org/stable/c/d3b504146c111548ab60b6ef7aad00bfb1db05a2"
},
{
"url": "https://git.kernel.org/stable/c/8b4a94b1510f6a46ec48494b52ee8f67eb4fc836"
},
{
"url": "https://git.kernel.org/stable/c/865ad8469fa24de1559f247d9426ab01e5ce3a56"
},
{
"url": "https://git.kernel.org/stable/c/a6b87bfc2ab5bccb7ad953693c85d9062aef3fdd"
}
],
"title": "HID: core: Harden s32ton() against conversion to 0 bits",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38556",
"datePublished": "2025-08-19T17:02:34.929Z",
"dateReserved": "2025-04-16T04:51:24.025Z",
"dateUpdated": "2026-01-19T12:18:03.142Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68796 (GCVE-0-2025-68796)
Vulnerability from cvelistv5
Published
2026-01-13 15:29
Modified
2026-02-09 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix to avoid updating zero-sized extent in extent cache
As syzbot reported:
F2FS-fs (loop0): __update_extent_tree_range: extent len is zero, type: 0, extent [0, 0, 0], age [0, 0]
------------[ cut here ]------------
kernel BUG at fs/f2fs/extent_cache.c:678!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 5336 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:__update_extent_tree_range+0x13bc/0x1500 fs/f2fs/extent_cache.c:678
Call Trace:
<TASK>
f2fs_update_read_extent_cache_range+0x192/0x3e0 fs/f2fs/extent_cache.c:1085
f2fs_do_zero_range fs/f2fs/file.c:1657 [inline]
f2fs_zero_range+0x10c1/0x1580 fs/f2fs/file.c:1737
f2fs_fallocate+0x583/0x990 fs/f2fs/file.c:2030
vfs_fallocate+0x669/0x7e0 fs/open.c:342
ioctl_preallocate fs/ioctl.c:289 [inline]
file_ioctl+0x611/0x780 fs/ioctl.c:-1
do_vfs_ioctl+0xb33/0x1430 fs/ioctl.c:576
__do_sys_ioctl fs/ioctl.c:595 [inline]
__se_sys_ioctl+0x82/0x170 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f07bc58eec9
In error path of f2fs_zero_range(), it may add a zero-sized extent
into extent cache, it should be avoided.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 6e9619499f53b22ead972e476c0e8341c997d929 Version: 6e9619499f53b22ead972e476c0e8341c997d929 Version: 6e9619499f53b22ead972e476c0e8341c997d929 Version: 6e9619499f53b22ead972e476c0e8341c997d929 Version: 6e9619499f53b22ead972e476c0e8341c997d929 Version: 6e9619499f53b22ead972e476c0e8341c997d929 Version: 6e9619499f53b22ead972e476c0e8341c997d929 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/f2fs/file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9c07bd262c13ca922adad6e7613d48505f97f548",
"status": "affected",
"version": "6e9619499f53b22ead972e476c0e8341c997d929",
"versionType": "git"
},
{
"lessThan": "72c58a82e6fb7b327e8701f5786c70c3edc56188",
"status": "affected",
"version": "6e9619499f53b22ead972e476c0e8341c997d929",
"versionType": "git"
},
{
"lessThan": "e50b81c50fcbe63f50405bb40f262162ff32af88",
"status": "affected",
"version": "6e9619499f53b22ead972e476c0e8341c997d929",
"versionType": "git"
},
{
"lessThan": "efe3371001f50a2d6f746b50bdc6f9f26b2089ec",
"status": "affected",
"version": "6e9619499f53b22ead972e476c0e8341c997d929",
"versionType": "git"
},
{
"lessThan": "4f244c64efe628d277b916f47071adf480eb8646",
"status": "affected",
"version": "6e9619499f53b22ead972e476c0e8341c997d929",
"versionType": "git"
},
{
"lessThan": "bac23833220a1f8fe8dfab7e16efa20ff64d7589",
"status": "affected",
"version": "6e9619499f53b22ead972e476c0e8341c997d929",
"versionType": "git"
},
{
"lessThan": "7c37c79510329cd951a4dedf3f7bf7e2b18dccec",
"status": "affected",
"version": "6e9619499f53b22ead972e476c0e8341c997d929",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/f2fs/file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.7"
},
{
"lessThan": "4.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid updating zero-sized extent in extent cache\n\nAs syzbot reported:\n\nF2FS-fs (loop0): __update_extent_tree_range: extent len is zero, type: 0, extent [0, 0, 0], age [0, 0]\n------------[ cut here ]------------\nkernel BUG at fs/f2fs/extent_cache.c:678!\nOops: invalid opcode: 0000 [#1] SMP KASAN NOPTI\nCPU: 0 UID: 0 PID: 5336 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nRIP: 0010:__update_extent_tree_range+0x13bc/0x1500 fs/f2fs/extent_cache.c:678\nCall Trace:\n \u003cTASK\u003e\n f2fs_update_read_extent_cache_range+0x192/0x3e0 fs/f2fs/extent_cache.c:1085\n f2fs_do_zero_range fs/f2fs/file.c:1657 [inline]\n f2fs_zero_range+0x10c1/0x1580 fs/f2fs/file.c:1737\n f2fs_fallocate+0x583/0x990 fs/f2fs/file.c:2030\n vfs_fallocate+0x669/0x7e0 fs/open.c:342\n ioctl_preallocate fs/ioctl.c:289 [inline]\n file_ioctl+0x611/0x780 fs/ioctl.c:-1\n do_vfs_ioctl+0xb33/0x1430 fs/ioctl.c:576\n __do_sys_ioctl fs/ioctl.c:595 [inline]\n __se_sys_ioctl+0x82/0x170 fs/ioctl.c:583\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f07bc58eec9\n\nIn error path of f2fs_zero_range(), it may add a zero-sized extent\ninto extent cache, it should be avoided."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:44.079Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9c07bd262c13ca922adad6e7613d48505f97f548"
},
{
"url": "https://git.kernel.org/stable/c/72c58a82e6fb7b327e8701f5786c70c3edc56188"
},
{
"url": "https://git.kernel.org/stable/c/e50b81c50fcbe63f50405bb40f262162ff32af88"
},
{
"url": "https://git.kernel.org/stable/c/efe3371001f50a2d6f746b50bdc6f9f26b2089ec"
},
{
"url": "https://git.kernel.org/stable/c/4f244c64efe628d277b916f47071adf480eb8646"
},
{
"url": "https://git.kernel.org/stable/c/bac23833220a1f8fe8dfab7e16efa20ff64d7589"
},
{
"url": "https://git.kernel.org/stable/c/7c37c79510329cd951a4dedf3f7bf7e2b18dccec"
}
],
"title": "f2fs: fix to avoid updating zero-sized extent in extent cache",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68796",
"datePublished": "2026-01-13T15:29:06.892Z",
"dateReserved": "2025-12-24T10:30:51.042Z",
"dateUpdated": "2026-02-09T08:33:44.079Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40317 (GCVE-0-2025-40317)
Vulnerability from cvelistv5
Published
2025-12-08 00:46
Modified
2025-12-08 00:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
regmap: slimbus: fix bus_context pointer in regmap init calls
Commit 4e65bda8273c ("ASoC: wcd934x: fix error handling in
wcd934x_codec_parse_data()") revealed the problem in the slimbus regmap.
That commit breaks audio playback, for instance, on sdm845 Thundercomm
Dragonboard 845c board:
Unable to handle kernel paging request at virtual address ffff8000847cbad4
...
CPU: 5 UID: 0 PID: 776 Comm: aplay Not tainted 6.18.0-rc1-00028-g7ea30958b305 #11 PREEMPT
Hardware name: Thundercomm Dragonboard 845c (DT)
...
Call trace:
slim_xfer_msg+0x24/0x1ac [slimbus] (P)
slim_read+0x48/0x74 [slimbus]
regmap_slimbus_read+0x18/0x24 [regmap_slimbus]
_regmap_raw_read+0xe8/0x174
_regmap_bus_read+0x44/0x80
_regmap_read+0x60/0xd8
_regmap_update_bits+0xf4/0x140
_regmap_select_page+0xa8/0x124
_regmap_raw_write_impl+0x3b8/0x65c
_regmap_bus_raw_write+0x60/0x80
_regmap_write+0x58/0xc0
regmap_write+0x4c/0x80
wcd934x_hw_params+0x494/0x8b8 [snd_soc_wcd934x]
snd_soc_dai_hw_params+0x3c/0x7c [snd_soc_core]
__soc_pcm_hw_params+0x22c/0x634 [snd_soc_core]
dpcm_be_dai_hw_params+0x1d4/0x38c [snd_soc_core]
dpcm_fe_dai_hw_params+0x9c/0x17c [snd_soc_core]
snd_pcm_hw_params+0x124/0x464 [snd_pcm]
snd_pcm_common_ioctl+0x110c/0x1820 [snd_pcm]
snd_pcm_ioctl+0x34/0x4c [snd_pcm]
__arm64_sys_ioctl+0xac/0x104
invoke_syscall+0x48/0x104
el0_svc_common.constprop.0+0x40/0xe0
do_el0_svc+0x1c/0x28
el0_svc+0x34/0xec
el0t_64_sync_handler+0xa0/0xf0
el0t_64_sync+0x198/0x19c
The __devm_regmap_init_slimbus() started to be used instead of
__regmap_init_slimbus() after the commit mentioned above and turns out
the incorrect bus_context pointer (3rd argument) was used in
__devm_regmap_init_slimbus(). It should be just "slimbus" (which is equal
to &slimbus->dev). Correct it. The wcd934x codec seems to be the only or
the first user of devm_regmap_init_slimbus() but we should fix it till
the point where __devm_regmap_init_slimbus() was introduced therefore
two "Fixes" tags.
While at this, also correct the same argument in __regmap_init_slimbus().
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 7d6f7fb053ad543da74119df3c4cd7bb46220471 Version: 7d6f7fb053ad543da74119df3c4cd7bb46220471 Version: 7d6f7fb053ad543da74119df3c4cd7bb46220471 Version: 7d6f7fb053ad543da74119df3c4cd7bb46220471 Version: 7d6f7fb053ad543da74119df3c4cd7bb46220471 Version: 7d6f7fb053ad543da74119df3c4cd7bb46220471 Version: 7d6f7fb053ad543da74119df3c4cd7bb46220471 Version: 7d6f7fb053ad543da74119df3c4cd7bb46220471 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/base/regmap/regmap-slimbus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c0f05129e5734ff3fd14b2c242709314d9ca5433",
"status": "affected",
"version": "7d6f7fb053ad543da74119df3c4cd7bb46220471",
"versionType": "git"
},
{
"lessThan": "02d3041caaa3fe4dd69e5a8afd1ac6b918ddc6a1",
"status": "affected",
"version": "7d6f7fb053ad543da74119df3c4cd7bb46220471",
"versionType": "git"
},
{
"lessThan": "d979639f099c6e51f06ce4dd8d8e56364d6c17ba",
"status": "affected",
"version": "7d6f7fb053ad543da74119df3c4cd7bb46220471",
"versionType": "git"
},
{
"lessThan": "8143e4075d131c528540417a51966f6697be14eb",
"status": "affected",
"version": "7d6f7fb053ad543da74119df3c4cd7bb46220471",
"versionType": "git"
},
{
"lessThan": "2664bfd8969d1c43dcbe3ea313f130dfa6b74f4c",
"status": "affected",
"version": "7d6f7fb053ad543da74119df3c4cd7bb46220471",
"versionType": "git"
},
{
"lessThan": "a16e92f8d7dc7371e68f17a9926cb92d2244be7b",
"status": "affected",
"version": "7d6f7fb053ad543da74119df3c4cd7bb46220471",
"versionType": "git"
},
{
"lessThan": "b65f3303349eaee333e47d2a99045aa12fa0c3a7",
"status": "affected",
"version": "7d6f7fb053ad543da74119df3c4cd7bb46220471",
"versionType": "git"
},
{
"lessThan": "434f7349a1f00618a620b316f091bd13a12bc8d2",
"status": "affected",
"version": "7d6f7fb053ad543da74119df3c4cd7bb46220471",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/base/regmap/regmap-slimbus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nregmap: slimbus: fix bus_context pointer in regmap init calls\n\nCommit 4e65bda8273c (\"ASoC: wcd934x: fix error handling in\nwcd934x_codec_parse_data()\") revealed the problem in the slimbus regmap.\nThat commit breaks audio playback, for instance, on sdm845 Thundercomm\nDragonboard 845c board:\n\n Unable to handle kernel paging request at virtual address ffff8000847cbad4\n ...\n CPU: 5 UID: 0 PID: 776 Comm: aplay Not tainted 6.18.0-rc1-00028-g7ea30958b305 #11 PREEMPT\n Hardware name: Thundercomm Dragonboard 845c (DT)\n ...\n Call trace:\n slim_xfer_msg+0x24/0x1ac [slimbus] (P)\n slim_read+0x48/0x74 [slimbus]\n regmap_slimbus_read+0x18/0x24 [regmap_slimbus]\n _regmap_raw_read+0xe8/0x174\n _regmap_bus_read+0x44/0x80\n _regmap_read+0x60/0xd8\n _regmap_update_bits+0xf4/0x140\n _regmap_select_page+0xa8/0x124\n _regmap_raw_write_impl+0x3b8/0x65c\n _regmap_bus_raw_write+0x60/0x80\n _regmap_write+0x58/0xc0\n regmap_write+0x4c/0x80\n wcd934x_hw_params+0x494/0x8b8 [snd_soc_wcd934x]\n snd_soc_dai_hw_params+0x3c/0x7c [snd_soc_core]\n __soc_pcm_hw_params+0x22c/0x634 [snd_soc_core]\n dpcm_be_dai_hw_params+0x1d4/0x38c [snd_soc_core]\n dpcm_fe_dai_hw_params+0x9c/0x17c [snd_soc_core]\n snd_pcm_hw_params+0x124/0x464 [snd_pcm]\n snd_pcm_common_ioctl+0x110c/0x1820 [snd_pcm]\n snd_pcm_ioctl+0x34/0x4c [snd_pcm]\n __arm64_sys_ioctl+0xac/0x104\n invoke_syscall+0x48/0x104\n el0_svc_common.constprop.0+0x40/0xe0\n do_el0_svc+0x1c/0x28\n el0_svc+0x34/0xec\n el0t_64_sync_handler+0xa0/0xf0\n el0t_64_sync+0x198/0x19c\n\nThe __devm_regmap_init_slimbus() started to be used instead of\n__regmap_init_slimbus() after the commit mentioned above and turns out\nthe incorrect bus_context pointer (3rd argument) was used in\n__devm_regmap_init_slimbus(). It should be just \"slimbus\" (which is equal\nto \u0026slimbus-\u003edev). Correct it. The wcd934x codec seems to be the only or\nthe first user of devm_regmap_init_slimbus() but we should fix it till\nthe point where __devm_regmap_init_slimbus() was introduced therefore\ntwo \"Fixes\" tags.\n\nWhile at this, also correct the same argument in __regmap_init_slimbus()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T00:46:44.287Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c0f05129e5734ff3fd14b2c242709314d9ca5433"
},
{
"url": "https://git.kernel.org/stable/c/02d3041caaa3fe4dd69e5a8afd1ac6b918ddc6a1"
},
{
"url": "https://git.kernel.org/stable/c/d979639f099c6e51f06ce4dd8d8e56364d6c17ba"
},
{
"url": "https://git.kernel.org/stable/c/8143e4075d131c528540417a51966f6697be14eb"
},
{
"url": "https://git.kernel.org/stable/c/2664bfd8969d1c43dcbe3ea313f130dfa6b74f4c"
},
{
"url": "https://git.kernel.org/stable/c/a16e92f8d7dc7371e68f17a9926cb92d2244be7b"
},
{
"url": "https://git.kernel.org/stable/c/b65f3303349eaee333e47d2a99045aa12fa0c3a7"
},
{
"url": "https://git.kernel.org/stable/c/434f7349a1f00618a620b316f091bd13a12bc8d2"
}
],
"title": "regmap: slimbus: fix bus_context pointer in regmap init calls",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40317",
"datePublished": "2025-12-08T00:46:44.287Z",
"dateReserved": "2025-04-16T07:20:57.186Z",
"dateUpdated": "2025-12-08T00:46:44.287Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-22058 (GCVE-0-2025-22058)
Vulnerability from cvelistv5
Published
2025-04-16 14:12
Modified
2025-11-03 19:41
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
udp: Fix memory accounting leak.
Matt Dowling reported a weird UDP memory usage issue.
Under normal operation, the UDP memory usage reported in /proc/net/sockstat
remains close to zero. However, it occasionally spiked to 524,288 pages
and never dropped. Moreover, the value doubled when the application was
terminated. Finally, it caused intermittent packet drops.
We can reproduce the issue with the script below [0]:
1. /proc/net/sockstat reports 0 pages
# cat /proc/net/sockstat | grep UDP:
UDP: inuse 1 mem 0
2. Run the script till the report reaches 524,288
# python3 test.py & sleep 5
# cat /proc/net/sockstat | grep UDP:
UDP: inuse 3 mem 524288 <-- (INT_MAX + 1) >> PAGE_SHIFT
3. Kill the socket and confirm the number never drops
# pkill python3 && sleep 5
# cat /proc/net/sockstat | grep UDP:
UDP: inuse 1 mem 524288
4. (necessary since v6.0) Trigger proto_memory_pcpu_drain()
# python3 test.py & sleep 1 && pkill python3
5. The number doubles
# cat /proc/net/sockstat | grep UDP:
UDP: inuse 1 mem 1048577
The application set INT_MAX to SO_RCVBUF, which triggered an integer
overflow in udp_rmem_release().
When a socket is close()d, udp_destruct_common() purges its receive
queue and sums up skb->truesize in the queue. This total is calculated
and stored in a local unsigned integer variable.
The total size is then passed to udp_rmem_release() to adjust memory
accounting. However, because the function takes a signed integer
argument, the total size can wrap around, causing an overflow.
Then, the released amount is calculated as follows:
1) Add size to sk->sk_forward_alloc.
