Search criteria
10261 vulnerabilities
CVE-2025-68766 (GCVE-0-2025-68766)
Vulnerability from cvelistv5 – Published: 2026-01-05 09:44 – Updated: 2026-01-05 09:44
VLAI?
Title
irqchip/mchp-eic: Fix error code in mchp_eic_domain_alloc()
Summary
In the Linux kernel, the following vulnerability has been resolved:
irqchip/mchp-eic: Fix error code in mchp_eic_domain_alloc()
If irq_domain_translate_twocell() sets "hwirq" to >= MCHP_EIC_NIRQ (2) then
it results in an out of bounds access.
The code checks for invalid values, but doesn't set the error code. Return
-EINVAL in that case, instead of returning success.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
00fa3461c86dd289b441d4d5a6bb236064bd207b , < 3873afcb57614c1aaa5b6715554d6d1c22cac95a
(git)
Affected: 00fa3461c86dd289b441d4d5a6bb236064bd207b , < 09efe7cfbf919c4d763bc425473fcfee0dc98356 (git) Affected: 00fa3461c86dd289b441d4d5a6bb236064bd207b , < efd65e2e2fd96f7aaa5cb07d79bbbfcfc80aa552 (git) Affected: 00fa3461c86dd289b441d4d5a6bb236064bd207b , < 7dbc0d40d8347bd9de55c904f59ea44bcc8dedb7 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/irqchip/irq-mchp-eic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3873afcb57614c1aaa5b6715554d6d1c22cac95a",
"status": "affected",
"version": "00fa3461c86dd289b441d4d5a6bb236064bd207b",
"versionType": "git"
},
{
"lessThan": "09efe7cfbf919c4d763bc425473fcfee0dc98356",
"status": "affected",
"version": "00fa3461c86dd289b441d4d5a6bb236064bd207b",
"versionType": "git"
},
{
"lessThan": "efd65e2e2fd96f7aaa5cb07d79bbbfcfc80aa552",
"status": "affected",
"version": "00fa3461c86dd289b441d4d5a6bb236064bd207b",
"versionType": "git"
},
{
"lessThan": "7dbc0d40d8347bd9de55c904f59ea44bcc8dedb7",
"status": "affected",
"version": "00fa3461c86dd289b441d4d5a6bb236064bd207b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/irqchip/irq-mchp-eic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/mchp-eic: Fix error code in mchp_eic_domain_alloc()\n\nIf irq_domain_translate_twocell() sets \"hwirq\" to \u003e= MCHP_EIC_NIRQ (2) then\nit results in an out of bounds access.\n\nThe code checks for invalid values, but doesn\u0027t set the error code. Return\n-EINVAL in that case, instead of returning success."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T09:44:13.935Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3873afcb57614c1aaa5b6715554d6d1c22cac95a"
},
{
"url": "https://git.kernel.org/stable/c/09efe7cfbf919c4d763bc425473fcfee0dc98356"
},
{
"url": "https://git.kernel.org/stable/c/efd65e2e2fd96f7aaa5cb07d79bbbfcfc80aa552"
},
{
"url": "https://git.kernel.org/stable/c/7dbc0d40d8347bd9de55c904f59ea44bcc8dedb7"
}
],
"title": "irqchip/mchp-eic: Fix error code in mchp_eic_domain_alloc()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68766",
"datePublished": "2026-01-05T09:44:13.935Z",
"dateReserved": "2025-12-24T10:30:51.034Z",
"dateUpdated": "2026-01-05T09:44:13.935Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68765 (GCVE-0-2025-68765)
Vulnerability from cvelistv5 – Published: 2026-01-05 09:44 – Updated: 2026-01-05 09:44
VLAI?
Title
mt76: mt7615: Fix memory leak in mt7615_mcu_wtbl_sta_add()
Summary
In the Linux kernel, the following vulnerability has been resolved:
mt76: mt7615: Fix memory leak in mt7615_mcu_wtbl_sta_add()
In mt7615_mcu_wtbl_sta_add(), an skb sskb is allocated. If the
subsequent call to mt76_connac_mcu_alloc_wtbl_req() fails, the function
returns an error without freeing sskb, leading to a memory leak.
Fix this by calling dev_kfree_skb() on sskb in the error handling path
to ensure it is properly released.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
99c457d902cf90bdc0df5d57e6156ec108711068 , < 278bfed4529a0c9c9119f5a52ddafe69db61a75c
(git)
Affected: 99c457d902cf90bdc0df5d57e6156ec108711068 , < fb905e69941b44e03fe1a24e95328d45442b6d6d (git) Affected: 99c457d902cf90bdc0df5d57e6156ec108711068 , < 4d42aba0ee49c0aa015c50c4f2a07cf8fa1c3a49 (git) Affected: 99c457d902cf90bdc0df5d57e6156ec108711068 , < 53d1548612670aa8b5d89745116cc33d9d172863 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/mediatek/mt76/mt7615/mcu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "278bfed4529a0c9c9119f5a52ddafe69db61a75c",
"status": "affected",
"version": "99c457d902cf90bdc0df5d57e6156ec108711068",
"versionType": "git"
},
{
"lessThan": "fb905e69941b44e03fe1a24e95328d45442b6d6d",
"status": "affected",
"version": "99c457d902cf90bdc0df5d57e6156ec108711068",
"versionType": "git"
},
{
"lessThan": "4d42aba0ee49c0aa015c50c4f2a07cf8fa1c3a49",
"status": "affected",
"version": "99c457d902cf90bdc0df5d57e6156ec108711068",
"versionType": "git"
},
{
"lessThan": "53d1548612670aa8b5d89745116cc33d9d172863",
"status": "affected",
"version": "99c457d902cf90bdc0df5d57e6156ec108711068",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/mediatek/mt76/mt7615/mcu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmt76: mt7615: Fix memory leak in mt7615_mcu_wtbl_sta_add()\n\nIn mt7615_mcu_wtbl_sta_add(), an skb sskb is allocated. If the\nsubsequent call to mt76_connac_mcu_alloc_wtbl_req() fails, the function\nreturns an error without freeing sskb, leading to a memory leak.\n\nFix this by calling dev_kfree_skb() on sskb in the error handling path\nto ensure it is properly released."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T09:44:13.242Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/278bfed4529a0c9c9119f5a52ddafe69db61a75c"
},
{
"url": "https://git.kernel.org/stable/c/fb905e69941b44e03fe1a24e95328d45442b6d6d"
},
{
"url": "https://git.kernel.org/stable/c/4d42aba0ee49c0aa015c50c4f2a07cf8fa1c3a49"
},
{
"url": "https://git.kernel.org/stable/c/53d1548612670aa8b5d89745116cc33d9d172863"
}
],
"title": "mt76: mt7615: Fix memory leak in mt7615_mcu_wtbl_sta_add()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68765",
"datePublished": "2026-01-05T09:44:13.242Z",
"dateReserved": "2025-12-24T10:30:51.034Z",
"dateUpdated": "2026-01-05T09:44:13.242Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68764 (GCVE-0-2025-68764)
Vulnerability from cvelistv5 – Published: 2026-01-05 09:44 – Updated: 2026-01-05 09:44
VLAI?