2) Round down sk->sk_forward_alloc to the nearest lower multiple of
PAGE_SIZE and assign it to amount.
3) Subtract amount from sk->sk_forward_alloc.
4) Pass amount >> PAGE_SHIFT to __sk_mem_reduce_allocated().
When the issue occurred, the total in udp_destruct_common() was 2147484480
(INT_MAX + 833), which was cast to -2147482816 in udp_rmem_release().
At 1) sk->sk_forward_alloc is changed from 3264 to -2147479552, and
2) sets -2147479552 to amount. 3) reverts the wraparound, so we don't
see a warning in inet_sock_destruct(). However, udp_memory_allocated
ends up doubling at 4).
Since commit 3cd3399dd7a8 ("net: implement per-cpu reserves for
memory_allocated"), memory usage no longer doubles immediately after
a socket is close()d because __sk_mem_reduce_allocated() caches the
amount in udp_memory_per_cpu_fw_alloc. However, the next time a UDP
socket receives a packet, the subtraction takes effect, causing UDP
memory usage to double.
This issue makes further memory allocation fail once the socket's
sk->sk_rmem_alloc exceeds net.ipv4.udp_rmem_min, resulting in packet
drops.
To prevent this issue, let's use unsigned int for the calculation and
call sk_forward_alloc_add() only once for the small delta.
Note that first_packet_length() also potentially has the same problem.
[0]:
from socket import *
SO_RCVBUFFORCE = 33
INT_MAX = (2 ** 31) - 1
s = socket(AF_INET, SOCK_DGRAM)
s.bind(('', 0))
s.setsockopt(SOL_SOCKET, SO_RCVBUFFORCE, INT_MAX)
c = socket(AF_INET, SOCK_DGRAM)
c.connect(s.getsockname())
data = b'a' * 100
while True:
c.send(data)
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb Version: f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb Version: f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb Version: f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb Version: f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb Version: f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb Version: f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb Version: f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb Version: f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:41:42.590Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/udp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "13550273171f5108b1ac572d8f72f4256ab92854",
"status": "affected",
"version": "f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb",
"versionType": "git"
},
{
"lessThan": "d9c8266ce536e8314d84370e983afcaa36fb19cf",
"status": "affected",
"version": "f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb",
"versionType": "git"
},
{
"lessThan": "c3ad8c30b6b109283d2643e925f8e65f2e7ab34e",
"status": "affected",
"version": "f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb",
"versionType": "git"
},
{
"lessThan": "9122fec396950cc866137af7154b1d0d989be52e",
"status": "affected",
"version": "f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb",
"versionType": "git"
},
{
"lessThan": "aeef6456692c6f11ae53d278df64f1316a2a405a",
"status": "affected",
"version": "f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb",
"versionType": "git"
},
{
"lessThan": "a116b271bf3cb72c8155b6b7f39083c1b80dcd00",
"status": "affected",
"version": "f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb",
"versionType": "git"
},
{
"lessThan": "c4bac6c398118fba79e32b1cd01db22dbfe29fbf",
"status": "affected",
"version": "f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb",
"versionType": "git"
},
{
"lessThan": "3836029448e76c1e6f77cc5fe0adc09b018b5fa8",
"status": "affected",
"version": "f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb",
"versionType": "git"
},
{
"lessThan": "df207de9d9e7a4d92f8567e2c539d9c8c12fd99d",
"status": "affected",
"version": "f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/udp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.10"
},
{
"lessThan": "4.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.134",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.87",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.23",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.11",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.2",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "4.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nudp: Fix memory accounting leak.\n\nMatt Dowling reported a weird UDP memory usage issue.\n\nUnder normal operation, the UDP memory usage reported in /proc/net/sockstat\nremains close to zero. However, it occasionally spiked to 524,288 pages\nand never dropped. Moreover, the value doubled when the application was\nterminated. Finally, it caused intermittent packet drops.\n\nWe can reproduce the issue with the script below [0]:\n\n 1. /proc/net/sockstat reports 0 pages\n\n # cat /proc/net/sockstat | grep UDP:\n UDP: inuse 1 mem 0\n\n 2. Run the script till the report reaches 524,288\n\n # python3 test.py \u0026 sleep 5\n # cat /proc/net/sockstat | grep UDP:\n UDP: inuse 3 mem 524288 \u003c-- (INT_MAX + 1) \u003e\u003e PAGE_SHIFT\n\n 3. Kill the socket and confirm the number never drops\n\n # pkill python3 \u0026\u0026 sleep 5\n # cat /proc/net/sockstat | grep UDP:\n UDP: inuse 1 mem 524288\n\n 4. (necessary since v6.0) Trigger proto_memory_pcpu_drain()\n\n # python3 test.py \u0026 sleep 1 \u0026\u0026 pkill python3\n\n 5. The number doubles\n\n # cat /proc/net/sockstat | grep UDP:\n UDP: inuse 1 mem 1048577\n\nThe application set INT_MAX to SO_RCVBUF, which triggered an integer\noverflow in udp_rmem_release().\n\nWhen a socket is close()d, udp_destruct_common() purges its receive\nqueue and sums up skb-\u003etruesize in the queue. This total is calculated\nand stored in a local unsigned integer variable.\n\nThe total size is then passed to udp_rmem_release() to adjust memory\naccounting. However, because the function takes a signed integer\nargument, the total size can wrap around, causing an overflow.\n\nThen, the released amount is calculated as follows:\n\n 1) Add size to sk-\u003esk_forward_alloc.\n 2) Round down sk-\u003esk_forward_alloc to the nearest lower multiple of\n PAGE_SIZE and assign it to amount.\n 3) Subtract amount from sk-\u003esk_forward_alloc.\n 4) Pass amount \u003e\u003e PAGE_SHIFT to __sk_mem_reduce_allocated().\n\nWhen the issue occurred, the total in udp_destruct_common() was 2147484480\n(INT_MAX + 833), which was cast to -2147482816 in udp_rmem_release().\n\nAt 1) sk-\u003esk_forward_alloc is changed from 3264 to -2147479552, and\n2) sets -2147479552 to amount. 3) reverts the wraparound, so we don\u0027t\nsee a warning in inet_sock_destruct(). However, udp_memory_allocated\nends up doubling at 4).\n\nSince commit 3cd3399dd7a8 (\"net: implement per-cpu reserves for\nmemory_allocated\"), memory usage no longer doubles immediately after\na socket is close()d because __sk_mem_reduce_allocated() caches the\namount in udp_memory_per_cpu_fw_alloc. However, the next time a UDP\nsocket receives a packet, the subtraction takes effect, causing UDP\nmemory usage to double.\n\nThis issue makes further memory allocation fail once the socket\u0027s\nsk-\u003esk_rmem_alloc exceeds net.ipv4.udp_rmem_min, resulting in packet\ndrops.\n\nTo prevent this issue, let\u0027s use unsigned int for the calculation and\ncall sk_forward_alloc_add() only once for the small delta.\n\nNote that first_packet_length() also potentially has the same problem.\n\n[0]:\nfrom socket import *\n\nSO_RCVBUFFORCE = 33\nINT_MAX = (2 ** 31) - 1\n\ns = socket(AF_INET, SOCK_DGRAM)\ns.bind((\u0027\u0027, 0))\ns.setsockopt(SOL_SOCKET, SO_RCVBUFFORCE, INT_MAX)\n\nc = socket(AF_INET, SOCK_DGRAM)\nc.connect(s.getsockname())\n\ndata = b\u0027a\u0027 * 100\n\nwhile True:\n c.send(data)"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T13:19:03.041Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/13550273171f5108b1ac572d8f72f4256ab92854"
},
{
"url": "https://git.kernel.org/stable/c/d9c8266ce536e8314d84370e983afcaa36fb19cf"
},
{
"url": "https://git.kernel.org/stable/c/c3ad8c30b6b109283d2643e925f8e65f2e7ab34e"
},
{
"url": "https://git.kernel.org/stable/c/9122fec396950cc866137af7154b1d0d989be52e"
},
{
"url": "https://git.kernel.org/stable/c/aeef6456692c6f11ae53d278df64f1316a2a405a"
},
{
"url": "https://git.kernel.org/stable/c/a116b271bf3cb72c8155b6b7f39083c1b80dcd00"
},
{
"url": "https://git.kernel.org/stable/c/c4bac6c398118fba79e32b1cd01db22dbfe29fbf"
},
{
"url": "https://git.kernel.org/stable/c/3836029448e76c1e6f77cc5fe0adc09b018b5fa8"
},
{
"url": "https://git.kernel.org/stable/c/df207de9d9e7a4d92f8567e2c539d9c8c12fd99d"
}
],
"title": "udp: Fix memory accounting leak.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-22058",
"datePublished": "2025-04-16T14:12:14.876Z",
"dateReserved": "2024-12-29T08:45:45.812Z",
"dateUpdated": "2025-11-03T19:41:42.590Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40164 (GCVE-0-2025-40164)
Vulnerability from cvelistv5
Published
2025-11-12 10:26
Modified
2026-02-06 16:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usbnet: Fix using smp_processor_id() in preemptible code warnings
Syzbot reported the following warning:
BUG: using smp_processor_id() in preemptible [00000000] code: dhcpcd/2879
caller is usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331
CPU: 1 UID: 0 PID: 2879 Comm: dhcpcd Not tainted 6.15.0-rc4-syzkaller-00098-g615dca38c2ea #0 PREEMPT(voluntary)
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120
check_preemption_disabled+0xd0/0xe0 lib/smp_processor_id.c:49
usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331
usbnet_resume_rx+0x4b/0x170 drivers/net/usb/usbnet.c:708
usbnet_change_mtu+0x1be/0x220 drivers/net/usb/usbnet.c:417
__dev_set_mtu net/core/dev.c:9443 [inline]
netif_set_mtu_ext+0x369/0x5c0 net/core/dev.c:9496
netif_set_mtu+0xb0/0x160 net/core/dev.c:9520
dev_set_mtu+0xae/0x170 net/core/dev_api.c:247
dev_ifsioc+0xa31/0x18d0 net/core/dev_ioctl.c:572
dev_ioctl+0x223/0x10e0 net/core/dev_ioctl.c:821
sock_do_ioctl+0x19d/0x280 net/socket.c:1204
sock_ioctl+0x42f/0x6a0 net/socket.c:1311
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:906 [inline]
__se_sys_ioctl fs/ioctl.c:892 [inline]
__x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
For historical and portability reasons, the netif_rx() is usually
run in the softirq or interrupt context, this commit therefore add
local_bh_disable/enable() protection in the usbnet_resume_rx().
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 43daa96b166c3cf5ff30dfac0c5efa2620e4beab Version: 43daa96b166c3cf5ff30dfac0c5efa2620e4beab Version: 43daa96b166c3cf5ff30dfac0c5efa2620e4beab Version: 43daa96b166c3cf5ff30dfac0c5efa2620e4beab Version: 43daa96b166c3cf5ff30dfac0c5efa2620e4beab Version: 43daa96b166c3cf5ff30dfac0c5efa2620e4beab |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/usbnet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "65d04291adf7c59338f87aab9c6fe0bfa9993e64",
"status": "affected",
"version": "43daa96b166c3cf5ff30dfac0c5efa2620e4beab",
"versionType": "git"
},
{
"lessThan": "f45fffae5e2549bd0a4670cc52a15ad54c9f121e",
"status": "affected",
"version": "43daa96b166c3cf5ff30dfac0c5efa2620e4beab",
"versionType": "git"
},
{
"lessThan": "17fbad93879e87a334062882b45fa727ba1b3dd7",
"status": "affected",
"version": "43daa96b166c3cf5ff30dfac0c5efa2620e4beab",
"versionType": "git"
},
{
"lessThan": "d1944bab8e0c1511f0cbf364aa06547735bb0ddb",
"status": "affected",
"version": "43daa96b166c3cf5ff30dfac0c5efa2620e4beab",
"versionType": "git"
},
{
"lessThan": "0134c7bff14bd50314a4f92b182850ddfc38e255",
"status": "affected",
"version": "43daa96b166c3cf5ff30dfac0c5efa2620e4beab",
"versionType": "git"
},
{
"lessThan": "327cd4b68b4398b6c24f10eb2b2533ffbfc10185",
"status": "affected",
"version": "43daa96b166c3cf5ff30dfac0c5efa2620e4beab",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/usbnet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.7"
},
{
"lessThan": "4.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.5",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusbnet: Fix using smp_processor_id() in preemptible code warnings\n\nSyzbot reported the following warning:\n\nBUG: using smp_processor_id() in preemptible [00000000] code: dhcpcd/2879\ncaller is usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331\nCPU: 1 UID: 0 PID: 2879 Comm: dhcpcd Not tainted 6.15.0-rc4-syzkaller-00098-g615dca38c2ea #0 PREEMPT(voluntary)\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120\n check_preemption_disabled+0xd0/0xe0 lib/smp_processor_id.c:49\n usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331\n usbnet_resume_rx+0x4b/0x170 drivers/net/usb/usbnet.c:708\n usbnet_change_mtu+0x1be/0x220 drivers/net/usb/usbnet.c:417\n __dev_set_mtu net/core/dev.c:9443 [inline]\n netif_set_mtu_ext+0x369/0x5c0 net/core/dev.c:9496\n netif_set_mtu+0xb0/0x160 net/core/dev.c:9520\n dev_set_mtu+0xae/0x170 net/core/dev_api.c:247\n dev_ifsioc+0xa31/0x18d0 net/core/dev_ioctl.c:572\n dev_ioctl+0x223/0x10e0 net/core/dev_ioctl.c:821\n sock_do_ioctl+0x19d/0x280 net/socket.c:1204\n sock_ioctl+0x42f/0x6a0 net/socket.c:1311\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:906 [inline]\n __se_sys_ioctl fs/ioctl.c:892 [inline]\n __x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFor historical and portability reasons, the netif_rx() is usually\nrun in the softirq or interrupt context, this commit therefore add\nlocal_bh_disable/enable() protection in the usbnet_resume_rx()."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T16:31:29.699Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/65d04291adf7c59338f87aab9c6fe0bfa9993e64"
},
{
"url": "https://git.kernel.org/stable/c/f45fffae5e2549bd0a4670cc52a15ad54c9f121e"
},
{
"url": "https://git.kernel.org/stable/c/17fbad93879e87a334062882b45fa727ba1b3dd7"
},
{
"url": "https://git.kernel.org/stable/c/d1944bab8e0c1511f0cbf364aa06547735bb0ddb"
},
{
"url": "https://git.kernel.org/stable/c/0134c7bff14bd50314a4f92b182850ddfc38e255"
},
{
"url": "https://git.kernel.org/stable/c/327cd4b68b4398b6c24f10eb2b2533ffbfc10185"
}
],
"title": "usbnet: Fix using smp_processor_id() in preemptible code warnings",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40164",
"datePublished": "2025-11-12T10:26:23.482Z",
"dateReserved": "2025-04-16T07:20:57.176Z",
"dateUpdated": "2026-02-06T16:31:29.699Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49465 (GCVE-0-2022-49465)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2026-01-19 12:17
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
blk-throttle: Set BIO_THROTTLED when bio has been throttled
1.In current process, all bio will set the BIO_THROTTLED flag
after __blk_throtl_bio().
2.If bio needs to be throttled, it will start the timer and
stop submit bio directly. Bio will submit in
blk_throtl_dispatch_work_fn() when the timer expires.But in
the current process, if bio is throttled. The BIO_THROTTLED
will be set to bio after timer start. If the bio has been
completed, it may cause use-after-free blow.