Title
NFS: Automounted filesystems should inherit ro,noexec,nodev,sync flags
Summary
In the Linux kernel, the following vulnerability has been resolved:
NFS: Automounted filesystems should inherit ro,noexec,nodev,sync flags
When a filesystem is being automounted, it needs to preserve the
user-set superblock mount options, such as the "ro" flag.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
f2aedb713c284429987dc66c7aaf38decfc8da2a , < 612cc98698d667df804792f0c47d4e501e66da29
(git)
Affected: f2aedb713c284429987dc66c7aaf38decfc8da2a , < 4b296944e632cf4c6a4cc8e2585c6451eae47b1b (git) Affected: f2aedb713c284429987dc66c7aaf38decfc8da2a , < df9b003a2ecacc7218486fbb31fe008c93097d5f (git) Affected: f2aedb713c284429987dc66c7aaf38decfc8da2a , < 8675c69816e4276b979ff475ee5fac4688f80125 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfs/namespace.c",
"fs/nfs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "612cc98698d667df804792f0c47d4e501e66da29",
"status": "affected",
"version": "f2aedb713c284429987dc66c7aaf38decfc8da2a",
"versionType": "git"
},
{
"lessThan": "4b296944e632cf4c6a4cc8e2585c6451eae47b1b",
"status": "affected",
"version": "f2aedb713c284429987dc66c7aaf38decfc8da2a",
"versionType": "git"
},
{
"lessThan": "df9b003a2ecacc7218486fbb31fe008c93097d5f",
"status": "affected",
"version": "f2aedb713c284429987dc66c7aaf38decfc8da2a",
"versionType": "git"
},
{
"lessThan": "8675c69816e4276b979ff475ee5fac4688f80125",
"status": "affected",
"version": "f2aedb713c284429987dc66c7aaf38decfc8da2a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfs/namespace.c",
"fs/nfs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFS: Automounted filesystems should inherit ro,noexec,nodev,sync flags\n\nWhen a filesystem is being automounted, it needs to preserve the\nuser-set superblock mount options, such as the \"ro\" flag."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T09:44:12.518Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/612cc98698d667df804792f0c47d4e501e66da29"
},
{
"url": "https://git.kernel.org/stable/c/4b296944e632cf4c6a4cc8e2585c6451eae47b1b"
},
{
"url": "https://git.kernel.org/stable/c/df9b003a2ecacc7218486fbb31fe008c93097d5f"
},
{
"url": "https://git.kernel.org/stable/c/8675c69816e4276b979ff475ee5fac4688f80125"
}
],
"title": "NFS: Automounted filesystems should inherit ro,noexec,nodev,sync flags",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68764",
"datePublished": "2026-01-05T09:44:12.518Z",
"dateReserved": "2025-12-24T10:30:51.034Z",
"dateUpdated": "2026-01-05T09:44:12.518Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68763 (GCVE-0-2025-68763)
Vulnerability from cvelistv5 – Published: 2026-01-05 09:32 – Updated: 2026-01-05 09:32
VLAI?
Title
crypto: starfive - Correctly handle return of sg_nents_for_len
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: starfive - Correctly handle return of sg_nents_for_len
The return value of sg_nents_for_len was assigned to an unsigned long
in starfive_hash_digest, causing negative error codes to be converted
to large positive integers.