BUG: KASAN: use-after-free in blk_throtl_bio+0x12f0/0x2c70
Read of size 2 at addr ffff88801b8902d4 by task fio/26380
dump_stack+0x9b/0xce
print_address_description.constprop.6+0x3e/0x60
kasan_report.cold.9+0x22/0x3a
blk_throtl_bio+0x12f0/0x2c70
submit_bio_checks+0x701/0x1550
submit_bio_noacct+0x83/0xc80
submit_bio+0xa7/0x330
mpage_readahead+0x380/0x500
read_pages+0x1c1/0xbf0
page_cache_ra_unbounded+0x471/0x6f0
do_page_cache_ra+0xda/0x110
ondemand_readahead+0x442/0xae0
page_cache_async_ra+0x210/0x300
generic_file_buffered_read+0x4d9/0x2130
generic_file_read_iter+0x315/0x490
blkdev_read_iter+0x113/0x1b0
aio_read+0x2ad/0x450
io_submit_one+0xc8e/0x1d60
__se_sys_io_submit+0x125/0x350
do_syscall_64+0x2d/0x40
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Allocated by task 26380:
kasan_save_stack+0x19/0x40
__kasan_kmalloc.constprop.2+0xc1/0xd0
kmem_cache_alloc+0x146/0x440
mempool_alloc+0x125/0x2f0
bio_alloc_bioset+0x353/0x590
mpage_alloc+0x3b/0x240
do_mpage_readpage+0xddf/0x1ef0
mpage_readahead+0x264/0x500
read_pages+0x1c1/0xbf0
page_cache_ra_unbounded+0x471/0x6f0
do_page_cache_ra+0xda/0x110
ondemand_readahead+0x442/0xae0
page_cache_async_ra+0x210/0x300
generic_file_buffered_read+0x4d9/0x2130
generic_file_read_iter+0x315/0x490
blkdev_read_iter+0x113/0x1b0
aio_read+0x2ad/0x450
io_submit_one+0xc8e/0x1d60
__se_sys_io_submit+0x125/0x350
do_syscall_64+0x2d/0x40
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Freed by task 0:
kasan_save_stack+0x19/0x40
kasan_set_track+0x1c/0x30
kasan_set_free_info+0x1b/0x30
__kasan_slab_free+0x111/0x160
kmem_cache_free+0x94/0x460
mempool_free+0xd6/0x320
bio_free+0xe0/0x130
bio_put+0xab/0xe0
bio_endio+0x3a6/0x5d0
blk_update_request+0x590/0x1370
scsi_end_request+0x7d/0x400
scsi_io_completion+0x1aa/0xe50
scsi_softirq_done+0x11b/0x240
blk_mq_complete_request+0xd4/0x120
scsi_mq_done+0xf0/0x200
virtscsi_vq_done+0xbc/0x150
vring_interrupt+0x179/0x390
__handle_irq_event_percpu+0xf7/0x490
handle_irq_event_percpu+0x7b/0x160
handle_irq_event+0xcc/0x170
handle_edge_irq+0x215/0xb20
common_interrupt+0x60/0x120
asm_common_interrupt+0x1e/0x40
Fix this by move BIO_THROTTLED set into the queue_lock.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49465",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T18:16:02.824581Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:22:32.723Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/blk-throttle.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "24ba80efaf6e772f6132465fad08e20fb4767da7",
"status": "affected",
"version": "2a0f61e6ecd08d260054bde4b096ff207ce5350f",
"versionType": "git"
},
{
"lessThan": "047ea38d41d90d748bca812a43339632f52ba715",
"status": "affected",
"version": "2a0f61e6ecd08d260054bde4b096ff207ce5350f",
"versionType": "git"
},
{
"lessThan": "0cfc8a0fb07cde61915e4a77c4794c47de3114a4",
"status": "affected",
"version": "2a0f61e6ecd08d260054bde4b096ff207ce5350f",
"versionType": "git"
},
{
"lessThan": "935fa666534d7b7185e8c6b0191cd06281be4290",
"status": "affected",
"version": "2a0f61e6ecd08d260054bde4b096ff207ce5350f",
"versionType": "git"
},
{
"lessThan": "5a011f889b4832aa80c2a872a5aade5c48d2756f",
"status": "affected",
"version": "2a0f61e6ecd08d260054bde4b096ff207ce5350f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/blk-throttle.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.11"
},
{
"lessThan": "3.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "3.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-throttle: Set BIO_THROTTLED when bio has been throttled\n\n1.In current process, all bio will set the BIO_THROTTLED flag\nafter __blk_throtl_bio().\n\n2.If bio needs to be throttled, it will start the timer and\nstop submit bio directly. Bio will submit in\nblk_throtl_dispatch_work_fn() when the timer expires.But in\nthe current process, if bio is throttled. The BIO_THROTTLED\nwill be set to bio after timer start. If the bio has been\ncompleted, it may cause use-after-free blow.\n\nBUG: KASAN: use-after-free in blk_throtl_bio+0x12f0/0x2c70\nRead of size 2 at addr ffff88801b8902d4 by task fio/26380\n\n dump_stack+0x9b/0xce\n print_address_description.constprop.6+0x3e/0x60\n kasan_report.cold.9+0x22/0x3a\n blk_throtl_bio+0x12f0/0x2c70\n submit_bio_checks+0x701/0x1550\n submit_bio_noacct+0x83/0xc80\n submit_bio+0xa7/0x330\n mpage_readahead+0x380/0x500\n read_pages+0x1c1/0xbf0\n page_cache_ra_unbounded+0x471/0x6f0\n do_page_cache_ra+0xda/0x110\n ondemand_readahead+0x442/0xae0\n page_cache_async_ra+0x210/0x300\n generic_file_buffered_read+0x4d9/0x2130\n generic_file_read_iter+0x315/0x490\n blkdev_read_iter+0x113/0x1b0\n aio_read+0x2ad/0x450\n io_submit_one+0xc8e/0x1d60\n __se_sys_io_submit+0x125/0x350\n do_syscall_64+0x2d/0x40\n entry_SYSCALL_64_after_hwframe+0x44/0xa9\n\nAllocated by task 26380:\n kasan_save_stack+0x19/0x40\n __kasan_kmalloc.constprop.2+0xc1/0xd0\n kmem_cache_alloc+0x146/0x440\n mempool_alloc+0x125/0x2f0\n bio_alloc_bioset+0x353/0x590\n mpage_alloc+0x3b/0x240\n do_mpage_readpage+0xddf/0x1ef0\n mpage_readahead+0x264/0x500\n read_pages+0x1c1/0xbf0\n page_cache_ra_unbounded+0x471/0x6f0\n do_page_cache_ra+0xda/0x110\n ondemand_readahead+0x442/0xae0\n page_cache_async_ra+0x210/0x300\n generic_file_buffered_read+0x4d9/0x2130\n generic_file_read_iter+0x315/0x490\n blkdev_read_iter+0x113/0x1b0\n aio_read+0x2ad/0x450\n io_submit_one+0xc8e/0x1d60\n __se_sys_io_submit+0x125/0x350\n do_syscall_64+0x2d/0x40\n entry_SYSCALL_64_after_hwframe+0x44/0xa9\n\nFreed by task 0:\n kasan_save_stack+0x19/0x40\n kasan_set_track+0x1c/0x30\n kasan_set_free_info+0x1b/0x30\n __kasan_slab_free+0x111/0x160\n kmem_cache_free+0x94/0x460\n mempool_free+0xd6/0x320\n bio_free+0xe0/0x130\n bio_put+0xab/0xe0\n bio_endio+0x3a6/0x5d0\n blk_update_request+0x590/0x1370\n scsi_end_request+0x7d/0x400\n scsi_io_completion+0x1aa/0xe50\n scsi_softirq_done+0x11b/0x240\n blk_mq_complete_request+0xd4/0x120\n scsi_mq_done+0xf0/0x200\n virtscsi_vq_done+0xbc/0x150\n vring_interrupt+0x179/0x390\n __handle_irq_event_percpu+0xf7/0x490\n handle_irq_event_percpu+0x7b/0x160\n handle_irq_event+0xcc/0x170\n handle_edge_irq+0x215/0xb20\n common_interrupt+0x60/0x120\n asm_common_interrupt+0x1e/0x40\n\nFix this by move BIO_THROTTLED set into the queue_lock."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:17:39.645Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/24ba80efaf6e772f6132465fad08e20fb4767da7"
},
{
"url": "https://git.kernel.org/stable/c/047ea38d41d90d748bca812a43339632f52ba715"
},
{
"url": "https://git.kernel.org/stable/c/0cfc8a0fb07cde61915e4a77c4794c47de3114a4"
},
{
"url": "https://git.kernel.org/stable/c/935fa666534d7b7185e8c6b0191cd06281be4290"
},
{
"url": "https://git.kernel.org/stable/c/5a011f889b4832aa80c2a872a5aade5c48d2756f"
}
],
"title": "blk-throttle: Set BIO_THROTTLED when bio has been throttled",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49465",
"datePublished": "2025-02-26T02:13:10.975Z",
"dateReserved": "2025-02-26T02:08:31.577Z",
"dateUpdated": "2026-01-19T12:17:39.645Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40111 (GCVE-0-2025-40111)
Vulnerability from cvelistv5
Published
2025-11-12 01:07
Modified
2025-12-01 06:18
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/vmwgfx: Fix Use-after-free in validation
Nodes stored in the validation duplicates hashtable come from an arena
allocator that is cleared at the end of vmw_execbuf_process. All nodes
are expected to be cleared in vmw_validation_drop_ht but this node escaped
because its resource was destroyed prematurely.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 64ad2abfe9a628ce79859d072704bd1ef7682044 Version: 64ad2abfe9a628ce79859d072704bd1ef7682044 Version: 64ad2abfe9a628ce79859d072704bd1ef7682044 Version: 64ad2abfe9a628ce79859d072704bd1ef7682044 Version: 64ad2abfe9a628ce79859d072704bd1ef7682044 Version: 64ad2abfe9a628ce79859d072704bd1ef7682044 Version: 64ad2abfe9a628ce79859d072704bd1ef7682044 Version: 64ad2abfe9a628ce79859d072704bd1ef7682044 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/vmwgfx/vmwgfx_validation.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1822e5287b7dfa59d0af966756ebf1dc652b60ee",
"status": "affected",
"version": "64ad2abfe9a628ce79859d072704bd1ef7682044",
"versionType": "git"
},
{
"lessThan": "fb7165e5f3b3b10721ff70553583ad12e90e447a",
"status": "affected",
"version": "64ad2abfe9a628ce79859d072704bd1ef7682044",
"versionType": "git"
},
{
"lessThan": "4c918f9d1ccccc0e092f43dcb2d8266f54d7340b",
"status": "affected",
"version": "64ad2abfe9a628ce79859d072704bd1ef7682044",
"versionType": "git"
},
{
"lessThan": "9a8eaca539708ca532747f606d231f70e684e8ca",
"status": "affected",
"version": "64ad2abfe9a628ce79859d072704bd1ef7682044",
"versionType": "git"
},
{
"lessThan": "867bda5d95d36f10da398fd4409e21c7002b2332",
"status": "affected",
"version": "64ad2abfe9a628ce79859d072704bd1ef7682044",
"versionType": "git"
},
{
"lessThan": "655a2f29bfc21105c80bf8a7d7aafa6eca8b4496",
"status": "affected",
"version": "64ad2abfe9a628ce79859d072704bd1ef7682044",
"versionType": "git"
},
{
"lessThan": "65608e991c2d771c13404e5c7ae122ac3c3357a4",
"status": "affected",
"version": "64ad2abfe9a628ce79859d072704bd1ef7682044",
"versionType": "git"
},
{
"lessThan": "dfe1323ab3c8a4dd5625ebfdba44dc47df84512a",
"status": "affected",
"version": "64ad2abfe9a628ce79859d072704bd1ef7682044",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/vmwgfx/vmwgfx_validation.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.20"
},
{
"lessThan": "4.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Fix Use-after-free in validation\n\nNodes stored in the validation duplicates hashtable come from an arena\nallocator that is cleared at the end of vmw_execbuf_process. All nodes\nare expected to be cleared in vmw_validation_drop_ht but this node escaped\nbecause its resource was destroyed prematurely."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:18:14.678Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1822e5287b7dfa59d0af966756ebf1dc652b60ee"
},
{
"url": "https://git.kernel.org/stable/c/fb7165e5f3b3b10721ff70553583ad12e90e447a"
},
{
"url": "https://git.kernel.org/stable/c/4c918f9d1ccccc0e092f43dcb2d8266f54d7340b"
},
{
"url": "https://git.kernel.org/stable/c/9a8eaca539708ca532747f606d231f70e684e8ca"
},
{
"url": "https://git.kernel.org/stable/c/867bda5d95d36f10da398fd4409e21c7002b2332"
},
{
"url": "https://git.kernel.org/stable/c/655a2f29bfc21105c80bf8a7d7aafa6eca8b4496"
},
{
"url": "https://git.kernel.org/stable/c/65608e991c2d771c13404e5c7ae122ac3c3357a4"
},
{
"url": "https://git.kernel.org/stable/c/dfe1323ab3c8a4dd5625ebfdba44dc47df84512a"
}
],
"title": "drm/vmwgfx: Fix Use-after-free in validation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40111",
"datePublished": "2025-11-12T01:07:25.203Z",
"dateReserved": "2025-04-16T07:20:57.167Z",
"dateUpdated": "2025-12-01T06:18:14.678Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40263 (GCVE-0-2025-40263)
Vulnerability from cvelistv5
Published
2025-12-04 16:08
Modified
2026-01-02 15:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Input: cros_ec_keyb - fix an invalid memory access
If cros_ec_keyb_register_matrix() isn't called (due to
`buttons_switches_only`) in cros_ec_keyb_probe(), `ckdev->idev` remains
NULL. An invalid memory access is observed in cros_ec_keyb_process()
when receiving an EC_MKBP_EVENT_KEY_MATRIX event in cros_ec_keyb_work()
in such case.
Unable to handle kernel read from unreadable memory at virtual address 0000000000000028
...
x3 : 0000000000000000 x2 : 0000000000000000
x1 : 0000000000000000 x0 : 0000000000000000
Call trace:
input_event
cros_ec_keyb_work
blocking_notifier_call_chain
ec_irq_thread
It's still unknown about why the kernel receives such malformed event,
in any cases, the kernel shouldn't access `ckdev->idev` and friends if
the driver doesn't intend to initialize them.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/input/keyboard/cros_ec_keyb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d74864291cb8bd784d44d1d02e87109cf88666bb",
"status": "affected",
"version": "ca1eadbfcd36bec73f2a2111c28e8c7e9e8ae6c0",
"versionType": "git"
},
{
"lessThan": "9cf59f4724a9ee06ebb06c76b8678ac322e850b7",
"status": "affected",
"version": "ca1eadbfcd36bec73f2a2111c28e8c7e9e8ae6c0",
"versionType": "git"
},
{
"lessThan": "6d81068685154535af06163eb585d6d9663ec7ec",
"status": "affected",
"version": "ca1eadbfcd36bec73f2a2111c28e8c7e9e8ae6c0",
"versionType": "git"
},
{
"lessThan": "2d251c15c27e2dd16d6318425d2f7260cbd47d39",
"status": "affected",
"version": "ca1eadbfcd36bec73f2a2111c28e8c7e9e8ae6c0",
"versionType": "git"
},
{
"lessThan": "e08969c4d65ac31297fcb4d31d4808c789152f68",
"status": "affected",
"version": "ca1eadbfcd36bec73f2a2111c28e8c7e9e8ae6c0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/input/keyboard/cros_ec_keyb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: cros_ec_keyb - fix an invalid memory access\n\nIf cros_ec_keyb_register_matrix() isn\u0027t called (due to\n`buttons_switches_only`) in cros_ec_keyb_probe(), `ckdev-\u003eidev` remains\nNULL. An invalid memory access is observed in cros_ec_keyb_process()\nwhen receiving an EC_MKBP_EVENT_KEY_MATRIX event in cros_ec_keyb_work()\nin such case.\n\n Unable to handle kernel read from unreadable memory at virtual address 0000000000000028\n ...\n x3 : 0000000000000000 x2 : 0000000000000000\n x1 : 0000000000000000 x0 : 0000000000000000\n Call trace:\n input_event\n cros_ec_keyb_work\n blocking_notifier_call_chain\n ec_irq_thread\n\nIt\u0027s still unknown about why the kernel receives such malformed event,\nin any cases, the kernel shouldn\u0027t access `ckdev-\u003eidev` and friends if\nthe driver doesn\u0027t intend to initialize them."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:17.342Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d74864291cb8bd784d44d1d02e87109cf88666bb"
},
{
"url": "https://git.kernel.org/stable/c/9cf59f4724a9ee06ebb06c76b8678ac322e850b7"
},
{
"url": "https://git.kernel.org/stable/c/6d81068685154535af06163eb585d6d9663ec7ec"
},
{
"url": "https://git.kernel.org/stable/c/2d251c15c27e2dd16d6318425d2f7260cbd47d39"
},
{
"url": "https://git.kernel.org/stable/c/e08969c4d65ac31297fcb4d31d4808c789152f68"
}
],
"title": "Input: cros_ec_keyb - fix an invalid memory access",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40263",
"datePublished": "2025-12-04T16:08:23.327Z",
"dateReserved": "2025-04-16T07:20:57.182Z",
"dateUpdated": "2026-01-02T15:33:17.342Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71162 (GCVE-0-2025-71162)
Vulnerability from cvelistv5
Published
2026-01-25 14:36
Modified
2026-02-09 08:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: tegra-adma: Fix use-after-free
A use-after-free bug exists in the Tegra ADMA driver when audio streams
are terminated, particularly during XRUN conditions. The issue occurs
when the DMA buffer is freed by tegra_adma_terminate_all() before the
vchan completion tasklet finishes accessing it.
The race condition follows this sequence:
1. DMA transfer completes, triggering an interrupt that schedules the
completion tasklet (tasklet has not executed yet)
2. Audio playback stops, calling tegra_adma_terminate_all() which
frees the DMA buffer memory via kfree()
3. The scheduled tasklet finally executes, calling vchan_complete()
which attempts to access the already-freed memory
Since tasklets can execute at any time after being scheduled, there is
no guarantee that the buffer will remain valid when vchan_complete()
runs.
Fix this by properly synchronizing the virtual channel completion:
- Calling vchan_terminate_vdesc() in tegra_adma_stop() to mark the
descriptors as terminated instead of freeing the descriptor.
- Add the callback tegra_adma_synchronize() that calls
vchan_synchronize() which kills any pending tasklets and frees any
terminated descriptors.