Add error checking for sg_nents_for_len and return immediately on
failure to prevent potential buffer overflows.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
7883d1b28a2b0e62edcacea22de6b36a1918b15a , < 0c3854d65cc4402cb8c52d4d773450a06efecab6
(git)
Affected: 7883d1b28a2b0e62edcacea22de6b36a1918b15a , < 1af5c973dd744e29fa22121f43e8646b7a7a71a7 (git) Affected: 7883d1b28a2b0e62edcacea22de6b36a1918b15a , < 9b3f71cf02e04cfaa482155e3078707fe7f8aef4 (git) Affected: 7883d1b28a2b0e62edcacea22de6b36a1918b15a , < e9eb52037a529fbb307c290e9951a62dd728b03d (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/crypto/starfive/jh7110-hash.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0c3854d65cc4402cb8c52d4d773450a06efecab6",
"status": "affected",
"version": "7883d1b28a2b0e62edcacea22de6b36a1918b15a",
"versionType": "git"
},
{
"lessThan": "1af5c973dd744e29fa22121f43e8646b7a7a71a7",
"status": "affected",
"version": "7883d1b28a2b0e62edcacea22de6b36a1918b15a",
"versionType": "git"
},
{
"lessThan": "9b3f71cf02e04cfaa482155e3078707fe7f8aef4",
"status": "affected",
"version": "7883d1b28a2b0e62edcacea22de6b36a1918b15a",
"versionType": "git"
},
{
"lessThan": "e9eb52037a529fbb307c290e9951a62dd728b03d",
"status": "affected",
"version": "7883d1b28a2b0e62edcacea22de6b36a1918b15a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/crypto/starfive/jh7110-hash.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: starfive - Correctly handle return of sg_nents_for_len\n\nThe return value of sg_nents_for_len was assigned to an unsigned long\nin starfive_hash_digest, causing negative error codes to be converted\nto large positive integers.\n\nAdd error checking for sg_nents_for_len and return immediately on\nfailure to prevent potential buffer overflows."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T09:32:35.678Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0c3854d65cc4402cb8c52d4d773450a06efecab6"
},
{
"url": "https://git.kernel.org/stable/c/1af5c973dd744e29fa22121f43e8646b7a7a71a7"
},
{
"url": "https://git.kernel.org/stable/c/9b3f71cf02e04cfaa482155e3078707fe7f8aef4"
},
{
"url": "https://git.kernel.org/stable/c/e9eb52037a529fbb307c290e9951a62dd728b03d"
}
],
"title": "crypto: starfive - Correctly handle return of sg_nents_for_len",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68763",
"datePublished": "2026-01-05T09:32:35.678Z",
"dateReserved": "2025-12-24T10:30:51.034Z",
"dateUpdated": "2026-01-05T09:32:35.678Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68762 (GCVE-0-2025-68762)
Vulnerability from cvelistv5 – Published: 2026-01-05 09:32 – Updated: 2026-01-05 09:32
VLAI?
Title
net: netpoll: initialize work queue before error checks
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: netpoll: initialize work queue before error checks
Prevent a kernel warning when netconsole setup fails on devices with
IFF_DISABLE_NETPOLL flag. The warning (at kernel/workqueue.c:4242 in
__flush_work) occurs because the cleanup path tries to cancel an
uninitialized work queue.
When __netpoll_setup() encounters a device with IFF_DISABLE_NETPOLL,
it fails early and calls skb_pool_flush() for cleanup. This function
calls cancel_work_sync(&np->refill_wq), but refill_wq hasn't been
initialized yet, triggering the warning.
Move INIT_WORK() to the beginning of __netpoll_setup(), ensuring the
work queue is properly initialized before any potential failure points.
This allows the cleanup path to safely cancel the work queue regardless
of where the setup fails.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
248f6571fd4c51531f7f8f07f186f7ae98a50afc , < a90d0dc38a10347078cca60e7495ad0648838f18
(git)
Affected: 248f6571fd4c51531f7f8f07f186f7ae98a50afc , < 760bc6ceda8e2c273c0e2018ad2595967c3dd308 (git) Affected: 248f6571fd4c51531f7f8f07f186f7ae98a50afc , < e5235eb6cfe02a51256013a78f7b28779a7740d5 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/netpoll.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a90d0dc38a10347078cca60e7495ad0648838f18",
"status": "affected",
"version": "248f6571fd4c51531f7f8f07f186f7ae98a50afc",
"versionType": "git"
},
{
"lessThan": "760bc6ceda8e2c273c0e2018ad2595967c3dd308",
"status": "affected",
"version": "248f6571fd4c51531f7f8f07f186f7ae98a50afc",
"versionType": "git"
},
{
"lessThan": "e5235eb6cfe02a51256013a78f7b28779a7740d5",
"status": "affected",
"version": "248f6571fd4c51531f7f8f07f186f7ae98a50afc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/netpoll.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.15"
},
{
"lessThan": "6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "6.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: netpoll: initialize work queue before error checks\n\nPrevent a kernel warning when netconsole setup fails on devices with\nIFF_DISABLE_NETPOLL flag. The warning (at kernel/workqueue.c:4242 in\n__flush_work) occurs because the cleanup path tries to cancel an\nuninitialized work queue.\n\nWhen __netpoll_setup() encounters a device with IFF_DISABLE_NETPOLL,\nit fails early and calls skb_pool_flush() for cleanup. This function\ncalls cancel_work_sync(\u0026np-\u003erefill_wq), but refill_wq hasn\u0027t been\ninitialized yet, triggering the warning.\n\nMove INIT_WORK() to the beginning of __netpoll_setup(), ensuring the\nwork queue is properly initialized before any potential failure points.\nThis allows the cleanup path to safely cancel the work queue regardless\nof where the setup fails."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T09:32:34.743Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a90d0dc38a10347078cca60e7495ad0648838f18"
},
{
"url": "https://git.kernel.org/stable/c/760bc6ceda8e2c273c0e2018ad2595967c3dd308"
},
{
"url": "https://git.kernel.org/stable/c/e5235eb6cfe02a51256013a78f7b28779a7740d5"
}
],
"title": "net: netpoll: initialize work queue before error checks",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68762",
"datePublished": "2026-01-05T09:32:34.743Z",
"dateReserved": "2025-12-24T10:30:51.034Z",
"dateUpdated": "2026-01-05T09:32:34.743Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68761 (GCVE-0-2025-68761)
Vulnerability from cvelistv5 – Published: 2026-01-05 09:32 – Updated: 2026-01-05 09:32
VLAI?
Title
hfs: fix potential use after free in hfs_correct_next_unused_CNID()
Summary
In the Linux kernel, the following vulnerability has been resolved:
hfs: fix potential use after free in hfs_correct_next_unused_CNID()
This code calls hfs_bnode_put(node) which drops the refcount and then
dreferences "node" on the next line. It's only safe to use "node"
when we're holding a reference so flip these two lines around.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/hfs/catalog.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "40a1e0142096dd7dd6cb5373841222b528698588",
"status": "affected",
"version": "a06ec283e125e334155fe13005c76c9f484ce759",
"versionType": "git"
},
{
"lessThan": "c105e76bb17cf4b55fe89c6ad4f6a0e3972b5b08",
"status": "affected",
"version": "a06ec283e125e334155fe13005c76c9f484ce759",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/hfs/catalog.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfs: fix potential use after free in hfs_correct_next_unused_CNID()\n\nThis code calls hfs_bnode_put(node) which drops the refcount and then\ndreferences \"node\" on the next line. It\u0027s only safe to use \"node\"\nwhen we\u0027re holding a reference so flip these two lines around."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T09:32:33.814Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/40a1e0142096dd7dd6cb5373841222b528698588"
},
{
"url": "https://git.kernel.org/stable/c/c105e76bb17cf4b55fe89c6ad4f6a0e3972b5b08"
}
],
"title": "hfs: fix potential use after free in hfs_correct_next_unused_CNID()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68761",
"datePublished": "2026-01-05T09:32:33.814Z",
"dateReserved": "2025-12-24T10:30:51.034Z",
"dateUpdated": "2026-01-05T09:32:33.814Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68760 (GCVE-0-2025-68760)
Vulnerability from cvelistv5 – Published: 2026-01-05 09:32 – Updated: 2026-01-05 09:32
VLAI?
Title
iommu/amd: Fix potential out-of-bounds read in iommu_mmio_show
Summary
In the Linux kernel, the following vulnerability has been resolved:
iommu/amd: Fix potential out-of-bounds read in iommu_mmio_show
In iommu_mmio_write(), it validates the user-provided offset with the
check: `iommu->dbg_mmio_offset > iommu->mmio_phys_end - 4`.
This assumes a 4-byte access. However, the corresponding
show handler, iommu_mmio_show(), uses readq() to perform an 8-byte
(64-bit) read.
If a user provides an offset equal to `mmio_phys_end - 4`, the check
passes, and will lead to a 4-byte out-of-bounds read.
Fix this by adjusting the boundary check to use sizeof(u64), which
corresponds to the size of the readq() operation.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
7a4ee419e8c144b747a8915856e91a034d7c8f34 , < b959df804c33913dbfdb90750f2d693502b3d126
(git)
Affected: 7a4ee419e8c144b747a8915856e91a034d7c8f34 , < 0ec4aaf5f3f559716a6559f3d6d9616e9470bed6 (git) Affected: 7a4ee419e8c144b747a8915856e91a034d7c8f34 , < a0c7005333f9a968abb058b1d77bbcd7fb7fd1e7 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iommu/amd/debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b959df804c33913dbfdb90750f2d693502b3d126",
"status": "affected",
"version": "7a4ee419e8c144b747a8915856e91a034d7c8f34",
"versionType": "git"
},
{
"lessThan": "0ec4aaf5f3f559716a6559f3d6d9616e9470bed6",
"status": "affected",
"version": "7a4ee419e8c144b747a8915856e91a034d7c8f34",
"versionType": "git"
},
{
"lessThan": "a0c7005333f9a968abb058b1d77bbcd7fb7fd1e7",
"status": "affected",
"version": "7a4ee419e8c144b747a8915856e91a034d7c8f34",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iommu/amd/debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.17"
},
{
"lessThan": "6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/amd: Fix potential out-of-bounds read in iommu_mmio_show\n\nIn iommu_mmio_write(), it validates the user-provided offset with the\ncheck: `iommu-\u003edbg_mmio_offset \u003e iommu-\u003emmio_phys_end - 4`.\nThis assumes a 4-byte access. However, the corresponding\nshow handler, iommu_mmio_show(), uses readq() to perform an 8-byte\n(64-bit) read.\n\nIf a user provides an offset equal to `mmio_phys_end - 4`, the check\npasses, and will lead to a 4-byte out-of-bounds read.\n\nFix this by adjusting the boundary check to use sizeof(u64), which\ncorresponds to the size of the readq() operation."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T09:32:32.894Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b959df804c33913dbfdb90750f2d693502b3d126"
},
{
"url": "https://git.kernel.org/stable/c/0ec4aaf5f3f559716a6559f3d6d9616e9470bed6"
},
{
"url": "https://git.kernel.org/stable/c/a0c7005333f9a968abb058b1d77bbcd7fb7fd1e7"
}
],
"title": "iommu/amd: Fix potential out-of-bounds read in iommu_mmio_show",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68760",
"datePublished": "2026-01-05T09:32:32.894Z",
"dateReserved": "2025-12-24T10:30:51.033Z",
"dateUpdated": "2026-01-05T09:32:32.894Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68759 (GCVE-0-2025-68759)
Vulnerability from cvelistv5 – Published: 2026-01-05 09:32 – Updated: 2026-01-05 09:32
VLAI?
Title
wifi: rtl818x: Fix potential memory leaks in rtl8180_init_rx_ring()
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: rtl818x: Fix potential memory leaks in rtl8180_init_rx_ring()
In rtl8180_init_rx_ring(), memory is allocated for skb packets and DMA
allocations in a loop. When an allocation fails, the previously
successful allocations are not freed on exit.