Crash logs:
[ 337.427523] BUG: KASAN: use-after-free in vchan_complete+0x124/0x3b0
[ 337.427544] Read of size 8 at addr ffff000132055428 by task swapper/0/0
[ 337.427562] Call trace:
[ 337.427564] dump_backtrace+0x0/0x320
[ 337.427571] show_stack+0x20/0x30
[ 337.427575] dump_stack_lvl+0x68/0x84
[ 337.427584] print_address_description.constprop.0+0x74/0x2b8
[ 337.427590] kasan_report+0x1f4/0x210
[ 337.427598] __asan_load8+0xa0/0xd0
[ 337.427603] vchan_complete+0x124/0x3b0
[ 337.427609] tasklet_action_common.constprop.0+0x190/0x1d0
[ 337.427617] tasklet_action+0x30/0x40
[ 337.427623] __do_softirq+0x1a0/0x5c4
[ 337.427628] irq_exit+0x110/0x140
[ 337.427633] handle_domain_irq+0xa4/0xe0
[ 337.427640] gic_handle_irq+0x64/0x160
[ 337.427644] call_on_irq_stack+0x20/0x4c
[ 337.427649] do_interrupt_handler+0x7c/0x90
[ 337.427654] el1_interrupt+0x30/0x80
[ 337.427659] el1h_64_irq_handler+0x18/0x30
[ 337.427663] el1h_64_irq+0x7c/0x80
[ 337.427667] cpuidle_enter_state+0xe4/0x540
[ 337.427674] cpuidle_enter+0x54/0x80
[ 337.427679] do_idle+0x2e0/0x380
[ 337.427685] cpu_startup_entry+0x2c/0x70
[ 337.427690] rest_init+0x114/0x130
[ 337.427695] arch_call_rest_init+0x18/0x24
[ 337.427702] start_kernel+0x380/0x3b4
[ 337.427706] __primary_switched+0xc0/0xc8
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: f46b195799b5cb05338e7c44cb3617eacb56d755 Version: f46b195799b5cb05338e7c44cb3617eacb56d755 Version: f46b195799b5cb05338e7c44cb3617eacb56d755 Version: f46b195799b5cb05338e7c44cb3617eacb56d755 Version: f46b195799b5cb05338e7c44cb3617eacb56d755 Version: f46b195799b5cb05338e7c44cb3617eacb56d755 Version: f46b195799b5cb05338e7c44cb3617eacb56d755 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/tegra210-adma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5f8d1d66a952d0396671e1f21ff8127a4d14fb4e",
"status": "affected",
"version": "f46b195799b5cb05338e7c44cb3617eacb56d755",
"versionType": "git"
},
{
"lessThan": "76992310f80776b4d1f7f8915f59b92883a3e44c",
"status": "affected",
"version": "f46b195799b5cb05338e7c44cb3617eacb56d755",
"versionType": "git"
},
{
"lessThan": "ae3eed72de682ddbba507ed2d6b848c21a6b721e",
"status": "affected",
"version": "f46b195799b5cb05338e7c44cb3617eacb56d755",
"versionType": "git"
},
{
"lessThan": "59cb421b0902fbef2b9512ae8ba198a20f26b41f",
"status": "affected",
"version": "f46b195799b5cb05338e7c44cb3617eacb56d755",
"versionType": "git"
},
{
"lessThan": "cb2c9c4bb1322cc3c9984ad17db8cdd2663879ca",
"status": "affected",
"version": "f46b195799b5cb05338e7c44cb3617eacb56d755",
"versionType": "git"
},
{
"lessThan": "be655c3736b3546f39bc8116ffbf2a3b6cac96c4",
"status": "affected",
"version": "f46b195799b5cb05338e7c44cb3617eacb56d755",
"versionType": "git"
},
{
"lessThan": "2efd07a7c36949e6fa36a69183df24d368bf9e96",
"status": "affected",
"version": "f46b195799b5cb05338e7c44cb3617eacb56d755",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/tegra210-adma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.7"
},
{
"lessThan": "4.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: tegra-adma: Fix use-after-free\n\nA use-after-free bug exists in the Tegra ADMA driver when audio streams\nare terminated, particularly during XRUN conditions. The issue occurs\nwhen the DMA buffer is freed by tegra_adma_terminate_all() before the\nvchan completion tasklet finishes accessing it.\n\nThe race condition follows this sequence:\n\n 1. DMA transfer completes, triggering an interrupt that schedules the\n completion tasklet (tasklet has not executed yet)\n 2. Audio playback stops, calling tegra_adma_terminate_all() which\n frees the DMA buffer memory via kfree()\n 3. The scheduled tasklet finally executes, calling vchan_complete()\n which attempts to access the already-freed memory\n\nSince tasklets can execute at any time after being scheduled, there is\nno guarantee that the buffer will remain valid when vchan_complete()\nruns.\n\nFix this by properly synchronizing the virtual channel completion:\n - Calling vchan_terminate_vdesc() in tegra_adma_stop() to mark the\n descriptors as terminated instead of freeing the descriptor.\n - Add the callback tegra_adma_synchronize() that calls\n vchan_synchronize() which kills any pending tasklets and frees any\n terminated descriptors.\n\nCrash logs:\n[ 337.427523] BUG: KASAN: use-after-free in vchan_complete+0x124/0x3b0\n[ 337.427544] Read of size 8 at addr ffff000132055428 by task swapper/0/0\n\n[ 337.427562] Call trace:\n[ 337.427564] dump_backtrace+0x0/0x320\n[ 337.427571] show_stack+0x20/0x30\n[ 337.427575] dump_stack_lvl+0x68/0x84\n[ 337.427584] print_address_description.constprop.0+0x74/0x2b8\n[ 337.427590] kasan_report+0x1f4/0x210\n[ 337.427598] __asan_load8+0xa0/0xd0\n[ 337.427603] vchan_complete+0x124/0x3b0\n[ 337.427609] tasklet_action_common.constprop.0+0x190/0x1d0\n[ 337.427617] tasklet_action+0x30/0x40\n[ 337.427623] __do_softirq+0x1a0/0x5c4\n[ 337.427628] irq_exit+0x110/0x140\n[ 337.427633] handle_domain_irq+0xa4/0xe0\n[ 337.427640] gic_handle_irq+0x64/0x160\n[ 337.427644] call_on_irq_stack+0x20/0x4c\n[ 337.427649] do_interrupt_handler+0x7c/0x90\n[ 337.427654] el1_interrupt+0x30/0x80\n[ 337.427659] el1h_64_irq_handler+0x18/0x30\n[ 337.427663] el1h_64_irq+0x7c/0x80\n[ 337.427667] cpuidle_enter_state+0xe4/0x540\n[ 337.427674] cpuidle_enter+0x54/0x80\n[ 337.427679] do_idle+0x2e0/0x380\n[ 337.427685] cpu_startup_entry+0x2c/0x70\n[ 337.427690] rest_init+0x114/0x130\n[ 337.427695] arch_call_rest_init+0x18/0x24\n[ 337.427702] start_kernel+0x380/0x3b4\n[ 337.427706] __primary_switched+0xc0/0xc8"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:00.886Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5f8d1d66a952d0396671e1f21ff8127a4d14fb4e"
},
{
"url": "https://git.kernel.org/stable/c/76992310f80776b4d1f7f8915f59b92883a3e44c"
},
{
"url": "https://git.kernel.org/stable/c/ae3eed72de682ddbba507ed2d6b848c21a6b721e"
},
{
"url": "https://git.kernel.org/stable/c/59cb421b0902fbef2b9512ae8ba198a20f26b41f"
},
{
"url": "https://git.kernel.org/stable/c/cb2c9c4bb1322cc3c9984ad17db8cdd2663879ca"
},
{
"url": "https://git.kernel.org/stable/c/be655c3736b3546f39bc8116ffbf2a3b6cac96c4"
},
{
"url": "https://git.kernel.org/stable/c/2efd07a7c36949e6fa36a69183df24d368bf9e96"
}
],
"title": "dmaengine: tegra-adma: Fix use-after-free",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71162",
"datePublished": "2026-01-25T14:36:09.029Z",
"dateReserved": "2026-01-13T15:30:19.666Z",
"dateUpdated": "2026-02-09T08:36:00.886Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40194 (GCVE-0-2025-40194)
Vulnerability from cvelistv5
Published
2025-11-12 21:56
Modified
2025-12-01 06:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
cpufreq: intel_pstate: Fix object lifecycle issue in update_qos_request()
The cpufreq_cpu_put() call in update_qos_request() takes place too early
because the latter subsequently calls freq_qos_update_request() that
indirectly accesses the policy object in question through the QoS request
object passed to it.
Fortunately, update_qos_request() is called under intel_pstate_driver_lock,
so this issue does not matter for changing the intel_pstate operation
mode, but it theoretically can cause a crash to occur on CPU device hot
removal (which currently can only happen in virt, but it is formally
supported nevertheless).
Address this issue by modifying update_qos_request() to drop the
reference to the policy later.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: da5c504c7aae96db68c4b38e2564a88e91842d89 Version: da5c504c7aae96db68c4b38e2564a88e91842d89 Version: da5c504c7aae96db68c4b38e2564a88e91842d89 Version: da5c504c7aae96db68c4b38e2564a88e91842d89 Version: da5c504c7aae96db68c4b38e2564a88e91842d89 Version: da5c504c7aae96db68c4b38e2564a88e91842d89 Version: da5c504c7aae96db68c4b38e2564a88e91842d89 Version: da5c504c7aae96db68c4b38e2564a88e91842d89 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/cpufreq/intel_pstate.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "15ac9579ebdaf22a37d7f60b3a8efc1029732ef9",
"status": "affected",
"version": "da5c504c7aae96db68c4b38e2564a88e91842d89",
"versionType": "git"
},
{
"lessThan": "bc26564bcc659beb6d977cd6eb394041ec2f2851",
"status": "affected",
"version": "da5c504c7aae96db68c4b38e2564a88e91842d89",
"versionType": "git"
},
{
"lessThan": "ad4e8f9bdbef11a19b7cb93e7f313bf59bdcc3b4",
"status": "affected",
"version": "da5c504c7aae96db68c4b38e2564a88e91842d89",
"versionType": "git"
},
{
"lessThan": "0a58d3e77b22b087a57831c87cafd360e144a5bd",
"status": "affected",
"version": "da5c504c7aae96db68c4b38e2564a88e91842d89",
"versionType": "git"
},
{
"lessThan": "69a18ff6c60e8e113420f15355fad862cb45d38e",
"status": "affected",
"version": "da5c504c7aae96db68c4b38e2564a88e91842d89",
"versionType": "git"
},
{
"lessThan": "ba63d4e9857a72a89e71a4eff9f2cc8c283e94c3",
"status": "affected",
"version": "da5c504c7aae96db68c4b38e2564a88e91842d89",
"versionType": "git"
},
{
"lessThan": "57e4a6aadf12578b96a038373cffd54b3a58b092",
"status": "affected",
"version": "da5c504c7aae96db68c4b38e2564a88e91842d89",
"versionType": "git"
},
{
"lessThan": "69e5d50fcf4093fb3f9f41c4f931f12c2ca8c467",
"status": "affected",
"version": "da5c504c7aae96db68c4b38e2564a88e91842d89",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/cpufreq/intel_pstate.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: intel_pstate: Fix object lifecycle issue in update_qos_request()\n\nThe cpufreq_cpu_put() call in update_qos_request() takes place too early\nbecause the latter subsequently calls freq_qos_update_request() that\nindirectly accesses the policy object in question through the QoS request\nobject passed to it.\n\nFortunately, update_qos_request() is called under intel_pstate_driver_lock,\nso this issue does not matter for changing the intel_pstate operation\nmode, but it theoretically can cause a crash to occur on CPU device hot\nremoval (which currently can only happen in virt, but it is formally\nsupported nevertheless).\n\nAddress this issue by modifying update_qos_request() to drop the\nreference to the policy later."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:19:54.506Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/15ac9579ebdaf22a37d7f60b3a8efc1029732ef9"
},
{
"url": "https://git.kernel.org/stable/c/bc26564bcc659beb6d977cd6eb394041ec2f2851"
},
{
"url": "https://git.kernel.org/stable/c/ad4e8f9bdbef11a19b7cb93e7f313bf59bdcc3b4"
},
{
"url": "https://git.kernel.org/stable/c/0a58d3e77b22b087a57831c87cafd360e144a5bd"
},
{
"url": "https://git.kernel.org/stable/c/69a18ff6c60e8e113420f15355fad862cb45d38e"
},
{
"url": "https://git.kernel.org/stable/c/ba63d4e9857a72a89e71a4eff9f2cc8c283e94c3"
},
{
"url": "https://git.kernel.org/stable/c/57e4a6aadf12578b96a038373cffd54b3a58b092"
},
{
"url": "https://git.kernel.org/stable/c/69e5d50fcf4093fb3f9f41c4f931f12c2ca8c467"
}
],
"title": "cpufreq: intel_pstate: Fix object lifecycle issue in update_qos_request()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40194",
"datePublished": "2025-11-12T21:56:32.025Z",
"dateReserved": "2025-04-16T07:20:57.178Z",
"dateUpdated": "2025-12-01T06:19:54.506Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40040 (GCVE-0-2025-40040)
Vulnerability from cvelistv5
Published
2025-10-28 11:48
Modified
2026-01-26 16:17
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/ksm: fix flag-dropping behavior in ksm_madvise
syzkaller discovered the following crash: (kernel BUG)
[ 44.607039] ------------[ cut here ]------------
[ 44.607422] kernel BUG at mm/userfaultfd.c:2067!
[ 44.608148] Oops: invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI
[ 44.608814] CPU: 1 UID: 0 PID: 2475 Comm: reproducer Not tainted 6.16.0-rc6 #1 PREEMPT(none)
[ 44.609635] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 44.610695] RIP: 0010:userfaultfd_release_all+0x3a8/0x460
<snip other registers, drop unreliable trace>
[ 44.617726] Call Trace:
[ 44.617926] <TASK>
[ 44.619284] userfaultfd_release+0xef/0x1b0
[ 44.620976] __fput+0x3f9/0xb60
[ 44.621240] fput_close_sync+0x110/0x210
[ 44.622222] __x64_sys_close+0x8f/0x120
[ 44.622530] do_syscall_64+0x5b/0x2f0
[ 44.622840] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 44.623244] RIP: 0033:0x7f365bb3f227
Kernel panics because it detects UFFD inconsistency during
userfaultfd_release_all(). Specifically, a VMA which has a valid pointer
to vma->vm_userfaultfd_ctx, but no UFFD flags in vma->vm_flags.
The inconsistency is caused in ksm_madvise(): when user calls madvise()
with MADV_UNMEARGEABLE on a VMA that is registered for UFFD in MINOR mode,
it accidentally clears all flags stored in the upper 32 bits of
vma->vm_flags.
Assuming x86_64 kernel build, unsigned long is 64-bit and unsigned int and
int are 32-bit wide. This setup causes the following mishap during the &=
~VM_MERGEABLE assignment.
VM_MERGEABLE is a 32-bit constant of type unsigned int, 0x8000'0000.
After ~ is applied, it becomes 0x7fff'ffff unsigned int, which is then
promoted to unsigned long before the & operation. This promotion fills
upper 32 bits with leading 0s, as we're doing unsigned conversion (and
even for a signed conversion, this wouldn't help as the leading bit is 0).
& operation thus ends up AND-ing vm_flags with 0x0000'0000'7fff'ffff
instead of intended 0xffff'ffff'7fff'ffff and hence accidentally clears
the upper 32-bits of its value.
Fix it by changing `VM_MERGEABLE` constant to unsigned long, using the
BIT() macro.
Note: other VM_* flags are not affected: This only happens to the
VM_MERGEABLE flag, as the other VM_* flags are all constants of type int
and after ~ operation, they end up with leading 1 and are thus converted
to unsigned long with leading 1s.
Note 2:
After commit 31defc3b01d9 ("userfaultfd: remove (VM_)BUG_ON()s"), this is
no longer a kernel BUG, but a WARNING at the same place:
[ 45.595973] WARNING: CPU: 1 PID: 2474 at mm/userfaultfd.c:2067
but the root-cause (flag-drop) remains the same.
[akpm@linux-foundation.org: rust bindgen wasn't able to handle BIT(), from Miguel]
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 63c17fb8e5a46a16e10e82005748837fd11a2024 Version: 63c17fb8e5a46a16e10e82005748837fd11a2024 Version: 63c17fb8e5a46a16e10e82005748837fd11a2024 Version: 63c17fb8e5a46a16e10e82005748837fd11a2024 Version: 63c17fb8e5a46a16e10e82005748837fd11a2024 Version: 63c17fb8e5a46a16e10e82005748837fd11a2024 Version: 63c17fb8e5a46a16e10e82005748837fd11a2024 Version: 63c17fb8e5a46a16e10e82005748837fd11a2024 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/mm.h",
"rust/bindings/bindings_helper.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "850f1ea245bdc0ce6a3fd36bfb80d8cf9647cb71",
"status": "affected",
"version": "63c17fb8e5a46a16e10e82005748837fd11a2024",
"versionType": "git"
},
{
"lessThan": "788e5385d0ff69cdba1cabccb9dab8d9647b9239",
"status": "affected",
"version": "63c17fb8e5a46a16e10e82005748837fd11a2024",
"versionType": "git"
},
{
"lessThan": "b69f19244c2b6475c8a6eb72f0fb0d53509e48cd",
"status": "affected",
"version": "63c17fb8e5a46a16e10e82005748837fd11a2024",
"versionType": "git"
},
{
"lessThan": "41cb9fd904fe0c39d52e82dd84dc3c96b7aa9693",
"status": "affected",
"version": "63c17fb8e5a46a16e10e82005748837fd11a2024",
"versionType": "git"
},
{
"lessThan": "92b82e232b8d8b116ac6e57aeae7a6033db92c60",
"status": "affected",
"version": "63c17fb8e5a46a16e10e82005748837fd11a2024",
"versionType": "git"
},
{
"lessThan": "ac50c6e0a8f91a02b681af81abb2362fbb67cc18",
"status": "affected",
"version": "63c17fb8e5a46a16e10e82005748837fd11a2024",
"versionType": "git"
},
{
"lessThan": "76385629f45740b7888f8fcd83bde955b10f61fe",
"status": "affected",
"version": "63c17fb8e5a46a16e10e82005748837fd11a2024",
"versionType": "git"
},
{
"lessThan": "f04aad36a07cc17b7a5d5b9a2d386ce6fae63e93",
"status": "affected",
"version": "63c17fb8e5a46a16e10e82005748837fd11a2024",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/mm.h",
"rust/bindings/bindings_helper.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.6"
},
{
"lessThan": "4.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.114",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.114",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.55",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/ksm: fix flag-dropping behavior in ksm_madvise\n\nsyzkaller discovered the following crash: (kernel BUG)\n\n[ 44.607039] ------------[ cut here ]------------\n[ 44.607422] kernel BUG at mm/userfaultfd.c:2067!\n[ 44.608148] Oops: invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI\n[ 44.608814] CPU: 1 UID: 0 PID: 2475 Comm: reproducer Not tainted 6.16.0-rc6 #1 PREEMPT(none)\n[ 44.609635] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\n[ 44.610695] RIP: 0010:userfaultfd_release_all+0x3a8/0x460\n\n\u003csnip other registers, drop unreliable trace\u003e\n\n[ 44.617726] Call Trace:\n[ 44.617926] \u003cTASK\u003e\n[ 44.619284] userfaultfd_release+0xef/0x1b0\n[ 44.620976] __fput+0x3f9/0xb60\n[ 44.621240] fput_close_sync+0x110/0x210\n[ 44.622222] __x64_sys_close+0x8f/0x120\n[ 44.622530] do_syscall_64+0x5b/0x2f0\n[ 44.622840] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[ 44.623244] RIP: 0033:0x7f365bb3f227\n\nKernel panics because it detects UFFD inconsistency during\nuserfaultfd_release_all(). Specifically, a VMA which has a valid pointer\nto vma-\u003evm_userfaultfd_ctx, but no UFFD flags in vma-\u003evm_flags.\n\nThe inconsistency is caused in ksm_madvise(): when user calls madvise()\nwith MADV_UNMEARGEABLE on a VMA that is registered for UFFD in MINOR mode,\nit accidentally clears all flags stored in the upper 32 bits of\nvma-\u003evm_flags.\n\nAssuming x86_64 kernel build, unsigned long is 64-bit and unsigned int and\nint are 32-bit wide. This setup causes the following mishap during the \u0026=\n~VM_MERGEABLE assignment.\n\nVM_MERGEABLE is a 32-bit constant of type unsigned int, 0x8000\u00270000. \nAfter ~ is applied, it becomes 0x7fff\u0027ffff unsigned int, which is then\npromoted to unsigned long before the \u0026 operation. This promotion fills\nupper 32 bits with leading 0s, as we\u0027re doing unsigned conversion (and\neven for a signed conversion, this wouldn\u0027t help as the leading bit is 0).\n\u0026 operation thus ends up AND-ing vm_flags with 0x0000\u00270000\u00277fff\u0027ffff\ninstead of intended 0xffff\u0027ffff\u00277fff\u0027ffff and hence accidentally clears\nthe upper 32-bits of its value.\n\nFix it by changing `VM_MERGEABLE` constant to unsigned long, using the\nBIT() macro.\n\nNote: other VM_* flags are not affected: This only happens to the\nVM_MERGEABLE flag, as the other VM_* flags are all constants of type int\nand after ~ operation, they end up with leading 1 and are thus converted\nto unsigned long with leading 1s.\n\nNote 2:\nAfter commit 31defc3b01d9 (\"userfaultfd: remove (VM_)BUG_ON()s\"), this is\nno longer a kernel BUG, but a WARNING at the same place:\n\n[ 45.595973] WARNING: CPU: 1 PID: 2474 at mm/userfaultfd.c:2067\n\nbut the root-cause (flag-drop) remains the same.\n\n[akpm@linux-foundation.org: rust bindgen wasn\u0027t able to handle BIT(), from Miguel]"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-26T16:17:41.532Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/850f1ea245bdc0ce6a3fd36bfb80d8cf9647cb71"
},
{
"url": "https://git.kernel.org/stable/c/788e5385d0ff69cdba1cabccb9dab8d9647b9239"
},
{
"url": "https://git.kernel.org/stable/c/b69f19244c2b6475c8a6eb72f0fb0d53509e48cd"
},
{
"url": "https://git.kernel.org/stable/c/41cb9fd904fe0c39d52e82dd84dc3c96b7aa9693"
},
{
"url": "https://git.kernel.org/stable/c/92b82e232b8d8b116ac6e57aeae7a6033db92c60"
},
{
"url": "https://git.kernel.org/stable/c/ac50c6e0a8f91a02b681af81abb2362fbb67cc18"
},
{
"url": "https://git.kernel.org/stable/c/76385629f45740b7888f8fcd83bde955b10f61fe"
},
{
"url": "https://git.kernel.org/stable/c/f04aad36a07cc17b7a5d5b9a2d386ce6fae63e93"
}
],
"title": "mm/ksm: fix flag-dropping behavior in ksm_madvise",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40040",
"datePublished": "2025-10-28T11:48:20.395Z",
"dateReserved": "2025-04-16T07:20:57.154Z",
"dateUpdated": "2026-01-26T16:17:41.532Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68787 (GCVE-0-2025-68787)
Vulnerability from cvelistv5
Published
2026-01-13 15:29
Modified
2026-02-09 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netrom: Fix memory leak in nr_sendmsg()
syzbot reported a memory leak [1].
When function sock_alloc_send_skb() return NULL in nr_output(), the
original skb is not freed, which was allocated in nr_sendmsg(). Fix this
by freeing it before return.
[1]
BUG: memory leak
unreferenced object 0xffff888129f35500 (size 240):
comm "syz.0.17", pid 6119, jiffies 4294944652
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 10 52 28 81 88 ff ff ..........R(....
backtrace (crc 1456a3e4):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4983 [inline]
slab_alloc_node mm/slub.c:5288 [inline]
kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340
__alloc_skb+0x203/0x240 net/core/skbuff.c:660
alloc_skb include/linux/skbuff.h:1383 [inline]
alloc_skb_with_frags+0x69/0x3f0 net/core/skbuff.c:6671
sock_alloc_send_pskb+0x379/0x3e0 net/core/sock.c:2965
sock_alloc_send_skb include/net/sock.h:1859 [inline]
nr_sendmsg+0x287/0x450 net/netrom/af_netrom.c:1105
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg net/socket.c:742 [inline]
sock_write_iter+0x293/0x2a0 net/socket.c:1195
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0x45d/0x710 fs/read_write.c:686
ksys_write+0x143/0x170 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netrom/nr_out.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f77e538ac4e3adb1882d5bccb7bfdc111b5963d3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "09efbf54eeaecebe882af603c9939a4b1bb9567e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "73839497bbde5cd4fd02bbd9c8bc2640780ae65d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "156a0f6341dce634a825db49ca20b48b1ae9bcc1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8d1ccba4b171cd504ecfa47349cb9864fc9d687c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "51f5fbc1681bdcffcc7d18bf3dfdb2b1278d3977",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "613d12dd794e078be8ff3cf6b62a6b9acf7f4619",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netrom/nr_out.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetrom: Fix memory leak in nr_sendmsg()\n\nsyzbot reported a memory leak [1].\n\nWhen function sock_alloc_send_skb() return NULL in nr_output(), the\noriginal skb is not freed, which was allocated in nr_sendmsg(). Fix this\nby freeing it before return.\n\n[1]\nBUG: memory leak\nunreferenced object 0xffff888129f35500 (size 240):\n comm \"syz.0.17\", pid 6119, jiffies 4294944652\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 00 10 52 28 81 88 ff ff ..........R(....\n backtrace (crc 1456a3e4):\n kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]\n slab_post_alloc_hook mm/slub.c:4983 [inline]\n slab_alloc_node mm/slub.c:5288 [inline]\n kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340\n __alloc_skb+0x203/0x240 net/core/skbuff.c:660\n alloc_skb include/linux/skbuff.h:1383 [inline]\n alloc_skb_with_frags+0x69/0x3f0 net/core/skbuff.c:6671\n sock_alloc_send_pskb+0x379/0x3e0 net/core/sock.c:2965\n sock_alloc_send_skb include/net/sock.h:1859 [inline]\n nr_sendmsg+0x287/0x450 net/netrom/af_netrom.c:1105\n sock_sendmsg_nosec net/socket.c:727 [inline]\n __sock_sendmsg net/socket.c:742 [inline]\n sock_write_iter+0x293/0x2a0 net/socket.c:1195\n new_sync_write fs/read_write.c:593 [inline]\n vfs_write+0x45d/0x710 fs/read_write.c:686\n ksys_write+0x143/0x170 fs/read_write.c:738\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:34.092Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f77e538ac4e3adb1882d5bccb7bfdc111b5963d3"
},
{
"url": "https://git.kernel.org/stable/c/09efbf54eeaecebe882af603c9939a4b1bb9567e"
},
{
"url": "https://git.kernel.org/stable/c/73839497bbde5cd4fd02bbd9c8bc2640780ae65d"
},
{
"url": "https://git.kernel.org/stable/c/156a0f6341dce634a825db49ca20b48b1ae9bcc1"
},
{
"url": "https://git.kernel.org/stable/c/8d1ccba4b171cd504ecfa47349cb9864fc9d687c"
},
{
"url": "https://git.kernel.org/stable/c/51f5fbc1681bdcffcc7d18bf3dfdb2b1278d3977"
},
{
"url": "https://git.kernel.org/stable/c/613d12dd794e078be8ff3cf6b62a6b9acf7f4619"
}
],
"title": "netrom: Fix memory leak in nr_sendmsg()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68787",
"datePublished": "2026-01-13T15:29:00.344Z",
"dateReserved": "2025-12-24T10:30:51.036Z",
"dateUpdated": "2026-02-09T08:33:34.092Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40264 (GCVE-0-2025-40264)
Vulnerability from cvelistv5
Published
2025-12-04 16:08
Modified
2025-12-06 21:39
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
be2net: pass wrb_params in case of OS2BMC
be_insert_vlan_in_pkt() is called with the wrb_params argument being NULL
at be_send_pkt_to_bmc() call site. This may lead to dereferencing a NULL
pointer when processing a workaround for specific packet, as commit
bc0c3405abbb ("be2net: fix a Tx stall bug caused by a specific ipv6
packet") states.
The correct way would be to pass the wrb_params from be_xmit().
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 760c295e0e8d982917d004c9095cff61c0cbd803 Version: 760c295e0e8d982917d004c9095cff61c0cbd803 Version: 760c295e0e8d982917d004c9095cff61c0cbd803 Version: 760c295e0e8d982917d004c9095cff61c0cbd803 Version: 760c295e0e8d982917d004c9095cff61c0cbd803 Version: 760c295e0e8d982917d004c9095cff61c0cbd803 Version: 760c295e0e8d982917d004c9095cff61c0cbd803 Version: 760c295e0e8d982917d004c9095cff61c0cbd803 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/emulex/benet/be_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "48d59b60dd5d7e4c48c077a2008c9dcd7b59bdfe",
"status": "affected",
"version": "760c295e0e8d982917d004c9095cff61c0cbd803",
"versionType": "git"
},
{
"lessThan": "f499dfa5c98e92e72dd454eb95a1000a448f3405",
"status": "affected",
"version": "760c295e0e8d982917d004c9095cff61c0cbd803",
"versionType": "git"
},
{
"lessThan": "630360c6724e27f1aa494ba3fffe1e38c4205284",
"status": "affected",
"version": "760c295e0e8d982917d004c9095cff61c0cbd803",
"versionType": "git"
},
{
"lessThan": "012ee5882b1830db469194466a210768ed207388",
"status": "affected",
"version": "760c295e0e8d982917d004c9095cff61c0cbd803",
"versionType": "git"
},
{
"lessThan": "ce0a3699244aca3acb659f143c9cb1327b210f89",
"status": "affected",
"version": "760c295e0e8d982917d004c9095cff61c0cbd803",
"versionType": "git"
},
{
"lessThan": "1ecd86ec6efddb59a10c927e8e679f183bb9113e",
"status": "affected",
"version": "760c295e0e8d982917d004c9095cff61c0cbd803",
"versionType": "git"
},
{
"lessThan": "4c4741f6e7f2fa4e1486cb61e1c15b9236ec134d",
"status": "affected",
"version": "760c295e0e8d982917d004c9095cff61c0cbd803",
"versionType": "git"
},
{
"lessThan": "7d277a7a58578dd62fd546ddaef459ec24ccae36",
"status": "affected",
"version": "760c295e0e8d982917d004c9095cff61c0cbd803",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/emulex/benet/be_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbe2net: pass wrb_params in case of OS2BMC\n\nbe_insert_vlan_in_pkt() is called with the wrb_params argument being NULL\nat be_send_pkt_to_bmc() call site.\u00a0 This may lead to dereferencing a NULL\npointer when processing a workaround for specific packet, as commit\nbc0c3405abbb (\"be2net: fix a Tx stall bug caused by a specific ipv6\npacket\") states.\n\nThe correct way would be to pass the wrb_params from be_xmit()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T21:39:07.176Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/48d59b60dd5d7e4c48c077a2008c9dcd7b59bdfe"
},
{
"url": "https://git.kernel.org/stable/c/f499dfa5c98e92e72dd454eb95a1000a448f3405"
},
{
"url": "https://git.kernel.org/stable/c/630360c6724e27f1aa494ba3fffe1e38c4205284"
},
{
"url": "https://git.kernel.org/stable/c/012ee5882b1830db469194466a210768ed207388"
},
{
"url": "https://git.kernel.org/stable/c/ce0a3699244aca3acb659f143c9cb1327b210f89"
},
{
"url": "https://git.kernel.org/stable/c/1ecd86ec6efddb59a10c927e8e679f183bb9113e"
},
{
"url": "https://git.kernel.org/stable/c/4c4741f6e7f2fa4e1486cb61e1c15b9236ec134d"
},
{
"url": "https://git.kernel.org/stable/c/7d277a7a58578dd62fd546ddaef459ec24ccae36"
}
],
"title": "be2net: pass wrb_params in case of OS2BMC",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40264",
"datePublished": "2025-12-04T16:08:24.028Z",
"dateReserved": "2025-04-16T07:20:57.183Z",
"dateUpdated": "2025-12-06T21:39:07.176Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40124 (GCVE-0-2025-40124)
Vulnerability from cvelistv5
Published
2025-11-12 10:23
Modified
2025-12-01 06:18
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC III
Anthony Yznaga tracked down that a BUG_ON in ext4 code with large folios
enabled resulted from copy_from_user() returning impossibly large values
greater than the size to be copied. This lead to __copy_from_iter()
returning impossible values instead of the actual number of bytes it was
able to copy.
The BUG_ON has been reported in
https://lore.kernel.org/r/b14f55642207e63e907965e209f6323a0df6dcee.camel@physik.fu-berlin.de
The referenced commit introduced exception handlers on user-space memory
references in copy_from_user and copy_to_user. These handlers return from
the respective function and calculate the remaining bytes left to copy
using the current register contents. The exception handlers expect that
%o2 has already been masked during the bulk copy loop, but the masking was
performed after that loop. This will fix the return value of copy_from_user
and copy_to_user in the faulting case. The behaviour of memcpy stays
unchanged.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: ee841d0aff649164080e445e84885015958d8ff4 Version: ee841d0aff649164080e445e84885015958d8ff4 Version: ee841d0aff649164080e445e84885015958d8ff4 Version: ee841d0aff649164080e445e84885015958d8ff4 Version: ee841d0aff649164080e445e84885015958d8ff4 Version: ee841d0aff649164080e445e84885015958d8ff4 Version: ee841d0aff649164080e445e84885015958d8ff4 Version: ee841d0aff649164080e445e84885015958d8ff4 Version: 1c7e17b1c4d60cc5aa575460f7efb73686dd3b39 Version: ac663c54f40b2830b1ca32d1ae9d683fe248b14c |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/sparc/lib/U3memcpy.S"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fdd43fe6d286f27b826572457a89c926f97e2d3a",
"status": "affected",
"version": "ee841d0aff649164080e445e84885015958d8ff4",
"versionType": "git"
},
{
"lessThan": "1198077606aeffb102587c6ea079ce99641c99d4",
"status": "affected",
"version": "ee841d0aff649164080e445e84885015958d8ff4",
"versionType": "git"
},
{
"lessThan": "1857cdca12c4aff58bf26a7005a4d02850c29927",
"status": "affected",
"version": "ee841d0aff649164080e445e84885015958d8ff4",
"versionType": "git"
},
{
"lessThan": "91eda032eb16e5d2be27c95584665bc555bb5a90",
"status": "affected",
"version": "ee841d0aff649164080e445e84885015958d8ff4",
"versionType": "git"
},
{
"lessThan": "dc766c4830a7e1e1ee9d7f77d4ab344f2eb23c8e",
"status": "affected",
"version": "ee841d0aff649164080e445e84885015958d8ff4",
"versionType": "git"
},
{
"lessThan": "5ef9c94d7110e90260c06868cf1dcf899b9f25ee",
"status": "affected",
"version": "ee841d0aff649164080e445e84885015958d8ff4",
"versionType": "git"
},
{
"lessThan": "e50377c6b3f278c9f3ef017ffce17f5fcc9dace4",
"status": "affected",
"version": "ee841d0aff649164080e445e84885015958d8ff4",
"versionType": "git"
},
{
"lessThan": "47b49c06eb62504075f0f2e2227aee2e2c2a58b3",
"status": "affected",
"version": "ee841d0aff649164080e445e84885015958d8ff4",
"versionType": "git"
},
{
"status": "affected",
"version": "1c7e17b1c4d60cc5aa575460f7efb73686dd3b39",
"versionType": "git"
},
{
"status": "affected",
"version": "ac663c54f40b2830b1ca32d1ae9d683fe248b14c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/sparc/lib/U3memcpy.S"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.9"
},
{
"lessThan": "4.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.8.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC III\n\nAnthony Yznaga tracked down that a BUG_ON in ext4 code with large folios\nenabled resulted from copy_from_user() returning impossibly large values\ngreater than the size to be copied. This lead to __copy_from_iter()\nreturning impossible values instead of the actual number of bytes it was\nable to copy.\n\nThe BUG_ON has been reported in\nhttps://lore.kernel.org/r/b14f55642207e63e907965e209f6323a0df6dcee.camel@physik.fu-berlin.de\n\nThe referenced commit introduced exception handlers on user-space memory\nreferences in copy_from_user and copy_to_user. These handlers return from\nthe respective function and calculate the remaining bytes left to copy\nusing the current register contents. The exception handlers expect that\n%o2 has already been masked during the bulk copy loop, but the masking was\nperformed after that loop. This will fix the return value of copy_from_user\nand copy_to_user in the faulting case. The behaviour of memcpy stays\nunchanged."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:18:29.671Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fdd43fe6d286f27b826572457a89c926f97e2d3a"
},
{
"url": "https://git.kernel.org/stable/c/1198077606aeffb102587c6ea079ce99641c99d4"
},
{
"url": "https://git.kernel.org/stable/c/1857cdca12c4aff58bf26a7005a4d02850c29927"
},
{
"url": "https://git.kernel.org/stable/c/91eda032eb16e5d2be27c95584665bc555bb5a90"
},
{
"url": "https://git.kernel.org/stable/c/dc766c4830a7e1e1ee9d7f77d4ab344f2eb23c8e"
},
{
"url": "https://git.kernel.org/stable/c/5ef9c94d7110e90260c06868cf1dcf899b9f25ee"
},
{
"url": "https://git.kernel.org/stable/c/e50377c6b3f278c9f3ef017ffce17f5fcc9dace4"
},
{
"url": "https://git.kernel.org/stable/c/47b49c06eb62504075f0f2e2227aee2e2c2a58b3"
}
],
"title": "sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC III",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40124",
"datePublished": "2025-11-12T10:23:19.861Z",
"dateReserved": "2025-04-16T07:20:57.169Z",
"dateUpdated": "2025-12-01T06:18:29.671Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68780 (GCVE-0-2025-68780)
Vulnerability from cvelistv5
Published
2026-01-13 15:28
Modified
2026-02-09 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
sched/deadline: only set free_cpus for online runqueues
Commit 16b269436b72 ("sched/deadline: Modify cpudl::free_cpus
to reflect rd->online") introduced the cpudl_set/clear_freecpu
functions to allow the cpu_dl::free_cpus mask to be manipulated
by the deadline scheduler class rq_on/offline callbacks so the
mask would also reflect this state.