Fix that by jumping to err_free_rings label on error, which calls
rtl8180_free_rx_ring() to free the allocations. Remove the free of
rx_ring in rtl8180_init_rx_ring() error path, and set the freed
priv->rx_buf entry to null, to avoid double free.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
f653211197f3841f383fa9757ef8ce182c6cf627 , < ee7db11742b30641f21306105ad27a275e3c61d7
(git)
Affected: f653211197f3841f383fa9757ef8ce182c6cf627 , < a813a74570212cb5f3a7d3b05c0cb0cd00bace1d (git) Affected: f653211197f3841f383fa9757ef8ce182c6cf627 , < c9d1c4152e6d32fa74034464854bee262a60bc43 (git) Affected: f653211197f3841f383fa9757ef8ce182c6cf627 , < 9b5b9c042b30befc5b37e4539ace95af70843473 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/realtek/rtl818x/rtl8180/dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ee7db11742b30641f21306105ad27a275e3c61d7",
"status": "affected",
"version": "f653211197f3841f383fa9757ef8ce182c6cf627",
"versionType": "git"
},
{
"lessThan": "a813a74570212cb5f3a7d3b05c0cb0cd00bace1d",
"status": "affected",
"version": "f653211197f3841f383fa9757ef8ce182c6cf627",
"versionType": "git"
},
{
"lessThan": "c9d1c4152e6d32fa74034464854bee262a60bc43",
"status": "affected",
"version": "f653211197f3841f383fa9757ef8ce182c6cf627",
"versionType": "git"
},
{
"lessThan": "9b5b9c042b30befc5b37e4539ace95af70843473",
"status": "affected",
"version": "f653211197f3841f383fa9757ef8ce182c6cf627",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/realtek/rtl818x/rtl8180/dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.25"
},
{
"lessThan": "2.6.25",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "2.6.25",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtl818x: Fix potential memory leaks in rtl8180_init_rx_ring()\n\nIn rtl8180_init_rx_ring(), memory is allocated for skb packets and DMA\nallocations in a loop. When an allocation fails, the previously\nsuccessful allocations are not freed on exit.\n\nFix that by jumping to err_free_rings label on error, which calls\nrtl8180_free_rx_ring() to free the allocations. Remove the free of\nrx_ring in rtl8180_init_rx_ring() error path, and set the freed\npriv-\u003erx_buf entry to null, to avoid double free."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T09:32:32.174Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ee7db11742b30641f21306105ad27a275e3c61d7"
},
{
"url": "https://git.kernel.org/stable/c/a813a74570212cb5f3a7d3b05c0cb0cd00bace1d"
},
{
"url": "https://git.kernel.org/stable/c/c9d1c4152e6d32fa74034464854bee262a60bc43"
},
{
"url": "https://git.kernel.org/stable/c/9b5b9c042b30befc5b37e4539ace95af70843473"
}
],
"title": "wifi: rtl818x: Fix potential memory leaks in rtl8180_init_rx_ring()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68759",
"datePublished": "2026-01-05T09:32:32.174Z",
"dateReserved": "2025-12-24T10:30:51.033Z",
"dateUpdated": "2026-01-05T09:32:32.174Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68758 (GCVE-0-2025-68758)
Vulnerability from cvelistv5 – Published: 2026-01-05 09:32 – Updated: 2026-01-05 09:32
VLAI?
Title
backlight: led-bl: Add devlink to supplier LEDs
Summary
In the Linux kernel, the following vulnerability has been resolved:
backlight: led-bl: Add devlink to supplier LEDs
LED Backlight is a consumer of one or multiple LED class devices, but
devlink is currently unable to create correct supplier-producer links when
the supplier is a class device. It creates instead a link where the
supplier is the parent of the expected device.
One consequence is that removal order is not correctly enforced.
Issues happen for example with the following sections in a device tree
overlay:
// An LED driver chip
pca9632@62 {
compatible = "nxp,pca9632";
reg = <0x62>;
// ...
addon_led_pwm: led-pwm@3 {
reg = <3>;
label = "addon:led:pwm";
};
};
backlight-addon {
compatible = "led-backlight";
leds = <&addon_led_pwm>;
brightness-levels = <255>;
default-brightness-level = <255>;
};
In this example, the devlink should be created between the backlight-addon
(consumer) and the pca9632@62 (supplier). Instead it is created between the
backlight-addon (consumer) and the parent of the pca9632@62, which is
typically the I2C bus adapter.
On removal of the above overlay, the LED driver can be removed before the
backlight device, resulting in:
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010
...
Call trace:
led_put+0xe0/0x140
devm_led_release+0x6c/0x98
Another way to reproduce the bug without any device tree overlays is
unbinding the LED class device (pca9632@62) before unbinding the consumer
(backlight-addon):
echo 11-0062 >/sys/bus/i2c/drivers/leds-pca963x/unbind
echo ...backlight-dock >/sys/bus/platform/drivers/led-backlight/unbind
Fix by adding a devlink between the consuming led-backlight device and the
supplying LED device, as other drivers and subsystems do as well.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
ae232e45acf9621f2c96b41ca3af006ac7552c33 , < 0e63ea4378489e09eb5e920c8a50c10caacf563a
(git)
Affected: ae232e45acf9621f2c96b41ca3af006ac7552c33 , < 60a24070392ec726ccfe6ad1ca7b0381c8d8f7c9 (git) Affected: ae232e45acf9621f2c96b41ca3af006ac7552c33 , < 08c9dc6b0f2c68e5e7c374ac4499e321e435d46c (git) Affected: ae232e45acf9621f2c96b41ca3af006ac7552c33 , < 9341d6698f4cfdfc374fb6944158d111ebe16a9d (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/video/backlight/led_bl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0e63ea4378489e09eb5e920c8a50c10caacf563a",
"status": "affected",
"version": "ae232e45acf9621f2c96b41ca3af006ac7552c33",
"versionType": "git"
},
{
"lessThan": "60a24070392ec726ccfe6ad1ca7b0381c8d8f7c9",
"status": "affected",
"version": "ae232e45acf9621f2c96b41ca3af006ac7552c33",
"versionType": "git"
},
{
"lessThan": "08c9dc6b0f2c68e5e7c374ac4499e321e435d46c",
"status": "affected",
"version": "ae232e45acf9621f2c96b41ca3af006ac7552c33",
"versionType": "git"
},
{
"lessThan": "9341d6698f4cfdfc374fb6944158d111ebe16a9d",
"status": "affected",
"version": "ae232e45acf9621f2c96b41ca3af006ac7552c33",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/video/backlight/led_bl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbacklight: led-bl: Add devlink to supplier LEDs\n\nLED Backlight is a consumer of one or multiple LED class devices, but\ndevlink is currently unable to create correct supplier-producer links when\nthe supplier is a class device. It creates instead a link where the\nsupplier is the parent of the expected device.\n\nOne consequence is that removal order is not correctly enforced.\n\nIssues happen for example with the following sections in a device tree\noverlay:\n\n // An LED driver chip\n pca9632@62 {\n compatible = \"nxp,pca9632\";\n reg = \u003c0x62\u003e;\n\n\t// ...\n\n addon_led_pwm: led-pwm@3 {\n reg = \u003c3\u003e;\n label = \"addon:led:pwm\";\n };\n };\n\n backlight-addon {\n compatible = \"led-backlight\";\n leds = \u003c\u0026addon_led_pwm\u003e;\n brightness-levels = \u003c255\u003e;\n default-brightness-level = \u003c255\u003e;\n };\n\nIn this example, the devlink should be created between the backlight-addon\n(consumer) and the pca9632@62 (supplier). Instead it is created between the\nbacklight-addon (consumer) and the parent of the pca9632@62, which is\ntypically the I2C bus adapter.\n\nOn removal of the above overlay, the LED driver can be removed before the\nbacklight device, resulting in:\n\n Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010\n ...\n Call trace:\n led_put+0xe0/0x140\n devm_led_release+0x6c/0x98\n\nAnother way to reproduce the bug without any device tree overlays is\nunbinding the LED class device (pca9632@62) before unbinding the consumer\n(backlight-addon):\n\n echo 11-0062 \u003e/sys/bus/i2c/drivers/leds-pca963x/unbind\n echo ...backlight-dock \u003e/sys/bus/platform/drivers/led-backlight/unbind\n\nFix by adding a devlink between the consuming led-backlight device and the\nsupplying LED device, as other drivers and subsystems do as well."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T09:32:31.399Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0e63ea4378489e09eb5e920c8a50c10caacf563a"
},
{
"url": "https://git.kernel.org/stable/c/60a24070392ec726ccfe6ad1ca7b0381c8d8f7c9"
},
{
"url": "https://git.kernel.org/stable/c/08c9dc6b0f2c68e5e7c374ac4499e321e435d46c"
},
{
"url": "https://git.kernel.org/stable/c/9341d6698f4cfdfc374fb6944158d111ebe16a9d"
}
],
"title": "backlight: led-bl: Add devlink to supplier LEDs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68758",
"datePublished": "2026-01-05T09:32:31.399Z",
"dateReserved": "2025-12-24T10:30:51.033Z",
"dateUpdated": "2026-01-05T09:32:31.399Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68757 (GCVE-0-2025-68757)
Vulnerability from cvelistv5 – Published: 2026-01-05 09:32 – Updated: 2026-01-05 09:32
VLAI?
Title
drm/vgem-fence: Fix potential deadlock on release
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/vgem-fence: Fix potential deadlock on release
A timer that expires a vgem fence automatically in 10 seconds is now
released with timer_delete_sync() from fence->ops.release() called on last
dma_fence_put(). In some scenarios, it can run in IRQ context, which is
not safe unless TIMER_IRQSAFE is used. One potentially risky scenario was
demonstrated in Intel DRM CI trybot, BAT run on machine bat-adlp-6, while
working on new IGT subtests syncobj_timeline@stress-* as user space
replacements of some problematic test cases of a dma-fence-chain selftest
[1].
[117.004338] ================================
[117.004340] WARNING: inconsistent lock state
[117.004342] 6.17.0-rc7-CI_DRM_17270-g7644974e648c+ #1 Tainted: G S U
[117.004346] --------------------------------
[117.004347] inconsistent {HARDIRQ-ON-W} -> {IN-HARDIRQ-W} usage.