Commit 9659e1eeee28 ("sched/deadline: Remove cpu_active_mask
from cpudl_find()") removed the check of the cpu_active_mask to
save some processing on the premise that the cpudl::free_cpus
mask already reflected the runqueue online state.
Unfortunately, there are cases where it is possible for the
cpudl_clear function to set the free_cpus bit for a CPU when the
deadline runqueue is offline. When this occurs while a CPU is
connected to the default root domain the flag may retain the bad
state after the CPU has been unplugged. Later, a different CPU
that is transitioning through the default root domain may push a
deadline task to the powered down CPU when cpudl_find sees its
free_cpus bit is set. If this happens the task will not have the
opportunity to run.
One example is outlined here:
https://lore.kernel.org/lkml/20250110233010.2339521-1-opendmb@gmail.com
Another occurs when the last deadline task is migrated from a
CPU that has an offlined runqueue. The dequeue_task member of
the deadline scheduler class will eventually call cpudl_clear
and set the free_cpus bit for the CPU.
This commit modifies the cpudl_clear function to be aware of the
online state of the deadline runqueue so that the free_cpus mask
can be updated appropriately.
It is no longer necessary to manage the mask outside of the
cpudl_set/clear functions so the cpudl_set/clear_freecpu
functions are removed. In addition, since the free_cpus mask is
now only updated under the cpudl lock the code was changed to
use the non-atomic __cpumask functions.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 9659e1eeee28f7025b6545934d644d19e9c6e603 Version: 9659e1eeee28f7025b6545934d644d19e9c6e603 Version: 9659e1eeee28f7025b6545934d644d19e9c6e603 Version: 9659e1eeee28f7025b6545934d644d19e9c6e603 Version: 9659e1eeee28f7025b6545934d644d19e9c6e603 Version: 9659e1eeee28f7025b6545934d644d19e9c6e603 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/sched/cpudeadline.c",
"kernel/sched/cpudeadline.h",
"kernel/sched/deadline.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9019e399684e3cc68c4a3f050e268f74d69c1317",
"status": "affected",
"version": "9659e1eeee28f7025b6545934d644d19e9c6e603",
"versionType": "git"
},
{
"lessThan": "fb36846cbcc936954f2ad2bffdff13d16c0be08a",
"status": "affected",
"version": "9659e1eeee28f7025b6545934d644d19e9c6e603",
"versionType": "git"
},
{
"lessThan": "91e448e69aca4bb0ba2e998eb3e555644db7322b",
"status": "affected",
"version": "9659e1eeee28f7025b6545934d644d19e9c6e603",
"versionType": "git"
},
{
"lessThan": "dbc61834b0412435df21c71410562d933e4eba49",
"status": "affected",
"version": "9659e1eeee28f7025b6545934d644d19e9c6e603",
"versionType": "git"
},
{
"lessThan": "3ed049fbfb4d75b4e0b8ab54c934f485129d5dc8",
"status": "affected",
"version": "9659e1eeee28f7025b6545934d644d19e9c6e603",
"versionType": "git"
},
{
"lessThan": "382748c05e58a9f1935f5a653c352422375566ea",
"status": "affected",
"version": "9659e1eeee28f7025b6545934d644d19e9c6e603",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/sched/cpudeadline.c",
"kernel/sched/cpudeadline.h",
"kernel/sched/deadline.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.0"
},
{
"lessThan": "4.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/deadline: only set free_cpus for online runqueues\n\nCommit 16b269436b72 (\"sched/deadline: Modify cpudl::free_cpus\nto reflect rd-\u003eonline\") introduced the cpudl_set/clear_freecpu\nfunctions to allow the cpu_dl::free_cpus mask to be manipulated\nby the deadline scheduler class rq_on/offline callbacks so the\nmask would also reflect this state.\n\nCommit 9659e1eeee28 (\"sched/deadline: Remove cpu_active_mask\nfrom cpudl_find()\") removed the check of the cpu_active_mask to\nsave some processing on the premise that the cpudl::free_cpus\nmask already reflected the runqueue online state.\n\nUnfortunately, there are cases where it is possible for the\ncpudl_clear function to set the free_cpus bit for a CPU when the\ndeadline runqueue is offline. When this occurs while a CPU is\nconnected to the default root domain the flag may retain the bad\nstate after the CPU has been unplugged. Later, a different CPU\nthat is transitioning through the default root domain may push a\ndeadline task to the powered down CPU when cpudl_find sees its\nfree_cpus bit is set. If this happens the task will not have the\nopportunity to run.\n\nOne example is outlined here:\nhttps://lore.kernel.org/lkml/20250110233010.2339521-1-opendmb@gmail.com\n\nAnother occurs when the last deadline task is migrated from a\nCPU that has an offlined runqueue. The dequeue_task member of\nthe deadline scheduler class will eventually call cpudl_clear\nand set the free_cpus bit for the CPU.\n\nThis commit modifies the cpudl_clear function to be aware of the\nonline state of the deadline runqueue so that the free_cpus mask\ncan be updated appropriately.\n\nIt is no longer necessary to manage the mask outside of the\ncpudl_set/clear functions so the cpudl_set/clear_freecpu\nfunctions are removed. In addition, since the free_cpus mask is\nnow only updated under the cpudl lock the code was changed to\nuse the non-atomic __cpumask functions."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:26.498Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9019e399684e3cc68c4a3f050e268f74d69c1317"
},
{
"url": "https://git.kernel.org/stable/c/fb36846cbcc936954f2ad2bffdff13d16c0be08a"
},
{
"url": "https://git.kernel.org/stable/c/91e448e69aca4bb0ba2e998eb3e555644db7322b"
},
{
"url": "https://git.kernel.org/stable/c/dbc61834b0412435df21c71410562d933e4eba49"
},
{
"url": "https://git.kernel.org/stable/c/3ed049fbfb4d75b4e0b8ab54c934f485129d5dc8"
},
{
"url": "https://git.kernel.org/stable/c/382748c05e58a9f1935f5a653c352422375566ea"
}
],
"title": "sched/deadline: only set free_cpus for online runqueues",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68780",
"datePublished": "2026-01-13T15:28:55.483Z",
"dateReserved": "2025-12-24T10:30:51.036Z",
"dateUpdated": "2026-02-09T08:33:26.498Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71081 (GCVE-0-2025-71081)
Vulnerability from cvelistv5
Published
2026-01-13 15:34
Modified
2026-02-09 08:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: stm32: sai: fix OF node leak on probe
The reference taken to the sync provider OF node when probing the
platform device is currently only dropped if the set_sync() callback
fails during DAI probe.
Make sure to drop the reference on platform probe failures (e.g. probe
deferral) and on driver unbind.
This also avoids a potential use-after-free in case the DAI is ever
reprobed without first rebinding the platform driver.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 5914d285f6b782892a91d6621723fdc41a775b15 Version: 5914d285f6b782892a91d6621723fdc41a775b15 Version: 5914d285f6b782892a91d6621723fdc41a775b15 Version: 5914d285f6b782892a91d6621723fdc41a775b15 Version: 5914d285f6b782892a91d6621723fdc41a775b15 Version: 5914d285f6b782892a91d6621723fdc41a775b15 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/stm/stm32_sai.c",
"sound/soc/stm/stm32_sai_sub.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7daa50a2157e41c964b745ab1dc378b5b3b626d1",
"status": "affected",
"version": "5914d285f6b782892a91d6621723fdc41a775b15",
"versionType": "git"
},
{
"lessThan": "acda653169e180b1d860dbb6bc5aceb105858394",
"status": "affected",
"version": "5914d285f6b782892a91d6621723fdc41a775b15",
"versionType": "git"
},
{
"lessThan": "4054a3597d047f3fe87864ef87f399b5d523e6c0",
"status": "affected",
"version": "5914d285f6b782892a91d6621723fdc41a775b15",
"versionType": "git"
},
{
"lessThan": "bae74771fc5d3b2a9cf6f5aa64596083d032c4a3",
"status": "affected",
"version": "5914d285f6b782892a91d6621723fdc41a775b15",
"versionType": "git"
},
{
"lessThan": "3752afcc6d80d5525e236e329895ba2cb93bcb26",
"status": "affected",
"version": "5914d285f6b782892a91d6621723fdc41a775b15",
"versionType": "git"
},
{
"lessThan": "23261f0de09427367e99f39f588e31e2856a690e",
"status": "affected",
"version": "5914d285f6b782892a91d6621723fdc41a775b15",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/stm/stm32_sai.c",
"sound/soc/stm/stm32_sai_sub.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: stm32: sai: fix OF node leak on probe\n\nThe reference taken to the sync provider OF node when probing the\nplatform device is currently only dropped if the set_sync() callback\nfails during DAI probe.\n\nMake sure to drop the reference on platform probe failures (e.g. probe\ndeferral) and on driver unbind.\n\nThis also avoids a potential use-after-free in case the DAI is ever\nreprobed without first rebinding the platform driver."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:32.444Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7daa50a2157e41c964b745ab1dc378b5b3b626d1"
},
{
"url": "https://git.kernel.org/stable/c/acda653169e180b1d860dbb6bc5aceb105858394"
},
{
"url": "https://git.kernel.org/stable/c/4054a3597d047f3fe87864ef87f399b5d523e6c0"
},
{
"url": "https://git.kernel.org/stable/c/bae74771fc5d3b2a9cf6f5aa64596083d032c4a3"
},
{
"url": "https://git.kernel.org/stable/c/3752afcc6d80d5525e236e329895ba2cb93bcb26"
},
{
"url": "https://git.kernel.org/stable/c/23261f0de09427367e99f39f588e31e2856a690e"
}
],
"title": "ASoC: stm32: sai: fix OF node leak on probe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71081",
"datePublished": "2026-01-13T15:34:45.503Z",
"dateReserved": "2026-01-13T15:30:19.648Z",
"dateUpdated": "2026-02-09T08:34:32.444Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39945 (GCVE-0-2025-39945)
Vulnerability from cvelistv5
Published
2025-10-04 07:31
Modified
2025-10-04 07:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
cnic: Fix use-after-free bugs in cnic_delete_task
The original code uses cancel_delayed_work() in cnic_cm_stop_bnx2x_hw(),
which does not guarantee that the delayed work item 'delete_task' has
fully completed if it was already running. Additionally, the delayed work
item is cyclic, the flush_workqueue() in cnic_cm_stop_bnx2x_hw() only
blocks and waits for work items that were already queued to the
workqueue prior to its invocation. Any work items submitted after
flush_workqueue() is called are not included in the set of tasks that the
flush operation awaits. This means that after the cyclic work items have
finished executing, a delayed work item may still exist in the workqueue.
This leads to use-after-free scenarios where the cnic_dev is deallocated
by cnic_free_dev(), while delete_task remains active and attempt to
dereference cnic_dev in cnic_delete_task().
A typical race condition is illustrated below:
CPU 0 (cleanup) | CPU 1 (delayed work callback)
cnic_netdev_event() |
cnic_stop_hw() | cnic_delete_task()
cnic_cm_stop_bnx2x_hw() | ...
cancel_delayed_work() | /* the queue_delayed_work()
flush_workqueue() | executes after flush_workqueue()*/
| queue_delayed_work()
cnic_free_dev(dev)//free | cnic_delete_task() //new instance
| dev = cp->dev; //use
Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure
that the cyclic delayed work item is properly canceled and that any
ongoing execution of the work item completes before the cnic_dev is
deallocated. Furthermore, since cancel_delayed_work_sync() uses
__flush_work(work, true) to synchronously wait for any currently
executing instance of the work item to finish, the flush_workqueue()
becomes redundant and should be removed.
This bug was identified through static analysis. To reproduce the issue
and validate the fix, I simulated the cnic PCI device in QEMU and
introduced intentional delays — such as inserting calls to ssleep()
within the cnic_delete_task() function — to increase the likelihood
of triggering the bug.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: fdf24086f4752aee5dfb40143c736250df017820 Version: fdf24086f4752aee5dfb40143c736250df017820 Version: fdf24086f4752aee5dfb40143c736250df017820 Version: fdf24086f4752aee5dfb40143c736250df017820 Version: fdf24086f4752aee5dfb40143c736250df017820 Version: fdf24086f4752aee5dfb40143c736250df017820 Version: fdf24086f4752aee5dfb40143c736250df017820 Version: fdf24086f4752aee5dfb40143c736250df017820 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/broadcom/cnic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fde6e73189f40ebcf0633aed2b68e731c25f3aa3",
"status": "affected",
"version": "fdf24086f4752aee5dfb40143c736250df017820",
"versionType": "git"
},
{
"lessThan": "7b6a5b0a6b392263c3767fc945b311ea04b34bbd",
"status": "affected",
"version": "fdf24086f4752aee5dfb40143c736250df017820",
"versionType": "git"
},
{
"lessThan": "0405055930264ea8fd26f4131466fa7652e5e47d",
"status": "affected",
"version": "fdf24086f4752aee5dfb40143c736250df017820",
"versionType": "git"
},
{
"lessThan": "e1fcd4a9c09feac0902a65615e866dbf22616125",
"status": "affected",
"version": "fdf24086f4752aee5dfb40143c736250df017820",
"versionType": "git"
},
{
"lessThan": "8eeb2091e72d75df8ceaa2172638d61b4cf8929a",
"status": "affected",
"version": "fdf24086f4752aee5dfb40143c736250df017820",
"versionType": "git"
},
{
"lessThan": "6e33a7eed587062ca8161ad1f4584882a860d697",
"status": "affected",
"version": "fdf24086f4752aee5dfb40143c736250df017820",
"versionType": "git"
},
{
"lessThan": "0627e1481676669cae2df0d85b5ff13e7d24c390",
"status": "affected",
"version": "fdf24086f4752aee5dfb40143c736250df017820",
"versionType": "git"
},
{
"lessThan": "cfa7d9b1e3a8604afc84e9e51d789c29574fb216",
"status": "affected",
"version": "fdf24086f4752aee5dfb40143c736250df017820",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/broadcom/cnic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.37"
},
{
"lessThan": "2.6.37",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.154",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.108",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.154",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.108",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.49",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.9",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.37",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncnic: Fix use-after-free bugs in cnic_delete_task\n\nThe original code uses cancel_delayed_work() in cnic_cm_stop_bnx2x_hw(),\nwhich does not guarantee that the delayed work item \u0027delete_task\u0027 has\nfully completed if it was already running. Additionally, the delayed work\nitem is cyclic, the flush_workqueue() in cnic_cm_stop_bnx2x_hw() only\nblocks and waits for work items that were already queued to the\nworkqueue prior to its invocation. Any work items submitted after\nflush_workqueue() is called are not included in the set of tasks that the\nflush operation awaits. This means that after the cyclic work items have\nfinished executing, a delayed work item may still exist in the workqueue.\nThis leads to use-after-free scenarios where the cnic_dev is deallocated\nby cnic_free_dev(), while delete_task remains active and attempt to\ndereference cnic_dev in cnic_delete_task().\n\nA typical race condition is illustrated below:\n\nCPU 0 (cleanup) | CPU 1 (delayed work callback)\ncnic_netdev_event() |\n cnic_stop_hw() | cnic_delete_task()\n cnic_cm_stop_bnx2x_hw() | ...\n cancel_delayed_work() | /* the queue_delayed_work()\n flush_workqueue() | executes after flush_workqueue()*/\n | queue_delayed_work()\n cnic_free_dev(dev)//free | cnic_delete_task() //new instance\n | dev = cp-\u003edev; //use\n\nReplace cancel_delayed_work() with cancel_delayed_work_sync() to ensure\nthat the cyclic delayed work item is properly canceled and that any\nongoing execution of the work item completes before the cnic_dev is\ndeallocated. Furthermore, since cancel_delayed_work_sync() uses\n__flush_work(work, true) to synchronously wait for any currently\nexecuting instance of the work item to finish, the flush_workqueue()\nbecomes redundant and should be removed.\n\nThis bug was identified through static analysis. To reproduce the issue\nand validate the fix, I simulated the cnic PCI device in QEMU and\nintroduced intentional delays \u2014 such as inserting calls to ssleep()\nwithin the cnic_delete_task() function \u2014 to increase the likelihood\nof triggering the bug."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T07:37:04.574Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fde6e73189f40ebcf0633aed2b68e731c25f3aa3"
},
{
"url": "https://git.kernel.org/stable/c/7b6a5b0a6b392263c3767fc945b311ea04b34bbd"
},
{
"url": "https://git.kernel.org/stable/c/0405055930264ea8fd26f4131466fa7652e5e47d"
},
{
"url": "https://git.kernel.org/stable/c/e1fcd4a9c09feac0902a65615e866dbf22616125"
},
{
"url": "https://git.kernel.org/stable/c/8eeb2091e72d75df8ceaa2172638d61b4cf8929a"
},
{
"url": "https://git.kernel.org/stable/c/6e33a7eed587062ca8161ad1f4584882a860d697"
},
{
"url": "https://git.kernel.org/stable/c/0627e1481676669cae2df0d85b5ff13e7d24c390"
},
{
"url": "https://git.kernel.org/stable/c/cfa7d9b1e3a8604afc84e9e51d789c29574fb216"
}
],
"title": "cnic: Fix use-after-free bugs in cnic_delete_task",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39945",
"datePublished": "2025-10-04T07:31:07.109Z",
"dateReserved": "2025-04-16T07:20:57.148Z",
"dateUpdated": "2025-10-04T07:37:04.574Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40280 (GCVE-0-2025-40280)
Vulnerability from cvelistv5
Published
2025-12-06 21:51
Modified
2025-12-06 21:51
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tipc: Fix use-after-free in tipc_mon_reinit_self().
syzbot reported use-after-free of tipc_net(net)->monitors[]
in tipc_mon_reinit_self(). [0]
The array is protected by RTNL, but tipc_mon_reinit_self()
iterates over it without RTNL.
tipc_mon_reinit_self() is called from tipc_net_finalize(),
which is always under RTNL except for tipc_net_finalize_work().
Let's hold RTNL in tipc_net_finalize_work().
[0]:
BUG: KASAN: slab-use-after-free in __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
BUG: KASAN: slab-use-after-free in _raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162
Read of size 1 at addr ffff88805eae1030 by task kworker/0:7/5989
CPU: 0 UID: 0 PID: 5989 Comm: kworker/0:7 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
Workqueue: events tipc_net_finalize_work
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595
__kasan_check_byte+0x2a/0x40 mm/kasan/common.c:568
kasan_check_byte include/linux/kasan.h:399 [inline]
lock_acquire+0x8d/0x360 kernel/locking/lockdep.c:5842
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162
rtlock_slowlock kernel/locking/rtmutex.c:1894 [inline]
rwbase_rtmutex_lock_state kernel/locking/spinlock_rt.c:160 [inline]
rwbase_write_lock+0xd3/0x7e0 kernel/locking/rwbase_rt.c:244
rt_write_lock+0x76/0x110 kernel/locking/spinlock_rt.c:243
write_lock_bh include/linux/rwlock_rt.h:99 [inline]
tipc_mon_reinit_self+0x79/0x430 net/tipc/monitor.c:718
tipc_net_finalize+0x115/0x190 net/tipc/net.c:140
process_one_work kernel/workqueue.c:3236 [inline]
process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3319
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400
kthread+0x70e/0x8a0 kernel/kthread.c:463
ret_from_fork+0x439/0x7d0 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
Allocated by task 6089:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:388 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:405
kasan_kmalloc include/linux/kasan.h:260 [inline]
__kmalloc_cache_noprof+0x1a8/0x320 mm/slub.c:4407
kmalloc_noprof include/linux/slab.h:905 [inline]
kzalloc_noprof include/linux/slab.h:1039 [inline]
tipc_mon_create+0xc3/0x4d0 net/tipc/monitor.c:657
tipc_enable_bearer net/tipc/bearer.c:357 [inline]
__tipc_nl_bearer_enable+0xe16/0x13f0 net/tipc/bearer.c:1047
__tipc_nl_compat_doit net/tipc/netlink_compat.c:371 [inline]
tipc_nl_compat_doit+0x3bc/0x5f0 net/tipc/netlink_compat.c:393
tipc_nl_compat_handle net/tipc/netlink_compat.c:-1 [inline]
tipc_nl_compat_recv+0x83c/0xbe0 net/tipc/netlink_compat.c:1321
genl_family_rcv_msg_doit+0x215/0x300 net/netlink/genetlink.c:1115
genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
genl_rcv_msg+0x60e/0x790 net/netlink/genetlink.c:1210
netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2552
genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
netlink_unicast+0x846/0xa10 net/netlink/af_netlink.c:1346
netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896
sock_sendmsg_nosec net/socket.c:714 [inline]
__sock_sendmsg+0x21c/0x270 net/socket.c:729
____sys_sendmsg+0x508/0x820 net/socket.c:2614
___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668
__sys_sendmsg net/socket.c:2700 [inline]
__do_sys_sendmsg net/socket.c:2705 [inline]
__se_sys_sendmsg net/socket.c:2703 [inline]
__x64_sys_sendmsg+0x1a1/0x260 net/socket.c:2703
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/
---truncated---
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 28845c28f842e9e55e75b2c116bff714bb039055 Version: 46cb01eeeb86fca6afe24dda1167b0cb95424e29 Version: 46cb01eeeb86fca6afe24dda1167b0cb95424e29 Version: 46cb01eeeb86fca6afe24dda1167b0cb95424e29 Version: 46cb01eeeb86fca6afe24dda1167b0cb95424e29 Version: 46cb01eeeb86fca6afe24dda1167b0cb95424e29 Version: 46cb01eeeb86fca6afe24dda1167b0cb95424e29 Version: 46cb01eeeb86fca6afe24dda1167b0cb95424e29 Version: 295c9b554f6dfcd2d368fae6e6fa22ee5b79c123 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/tipc/net.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5f541300b02ef8b2af34f6f7d41ce617f3571e88",
"status": "affected",
"version": "28845c28f842e9e55e75b2c116bff714bb039055",
"versionType": "git"
},
{
"lessThan": "b2e77c789c234e7fe49057d2ced8f32e2d2c7901",
"status": "affected",
"version": "46cb01eeeb86fca6afe24dda1167b0cb95424e29",
"versionType": "git"
},
{
"lessThan": "51b8f0ab888f8aa5dfac954918864eeda8c12c19",
"status": "affected",
"version": "46cb01eeeb86fca6afe24dda1167b0cb95424e29",
"versionType": "git"
},
{
"lessThan": "499b5fa78d525c4450ebb76db83207db71efea77",
"status": "affected",
"version": "46cb01eeeb86fca6afe24dda1167b0cb95424e29",
"versionType": "git"
},
{
"lessThan": "c92dbf85627b5c29e52d9c120a24e785801716df",
"status": "affected",
"version": "46cb01eeeb86fca6afe24dda1167b0cb95424e29",
"versionType": "git"
},
{
"lessThan": "f0104977fed25ebe001fd63dab2b6b7fefad3373",
"status": "affected",
"version": "46cb01eeeb86fca6afe24dda1167b0cb95424e29",
"versionType": "git"
},
{
"lessThan": "fdf7c4c9af4f246323ce854e84b6aec198d49f7e",
"status": "affected",
"version": "46cb01eeeb86fca6afe24dda1167b0cb95424e29",
"versionType": "git"
},
{
"lessThan": "0725e6afb55128be21a2ca36e9674f573ccec173",
"status": "affected",
"version": "46cb01eeeb86fca6afe24dda1167b0cb95424e29",
"versionType": "git"
},
{
"status": "affected",
"version": "295c9b554f6dfcd2d368fae6e6fa22ee5b79c123",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/tipc/net.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "5.4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.99",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: Fix use-after-free in tipc_mon_reinit_self().\n\nsyzbot reported use-after-free of tipc_net(net)-\u003emonitors[]\nin tipc_mon_reinit_self(). [0]\n\nThe array is protected by RTNL, but tipc_mon_reinit_self()\niterates over it without RTNL.\n\ntipc_mon_reinit_self() is called from tipc_net_finalize(),\nwhich is always under RTNL except for tipc_net_finalize_work().\n\nLet\u0027s hold RTNL in tipc_net_finalize_work().\n\n[0]:\nBUG: KASAN: slab-use-after-free in __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]\nBUG: KASAN: slab-use-after-free in _raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162\nRead of size 1 at addr ffff88805eae1030 by task kworker/0:7/5989\n\nCPU: 0 UID: 0 PID: 5989 Comm: kworker/0:7 Not tainted syzkaller #0 PREEMPT_{RT,(full)}\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025\nWorkqueue: events tipc_net_finalize_work\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xca/0x240 mm/kasan/report.c:482\n kasan_report+0x118/0x150 mm/kasan/report.c:595\n __kasan_check_byte+0x2a/0x40 mm/kasan/common.c:568\n kasan_check_byte include/linux/kasan.h:399 [inline]\n lock_acquire+0x8d/0x360 kernel/locking/lockdep.c:5842\n __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]\n _raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162\n rtlock_slowlock kernel/locking/rtmutex.c:1894 [inline]\n rwbase_rtmutex_lock_state kernel/locking/spinlock_rt.c:160 [inline]\n rwbase_write_lock+0xd3/0x7e0 kernel/locking/rwbase_rt.c:244\n rt_write_lock+0x76/0x110 kernel/locking/spinlock_rt.c:243\n write_lock_bh include/linux/rwlock_rt.h:99 [inline]\n tipc_mon_reinit_self+0x79/0x430 net/tipc/monitor.c:718\n tipc_net_finalize+0x115/0x190 net/tipc/net.c:140\n process_one_work kernel/workqueue.c:3236 [inline]\n process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3319\n worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400\n kthread+0x70e/0x8a0 kernel/kthread.c:463\n ret_from_fork+0x439/0x7d0 arch/x86/kernel/process.c:148\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\n \u003c/TASK\u003e\n\nAllocated by task 6089:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:388 [inline]\n __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:405\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __kmalloc_cache_noprof+0x1a8/0x320 mm/slub.c:4407\n kmalloc_noprof include/linux/slab.h:905 [inline]\n kzalloc_noprof include/linux/slab.h:1039 [inline]\n tipc_mon_create+0xc3/0x4d0 net/tipc/monitor.c:657\n tipc_enable_bearer net/tipc/bearer.c:357 [inline]\n __tipc_nl_bearer_enable+0xe16/0x13f0 net/tipc/bearer.c:1047\n __tipc_nl_compat_doit net/tipc/netlink_compat.c:371 [inline]\n tipc_nl_compat_doit+0x3bc/0x5f0 net/tipc/netlink_compat.c:393\n tipc_nl_compat_handle net/tipc/netlink_compat.c:-1 [inline]\n tipc_nl_compat_recv+0x83c/0xbe0 net/tipc/netlink_compat.c:1321\n genl_family_rcv_msg_doit+0x215/0x300 net/netlink/genetlink.c:1115\n genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]\n genl_rcv_msg+0x60e/0x790 net/netlink/genetlink.c:1210\n netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2552\n genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219\n netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]\n netlink_unicast+0x846/0xa10 net/netlink/af_netlink.c:1346\n netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896\n sock_sendmsg_nosec net/socket.c:714 [inline]\n __sock_sendmsg+0x21c/0x270 net/socket.c:729\n ____sys_sendmsg+0x508/0x820 net/socket.c:2614\n ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668\n __sys_sendmsg net/socket.c:2700 [inline]\n __do_sys_sendmsg net/socket.c:2705 [inline]\n __se_sys_sendmsg net/socket.c:2703 [inline]\n __x64_sys_sendmsg+0x1a1/0x260 net/socket.c:2703\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0x3b0 arch/\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T21:51:04.091Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5f541300b02ef8b2af34f6f7d41ce617f3571e88"
},
{
"url": "https://git.kernel.org/stable/c/b2e77c789c234e7fe49057d2ced8f32e2d2c7901"
},
{
"url": "https://git.kernel.org/stable/c/51b8f0ab888f8aa5dfac954918864eeda8c12c19"
},
{
"url": "https://git.kernel.org/stable/c/499b5fa78d525c4450ebb76db83207db71efea77"
},
{
"url": "https://git.kernel.org/stable/c/c92dbf85627b5c29e52d9c120a24e785801716df"
},
{
"url": "https://git.kernel.org/stable/c/f0104977fed25ebe001fd63dab2b6b7fefad3373"
},
{
"url": "https://git.kernel.org/stable/c/fdf7c4c9af4f246323ce854e84b6aec198d49f7e"
},
{
"url": "https://git.kernel.org/stable/c/0725e6afb55128be21a2ca36e9674f573ccec173"
}
],
"title": "tipc: Fix use-after-free in tipc_mon_reinit_self().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40280",
"datePublished": "2025-12-06T21:51:04.091Z",
"dateReserved": "2025-04-16T07:20:57.184Z",
"dateUpdated": "2025-12-06T21:51:04.091Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40272 (GCVE-0-2025-40272)
Vulnerability from cvelistv5
Published
2025-12-06 21:50
Modified
2025-12-06 21:50
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/secretmem: fix use-after-free race in fault handler
When a page fault occurs in a secret memory file created with
`memfd_secret(2)`, the kernel will allocate a new folio for it, mark the
underlying page as not-present in the direct map, and add it to the file
mapping.
If two tasks cause a fault in the same page concurrently, both could end
up allocating a folio and removing the page from the direct map, but only
one would succeed in adding the folio to the file mapping. The task that
failed undoes the effects of its attempt by (a) freeing the folio again
and (b) putting the page back into the direct map. However, by doing
these two operations in this order, the page becomes available to the
allocator again before it is placed back in the direct mapping.
If another task attempts to allocate the page between (a) and (b), and the
kernel tries to access it via the direct map, it would result in a
supervisor not-present page fault.
Fix the ordering to restore the direct map before the folio is freed.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1507f51255c9ff07d75909a84e7c0d7f3c4b2f49 Version: 1507f51255c9ff07d75909a84e7c0d7f3c4b2f49 Version: 1507f51255c9ff07d75909a84e7c0d7f3c4b2f49 Version: 1507f51255c9ff07d75909a84e7c0d7f3c4b2f49 Version: 1507f51255c9ff07d75909a84e7c0d7f3c4b2f49 Version: 1507f51255c9ff07d75909a84e7c0d7f3c4b2f49 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/secretmem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bb1c19636aedae39360e6fdbcaef4f2bcff25785",
"status": "affected",
"version": "1507f51255c9ff07d75909a84e7c0d7f3c4b2f49",
"versionType": "git"
},
{
"lessThan": "1e4643d6628edf9c0047b1f8f5bc574665025acb",
"status": "affected",
"version": "1507f51255c9ff07d75909a84e7c0d7f3c4b2f49",
"versionType": "git"
},
{
"lessThan": "42d486d35a4143cc37fc72ee66edc99d942dd367",
"status": "affected",
"version": "1507f51255c9ff07d75909a84e7c0d7f3c4b2f49",
"versionType": "git"
},
{
"lessThan": "52f2d5cf33de9a8f5e72bbb0ed38282ae0bc4649",
"status": "affected",
"version": "1507f51255c9ff07d75909a84e7c0d7f3c4b2f49",
"versionType": "git"
},
{
"lessThan": "4444767e625da46009fc94a453fd1967b80ba047",
"status": "affected",
"version": "1507f51255c9ff07d75909a84e7c0d7f3c4b2f49",
"versionType": "git"
},
{
"lessThan": "6f86d0534fddfbd08687fa0f01479d4226bc3c3d",
"status": "affected",
"version": "1507f51255c9ff07d75909a84e7c0d7f3c4b2f49",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/secretmem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/secretmem: fix use-after-free race in fault handler\n\nWhen a page fault occurs in a secret memory file created with\n`memfd_secret(2)`, the kernel will allocate a new folio for it, mark the\nunderlying page as not-present in the direct map, and add it to the file\nmapping.\n\nIf two tasks cause a fault in the same page concurrently, both could end\nup allocating a folio and removing the page from the direct map, but only\none would succeed in adding the folio to the file mapping. The task that\nfailed undoes the effects of its attempt by (a) freeing the folio again\nand (b) putting the page back into the direct map. However, by doing\nthese two operations in this order, the page becomes available to the\nallocator again before it is placed back in the direct mapping.\n\nIf another task attempts to allocate the page between (a) and (b), and the\nkernel tries to access it via the direct map, it would result in a\nsupervisor not-present page fault.\n\nFix the ordering to restore the direct map before the folio is freed."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T21:50:54.629Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bb1c19636aedae39360e6fdbcaef4f2bcff25785"
},
{
"url": "https://git.kernel.org/stable/c/1e4643d6628edf9c0047b1f8f5bc574665025acb"
},
{
"url": "https://git.kernel.org/stable/c/42d486d35a4143cc37fc72ee66edc99d942dd367"
},
{
"url": "https://git.kernel.org/stable/c/52f2d5cf33de9a8f5e72bbb0ed38282ae0bc4649"
},
{
"url": "https://git.kernel.org/stable/c/4444767e625da46009fc94a453fd1967b80ba047"
},
{
"url": "https://git.kernel.org/stable/c/6f86d0534fddfbd08687fa0f01479d4226bc3c3d"
}
],
"title": "mm/secretmem: fix use-after-free race in fault handler",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40272",
"datePublished": "2025-12-06T21:50:54.629Z",
"dateReserved": "2025-04-16T07:20:57.183Z",
"dateUpdated": "2025-12-06T21:50:54.629Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71064 (GCVE-0-2025-71064)
Vulnerability from cvelistv5
Published
2026-01-13 15:31
Modified
2026-02-09 08:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: hns3: using the num_tqps in the vf driver to apply for resources
Currently, hdev->htqp is allocated using hdev->num_tqps, and kinfo->tqp
is allocated using kinfo->num_tqps. However, kinfo->num_tqps is set to
min(new_tqps, hdev->num_tqps); Therefore, kinfo->num_tqps may be smaller
than hdev->num_tqps, which causes some hdev->htqp[i] to remain
uninitialized in hclgevf_knic_setup().