[117.004349] swapper/0/0 [HC1[1]:SC1[1]:HE0:SE0] takes:
[117.004352] ffff888138f86aa8 ((&fence->timer)){?.-.}-{0:0}, at: __timer_delete_sync+0x4b/0x190
[117.004361] {HARDIRQ-ON-W} state was registered at:
[117.004363] lock_acquire+0xc4/0x2e0
[117.004366] call_timer_fn+0x80/0x2a0
[117.004368] __run_timers+0x231/0x310
[117.004370] run_timer_softirq+0x76/0xe0
[117.004372] handle_softirqs+0xd4/0x4d0
[117.004375] __irq_exit_rcu+0x13f/0x160
[117.004377] irq_exit_rcu+0xe/0x20
[117.004379] sysvec_apic_timer_interrupt+0xa0/0xc0
[117.004382] asm_sysvec_apic_timer_interrupt+0x1b/0x20
[117.004385] cpuidle_enter_state+0x12b/0x8a0
[117.004388] cpuidle_enter+0x2e/0x50
[117.004393] call_cpuidle+0x22/0x60
[117.004395] do_idle+0x1fd/0x260
[117.004398] cpu_startup_entry+0x29/0x30
[117.004401] start_secondary+0x12d/0x160
[117.004404] common_startup_64+0x13e/0x141
[117.004407] irq event stamp: 2282669
[117.004409] hardirqs last enabled at (2282668): [<ffffffff8289db71>] _raw_spin_unlock_irqrestore+0x51/0x80
[117.004414] hardirqs last disabled at (2282669): [<ffffffff82882021>] sysvec_irq_work+0x11/0xc0
[117.004419] softirqs last enabled at (2254702): [<ffffffff8289fd00>] __do_softirq+0x10/0x18
[117.004423] softirqs last disabled at (2254725): [<ffffffff813d4ddf>] __irq_exit_rcu+0x13f/0x160
[117.004426]
other info that might help us debug this:
[117.004429] Possible unsafe locking scenario:
[117.004432] CPU0
[117.004433] ----
[117.004434] lock((&fence->timer));
[117.004436] <Interrupt>
[117.004438] lock((&fence->timer));
[117.004440]
*** DEADLOCK ***
[117.004443] 1 lock held by swapper/0/0:
[117.004445] #0: ffffc90000003d50 ((&fence->timer)){?.-.}-{0:0}, at: call_timer_fn+0x7a/0x2a0
[117.004450]
stack backtrace:
[117.004453] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G S U 6.17.0-rc7-CI_DRM_17270-g7644974e648c+ #1 PREEMPT(voluntary)
[117.004455] Tainted: [S]=CPU_OUT_OF_SPEC, [U]=USER
[117.004455] Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-P DDR4 RVP, BIOS RPLPFWI1.R00.4035.A00.2301200723 01/20/2023
[117.004456] Call Trace:
[117.004456] <IRQ>
[117.004457] dump_stack_lvl+0x91/0xf0
[117.004460] dump_stack+0x10/0x20
[117.004461] print_usage_bug.part.0+0x260/0x360
[117.004463] mark_lock+0x76e/0x9c0
[117.004465] ? register_lock_class+0x48/0x4a0
[117.004467] __lock_acquire+0xbc3/0x2860
[117.004469] lock_acquire+0xc4/0x2e0
[117.004470] ? __timer_delete_sync+0x4b/0x190
[117.004472] ? __timer_delete_sync+0x4b/0x190
[117.004473] __timer_delete_sync+0x68/0x190
[117.004474] ? __timer_delete_sync+0x4b/0x190
[117.004475] timer_delete_sync+0x10/0x20
[117.004476] vgem_fence_release+0x19/0x30 [vgem]
[117.004478] dma_fence_release+0xc1/0x3b0
[117.004480] ? dma_fence_release+0xa1/0x3b0
[117.004481] dma_fence_chain_release+0xe7/0x130
[117.004483] dma_fence_release+0xc1/0x3b0
[117.004484] ? _raw_spin_unlock_irqrestore+0x27/0x80
[117.004485] dma_fence_chain_irq_work+0x59/0x80
[117.004487] irq_work_single+0x75/0xa0
[117.004490] irq_work_r
---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
4077798484459a2eced2050045099a466ecb618a , < 338e388c0d80ffc04963b6b0ec702ffdfd2c4eba
(git)
Affected: 4077798484459a2eced2050045099a466ecb618a , < 4f335cb8fad69b2be5accf0ebac3a8b345915f4e (git) Affected: 4077798484459a2eced2050045099a466ecb618a , < 1f0ca9d3e7c38a39f1f12377c24decf0bba46e54 (git) Affected: 4077798484459a2eced2050045099a466ecb618a , < 78b4d6463e9e69e5103f98b367f8984ad12cdc6f (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/vgem/vgem_fence.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "338e388c0d80ffc04963b6b0ec702ffdfd2c4eba",
"status": "affected",
"version": "4077798484459a2eced2050045099a466ecb618a",
"versionType": "git"
},
{
"lessThan": "4f335cb8fad69b2be5accf0ebac3a8b345915f4e",
"status": "affected",
"version": "4077798484459a2eced2050045099a466ecb618a",
"versionType": "git"
},
{
"lessThan": "1f0ca9d3e7c38a39f1f12377c24decf0bba46e54",
"status": "affected",
"version": "4077798484459a2eced2050045099a466ecb618a",
"versionType": "git"
},
{
"lessThan": "78b4d6463e9e69e5103f98b367f8984ad12cdc6f",
"status": "affected",