Thus, this patch allocates hdev->htqp and kinfo->tqp using hdev->num_tqps,
ensuring that the lengths of hdev->htqp and kinfo->tqp are consistent
and that all elements are properly initialized.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: e2cb1dec9779ba2d89302a653eb0abaeb8682196 Version: e2cb1dec9779ba2d89302a653eb0abaeb8682196 Version: e2cb1dec9779ba2d89302a653eb0abaeb8682196 Version: e2cb1dec9779ba2d89302a653eb0abaeb8682196 Version: e2cb1dec9779ba2d89302a653eb0abaeb8682196 Version: e2cb1dec9779ba2d89302a653eb0abaeb8682196 Version: e2cb1dec9779ba2d89302a653eb0abaeb8682196 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c149decd8c18ae6acdd7a6041d74507835cf26e6",
"status": "affected",
"version": "e2cb1dec9779ba2d89302a653eb0abaeb8682196",
"versionType": "git"
},
{
"lessThan": "bcefdb288eedac96fd2f583298927e9c6c481489",
"status": "affected",
"version": "e2cb1dec9779ba2d89302a653eb0abaeb8682196",
"versionType": "git"
},
{
"lessThan": "6cd8a2930df850f4600fe8c57d0662b376520281",
"status": "affected",
"version": "e2cb1dec9779ba2d89302a653eb0abaeb8682196",
"versionType": "git"
},
{
"lessThan": "1956d47a03eb625951e9e070db39fe2590e27510",
"status": "affected",
"version": "e2cb1dec9779ba2d89302a653eb0abaeb8682196",
"versionType": "git"
},
{
"lessThan": "429f946a7af3fbf08761d218746cd4afa80a7954",
"status": "affected",
"version": "e2cb1dec9779ba2d89302a653eb0abaeb8682196",
"versionType": "git"
},
{
"lessThan": "62f28d79a6186a602a9d926a2dbb5b12b6867df7",
"status": "affected",
"version": "e2cb1dec9779ba2d89302a653eb0abaeb8682196",
"versionType": "git"
},
{
"lessThan": "c2a16269742e176fccdd0ef9c016a233491a49ad",
"status": "affected",
"version": "e2cb1dec9779ba2d89302a653eb0abaeb8682196",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: using the num_tqps in the vf driver to apply for resources\n\nCurrently, hdev-\u003ehtqp is allocated using hdev-\u003enum_tqps, and kinfo-\u003etqp\nis allocated using kinfo-\u003enum_tqps. However, kinfo-\u003enum_tqps is set to\nmin(new_tqps, hdev-\u003enum_tqps); Therefore, kinfo-\u003enum_tqps may be smaller\nthan hdev-\u003enum_tqps, which causes some hdev-\u003ehtqp[i] to remain\nuninitialized in hclgevf_knic_setup().\n\nThus, this patch allocates hdev-\u003ehtqp and kinfo-\u003etqp using hdev-\u003enum_tqps,\nensuring that the lengths of hdev-\u003ehtqp and kinfo-\u003etqp are consistent\nand that all elements are properly initialized."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:14.420Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c149decd8c18ae6acdd7a6041d74507835cf26e6"
},
{
"url": "https://git.kernel.org/stable/c/bcefdb288eedac96fd2f583298927e9c6c481489"
},
{
"url": "https://git.kernel.org/stable/c/6cd8a2930df850f4600fe8c57d0662b376520281"
},
{
"url": "https://git.kernel.org/stable/c/1956d47a03eb625951e9e070db39fe2590e27510"
},
{
"url": "https://git.kernel.org/stable/c/429f946a7af3fbf08761d218746cd4afa80a7954"
},
{
"url": "https://git.kernel.org/stable/c/62f28d79a6186a602a9d926a2dbb5b12b6867df7"
},
{
"url": "https://git.kernel.org/stable/c/c2a16269742e176fccdd0ef9c016a233491a49ad"
}
],
"title": "net: hns3: using the num_tqps in the vf driver to apply for resources",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71064",
"datePublished": "2026-01-13T15:31:20.503Z",
"dateReserved": "2026-01-13T15:30:19.646Z",
"dateUpdated": "2026-02-09T08:34:14.420Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68791 (GCVE-0-2025-68791)
Vulnerability from cvelistv5
Published
2026-01-13 15:29
Modified
2026-02-09 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
fuse: missing copy_finish in fuse-over-io-uring argument copies
Fix a possible reference count leak of payload pages during
fuse argument copies.
[Joanne: simplified error cleanup]
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/fuse/dev.c",
"fs/fuse/dev_uring.c",
"fs/fuse/fuse_dev_i.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b79938863f436960eff209130f025c4bd3026bf8",
"status": "affected",
"version": "c090c8abae4b6b77a1bee116aa6c385456ebef96",
"versionType": "git"
},
{
"lessThan": "6e0d7f7f4a43ac8868e98c87ecf48805aa8c24dd",
"status": "affected",
"version": "c090c8abae4b6b77a1bee116aa6c385456ebef96",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/fuse/dev.c",
"fs/fuse/dev_uring.c",
"fs/fuse/fuse_dev_i.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.14"
},
{
"lessThan": "6.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfuse: missing copy_finish in fuse-over-io-uring argument copies\n\nFix a possible reference count leak of payload pages during\nfuse argument copies.\n\n[Joanne: simplified error cleanup]"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:38.278Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b79938863f436960eff209130f025c4bd3026bf8"
},
{
"url": "https://git.kernel.org/stable/c/6e0d7f7f4a43ac8868e98c87ecf48805aa8c24dd"
}
],
"title": "fuse: missing copy_finish in fuse-over-io-uring argument copies",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68791",
"datePublished": "2026-01-13T15:29:03.553Z",
"dateReserved": "2025-12-24T10:30:51.037Z",
"dateUpdated": "2026-02-09T08:33:38.278Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68258 (GCVE-0-2025-68258)
Vulnerability from cvelistv5
Published
2025-12-16 14:45
Modified
2026-02-09 08:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
comedi: multiq3: sanitize config options in multiq3_attach()
Syzbot identified an issue [1] in multiq3_attach() that induces a
task timeout due to open() or COMEDI_DEVCONFIG ioctl operations,
specifically, in the case of multiq3 driver.
This problem arose when syzkaller managed to craft weird configuration
options used to specify the number of channels in encoder subdevice.
If a particularly great number is passed to s->n_chan in
multiq3_attach() via it->options[2], then multiple calls to
multiq3_encoder_reset() at the end of driver-specific attach() method
will be running for minutes, thus blocking tasks and affected devices
as well.
While this issue is most likely not too dangerous for real-life
devices, it still makes sense to sanitize configuration inputs. Enable
a sensible limit on the number of encoder chips (4 chips max, each
with 2 channels) to stop this behaviour from manifesting.
[1] Syzbot crash:
INFO: task syz.2.19:6067 blocked for more than 143 seconds.
...
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5254 [inline]
__schedule+0x17c4/0x4d60 kernel/sched/core.c:6862
__schedule_loop kernel/sched/core.c:6944 [inline]
schedule+0x165/0x360 kernel/sched/core.c:6959
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7016
__mutex_lock_common kernel/locking/mutex.c:676 [inline]
__mutex_lock+0x7e6/0x1350 kernel/locking/mutex.c:760
comedi_open+0xc0/0x590 drivers/comedi/comedi_fops.c:2868
chrdev_open+0x4cc/0x5e0 fs/char_dev.c:414
do_dentry_open+0x953/0x13f0 fs/open.c:965
vfs_open+0x3b/0x340 fs/open.c:1097
...
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 77e01cdbad5175f56027fd6fae00bd0fc175651a Version: 77e01cdbad5175f56027fd6fae00bd0fc175651a Version: 77e01cdbad5175f56027fd6fae00bd0fc175651a Version: 77e01cdbad5175f56027fd6fae00bd0fc175651a Version: 77e01cdbad5175f56027fd6fae00bd0fc175651a Version: 77e01cdbad5175f56027fd6fae00bd0fc175651a Version: 77e01cdbad5175f56027fd6fae00bd0fc175651a Version: 77e01cdbad5175f56027fd6fae00bd0fc175651a |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/comedi/drivers/multiq3.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f9ff87aac7b37d462246c46d28912d382a8e2ea6",
"status": "affected",
"version": "77e01cdbad5175f56027fd6fae00bd0fc175651a",
"versionType": "git"
},
{
"lessThan": "4cde9a7e025cc09b88097c70606f6b30c22880f4",
"status": "affected",
"version": "77e01cdbad5175f56027fd6fae00bd0fc175651a",
"versionType": "git"
},
{
"lessThan": "ad7ed3c9c7b8408e8612697bc43a5441fe386c71",
"status": "affected",
"version": "77e01cdbad5175f56027fd6fae00bd0fc175651a",
"versionType": "git"
},
{
"lessThan": "049f14557450351750f929ebfff36d849511e132",
"status": "affected",
"version": "77e01cdbad5175f56027fd6fae00bd0fc175651a",
"versionType": "git"
},
{
"lessThan": "8952bc1973cd54158c35e06bfb8c29ace7375a48",
"status": "affected",
"version": "77e01cdbad5175f56027fd6fae00bd0fc175651a",
"versionType": "git"
},
{
"lessThan": "8dc2f02d3bada9247f00bfd2e5f61f68c389a0a3",
"status": "affected",
"version": "77e01cdbad5175f56027fd6fae00bd0fc175651a",
"versionType": "git"
},
{
"lessThan": "543f4c380c2e1f35e60528df7cb54705cda7fee3",
"status": "affected",
"version": "77e01cdbad5175f56027fd6fae00bd0fc175651a",
"versionType": "git"
},
{
"lessThan": "f24c6e3a39fa355dabfb684c9ca82db579534e72",
"status": "affected",
"version": "77e01cdbad5175f56027fd6fae00bd0fc175651a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/comedi/drivers/multiq3.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.30"
},
{
"lessThan": "2.6.30",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.62",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.62",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.12",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.1",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.30",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: multiq3: sanitize config options in multiq3_attach()\n\nSyzbot identified an issue [1] in multiq3_attach() that induces a\ntask timeout due to open() or COMEDI_DEVCONFIG ioctl operations,\nspecifically, in the case of multiq3 driver.\n\nThis problem arose when syzkaller managed to craft weird configuration\noptions used to specify the number of channels in encoder subdevice.\nIf a particularly great number is passed to s-\u003en_chan in\nmultiq3_attach() via it-\u003eoptions[2], then multiple calls to\nmultiq3_encoder_reset() at the end of driver-specific attach() method\nwill be running for minutes, thus blocking tasks and affected devices\nas well.\n\nWhile this issue is most likely not too dangerous for real-life\ndevices, it still makes sense to sanitize configuration inputs. Enable\na sensible limit on the number of encoder chips (4 chips max, each\nwith 2 channels) to stop this behaviour from manifesting.\n\n[1] Syzbot crash:\nINFO: task syz.2.19:6067 blocked for more than 143 seconds.\n...\nCall Trace:\n \u003cTASK\u003e\n context_switch kernel/sched/core.c:5254 [inline]\n __schedule+0x17c4/0x4d60 kernel/sched/core.c:6862\n __schedule_loop kernel/sched/core.c:6944 [inline]\n schedule+0x165/0x360 kernel/sched/core.c:6959\n schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7016\n __mutex_lock_common kernel/locking/mutex.c:676 [inline]\n __mutex_lock+0x7e6/0x1350 kernel/locking/mutex.c:760\n comedi_open+0xc0/0x590 drivers/comedi/comedi_fops.c:2868\n chrdev_open+0x4cc/0x5e0 fs/char_dev.c:414\n do_dentry_open+0x953/0x13f0 fs/open.c:965\n vfs_open+0x3b/0x340 fs/open.c:1097\n..."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:31:11.628Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f9ff87aac7b37d462246c46d28912d382a8e2ea6"
},
{
"url": "https://git.kernel.org/stable/c/4cde9a7e025cc09b88097c70606f6b30c22880f4"
},
{
"url": "https://git.kernel.org/stable/c/ad7ed3c9c7b8408e8612697bc43a5441fe386c71"
},
{
"url": "https://git.kernel.org/stable/c/049f14557450351750f929ebfff36d849511e132"
},
{
"url": "https://git.kernel.org/stable/c/8952bc1973cd54158c35e06bfb8c29ace7375a48"
},
{
"url": "https://git.kernel.org/stable/c/8dc2f02d3bada9247f00bfd2e5f61f68c389a0a3"
},
{
"url": "https://git.kernel.org/stable/c/543f4c380c2e1f35e60528df7cb54705cda7fee3"
},
{
"url": "https://git.kernel.org/stable/c/f24c6e3a39fa355dabfb684c9ca82db579534e72"
}
],
"title": "comedi: multiq3: sanitize config options in multiq3_attach()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68258",
"datePublished": "2025-12-16T14:45:00.920Z",
"dateReserved": "2025-12-16T13:41:40.267Z",
"dateUpdated": "2026-02-09T08:31:11.628Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40118 (GCVE-0-2025-40118)
Vulnerability from cvelistv5
Published
2025-11-12 10:23
Modified
2025-12-01 06:18
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod
Since commit f7b705c238d1 ("scsi: pm80xx: Set phy_attached to zero when
device is gone") UBSAN reports:
UBSAN: array-index-out-of-bounds in drivers/scsi/pm8001/pm8001_sas.c:786:17
index 28 is out of range for type 'pm8001_phy [16]'
on rmmod when using an expander.
For a direct attached device, attached_phy contains the local phy id.
For a device behind an expander, attached_phy contains the remote phy
id, not the local phy id.
I.e. while pm8001_ha will have pm8001_ha->chip->n_phy local phys, for a
device behind an expander, attached_phy can be much larger than
pm8001_ha->chip->n_phy (depending on the amount of phys of the
expander).
E.g. on my system pm8001_ha has 8 phys with phy ids 0-7. One of the
ports has an expander connected. The expander has 31 phys with phy ids
0-30.
The pm8001_ha->phy array only contains the phys of the HBA. It does not
contain the phys of the expander. Thus, it is wrong to use attached_phy
to index the pm8001_ha->phy array for a device behind an expander.
Thus, we can only clear phy_attached for devices that are directly
attached.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 05b512879eab41faa515b67fa3896d0005e97909 Version: bc2140c8136200b4437e1abc0fb659968cb9baab Version: 1d8f9378cb4800c18e20d80ecd605b2b93e87a03 Version: 30e482dfb8f27d22f518695d4bcb5e7f4c6cb08a Version: a862d24e1fc3ab1b5e5f20878d2898cea346d0ec Version: 0f9802f174227f553959422f844eeb9ba72467fe Version: f7b705c238d1483f0a766e2b20010f176e5c0fb7 Version: f7b705c238d1483f0a766e2b20010f176e5c0fb7 Version: 722026c010fa75bcf9e2373aff1d7930a3d7e3cf |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/pm8001/pm8001_sas.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d94be0a6ae9ade706d4270e740bdb4f79953a7fc",
"status": "affected",
"version": "05b512879eab41faa515b67fa3896d0005e97909",
"versionType": "git"
},
{
"lessThan": "45acbf154befedd9bc135f5e031fe7855d1e6493",
"status": "affected",
"version": "bc2140c8136200b4437e1abc0fb659968cb9baab",
"versionType": "git"
},
{
"lessThan": "eef5ef400893f8e3dbb09342583be0cdc716d566",
"status": "affected",
"version": "1d8f9378cb4800c18e20d80ecd605b2b93e87a03",
"versionType": "git"
},
{
"lessThan": "9c671d4dbfbfb0d73cfdfb706afb36d9ad60a582",
"status": "affected",
"version": "30e482dfb8f27d22f518695d4bcb5e7f4c6cb08a",
"versionType": "git"
},
{
"lessThan": "e62251954a128a2d0fcbc19e5fa39e08935bb628",
"status": "affected",
"version": "a862d24e1fc3ab1b5e5f20878d2898cea346d0ec",
"versionType": "git"
},
{
"lessThan": "9326a1541e1b7ed3efdbab72061b82cf01c6477a",
"status": "affected",
"version": "0f9802f174227f553959422f844eeb9ba72467fe",
"versionType": "git"
},
{
"lessThan": "83ced3c206c292458e47c7fac54223abc7141585",
"status": "affected",
"version": "f7b705c238d1483f0a766e2b20010f176e5c0fb7",
"versionType": "git"
},
{
"lessThan": "251be2f6037fb7ab399f68cd7428ff274133d693",
"status": "affected",
"version": "f7b705c238d1483f0a766e2b20010f176e5c0fb7",
"versionType": "git"
},
{
"status": "affected",
"version": "722026c010fa75bcf9e2373aff1d7930a3d7e3cf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/pm8001/pm8001_sas.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.15"
},
{
"lessThan": "6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "5.4.293",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "5.10.237",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "5.15.181",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "6.1.136",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "6.6.89",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "6.12.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.14.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod\n\nSince commit f7b705c238d1 (\"scsi: pm80xx: Set phy_attached to zero when\ndevice is gone\") UBSAN reports:\n\n UBSAN: array-index-out-of-bounds in drivers/scsi/pm8001/pm8001_sas.c:786:17\n index 28 is out of range for type \u0027pm8001_phy [16]\u0027\n\non rmmod when using an expander.\n\nFor a direct attached device, attached_phy contains the local phy id.\nFor a device behind an expander, attached_phy contains the remote phy\nid, not the local phy id.\n\nI.e. while pm8001_ha will have pm8001_ha-\u003echip-\u003en_phy local phys, for a\ndevice behind an expander, attached_phy can be much larger than\npm8001_ha-\u003echip-\u003en_phy (depending on the amount of phys of the\nexpander).\n\nE.g. on my system pm8001_ha has 8 phys with phy ids 0-7. One of the\nports has an expander connected. The expander has 31 phys with phy ids\n0-30.\n\nThe pm8001_ha-\u003ephy array only contains the phys of the HBA. It does not\ncontain the phys of the expander. Thus, it is wrong to use attached_phy\nto index the pm8001_ha-\u003ephy array for a device behind an expander.\n\nThus, we can only clear phy_attached for devices that are directly\nattached."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:18:22.177Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d94be0a6ae9ade706d4270e740bdb4f79953a7fc"
},
{
"url": "https://git.kernel.org/stable/c/45acbf154befedd9bc135f5e031fe7855d1e6493"
},
{
"url": "https://git.kernel.org/stable/c/eef5ef400893f8e3dbb09342583be0cdc716d566"
},
{
"url": "https://git.kernel.org/stable/c/9c671d4dbfbfb0d73cfdfb706afb36d9ad60a582"
},
{
"url": "https://git.kernel.org/stable/c/e62251954a128a2d0fcbc19e5fa39e08935bb628"
},
{
"url": "https://git.kernel.org/stable/c/9326a1541e1b7ed3efdbab72061b82cf01c6477a"
},
{
"url": "https://git.kernel.org/stable/c/83ced3c206c292458e47c7fac54223abc7141585"
},
{
"url": "https://git.kernel.org/stable/c/251be2f6037fb7ab399f68cd7428ff274133d693"
}
],
"title": "scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40118",
"datePublished": "2025-11-12T10:23:18.179Z",
"dateReserved": "2025-04-16T07:20:57.168Z",
"dateUpdated": "2025-12-01T06:18:22.177Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…