"version": "4077798484459a2eced2050045099a466ecb618a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/vgem/vgem_fence.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vgem-fence: Fix potential deadlock on release\n\nA timer that expires a vgem fence automatically in 10 seconds is now\nreleased with timer_delete_sync() from fence-\u003eops.release() called on last\ndma_fence_put(). In some scenarios, it can run in IRQ context, which is\nnot safe unless TIMER_IRQSAFE is used. One potentially risky scenario was\ndemonstrated in Intel DRM CI trybot, BAT run on machine bat-adlp-6, while\nworking on new IGT subtests syncobj_timeline@stress-* as user space\nreplacements of some problematic test cases of a dma-fence-chain selftest\n[1].\n\n[117.004338] ================================\n[117.004340] WARNING: inconsistent lock state\n[117.004342] 6.17.0-rc7-CI_DRM_17270-g7644974e648c+ #1 Tainted: G S U\n[117.004346] --------------------------------\n[117.004347] inconsistent {HARDIRQ-ON-W} -\u003e {IN-HARDIRQ-W} usage.\n[117.004349] swapper/0/0 [HC1[1]:SC1[1]:HE0:SE0] takes:\n[117.004352] ffff888138f86aa8 ((\u0026fence-\u003etimer)){?.-.}-{0:0}, at: __timer_delete_sync+0x4b/0x190\n[117.004361] {HARDIRQ-ON-W} state was registered at:\n[117.004363] lock_acquire+0xc4/0x2e0\n[117.004366] call_timer_fn+0x80/0x2a0\n[117.004368] __run_timers+0x231/0x310\n[117.004370] run_timer_softirq+0x76/0xe0\n[117.004372] handle_softirqs+0xd4/0x4d0\n[117.004375] __irq_exit_rcu+0x13f/0x160\n[117.004377] irq_exit_rcu+0xe/0x20\n[117.004379] sysvec_apic_timer_interrupt+0xa0/0xc0\n[117.004382] asm_sysvec_apic_timer_interrupt+0x1b/0x20\n[117.004385] cpuidle_enter_state+0x12b/0x8a0\n[117.004388] cpuidle_enter+0x2e/0x50\n[117.004393] call_cpuidle+0x22/0x60\n[117.004395] do_idle+0x1fd/0x260\n[117.004398] cpu_startup_entry+0x29/0x30\n[117.004401] start_secondary+0x12d/0x160\n[117.004404] common_startup_64+0x13e/0x141\n[117.004407] irq event stamp: 2282669\n[117.004409] hardirqs last enabled at (2282668): [\u003cffffffff8289db71\u003e] _raw_spin_unlock_irqrestore+0x51/0x80\n[117.004414] hardirqs last disabled at (2282669): [\u003cffffffff82882021\u003e] sysvec_irq_work+0x11/0xc0\n[117.004419] softirqs last enabled at (2254702): [\u003cffffffff8289fd00\u003e] __do_softirq+0x10/0x18\n[117.004423] softirqs last disabled at (2254725): [\u003cffffffff813d4ddf\u003e] __irq_exit_rcu+0x13f/0x160\n[117.004426]\nother info that might help us debug this:\n[117.004429] Possible unsafe locking scenario:\n[117.004432] CPU0\n[117.004433] ----\n[117.004434] lock((\u0026fence-\u003etimer));\n[117.004436] \u003cInterrupt\u003e\n[117.004438] lock((\u0026fence-\u003etimer));\n[117.004440]\n *** DEADLOCK ***\n[117.004443] 1 lock held by swapper/0/0:\n[117.004445] #0: ffffc90000003d50 ((\u0026fence-\u003etimer)){?.-.}-{0:0}, at: call_timer_fn+0x7a/0x2a0\n[117.004450]\nstack backtrace:\n[117.004453] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G S U 6.17.0-rc7-CI_DRM_17270-g7644974e648c+ #1 PREEMPT(voluntary)\n[117.004455] Tainted: [S]=CPU_OUT_OF_SPEC, [U]=USER\n[117.004455] Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-P DDR4 RVP, BIOS RPLPFWI1.R00.4035.A00.2301200723 01/20/2023\n[117.004456] Call Trace:\n[117.004456] \u003cIRQ\u003e\n[117.004457] dump_stack_lvl+0x91/0xf0\n[117.004460] dump_stack+0x10/0x20\n[117.004461] print_usage_bug.part.0+0x260/0x360\n[117.004463] mark_lock+0x76e/0x9c0\n[117.004465] ? register_lock_class+0x48/0x4a0\n[117.004467] __lock_acquire+0xbc3/0x2860\n[117.004469] lock_acquire+0xc4/0x2e0\n[117.004470] ? __timer_delete_sync+0x4b/0x190\n[117.004472] ? __timer_delete_sync+0x4b/0x190\n[117.004473] __timer_delete_sync+0x68/0x190\n[117.004474] ? __timer_delete_sync+0x4b/0x190\n[117.004475] timer_delete_sync+0x10/0x20\n[117.004476] vgem_fence_release+0x19/0x30 [vgem]\n[117.004478] dma_fence_release+0xc1/0x3b0\n[117.004480] ? dma_fence_release+0xa1/0x3b0\n[117.004481] dma_fence_chain_release+0xe7/0x130\n[117.004483] dma_fence_release+0xc1/0x3b0\n[117.004484] ? _raw_spin_unlock_irqrestore+0x27/0x80\n[117.004485] dma_fence_chain_irq_work+0x59/0x80\n[117.004487] irq_work_single+0x75/0xa0\n[117.004490] irq_work_r\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T09:32:30.496Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/338e388c0d80ffc04963b6b0ec702ffdfd2c4eba"
},
{
"url": "https://git.kernel.org/stable/c/4f335cb8fad69b2be5accf0ebac3a8b345915f4e"
},
{
"url": "https://git.kernel.org/stable/c/1f0ca9d3e7c38a39f1f12377c24decf0bba46e54"
},
{
"url": "https://git.kernel.org/stable/c/78b4d6463e9e69e5103f98b367f8984ad12cdc6f"
}
],
"title": "drm/vgem-fence: Fix potential deadlock on release",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68757",
"datePublished": "2026-01-05T09:32:30.496Z",
"dateReserved": "2025-12-24T10:30:51.033Z",
"dateUpdated": "2026-01-05T09:32:30.496Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68755 (GCVE-0-2025-68755)
Vulnerability from cvelistv5 – Published: 2026-01-05 09:32 – Updated: 2026-01-05 09:32
VLAI?
Title
staging: most: remove broken i2c driver
Summary
In the Linux kernel, the following vulnerability has been resolved:
staging: most: remove broken i2c driver
The MOST I2C driver has been completely broken for five years without
anyone noticing so remove the driver from staging.
Specifically, commit 723de0f9171e ("staging: most: remove device from
interface structure") started requiring drivers to set the interface
device pointer before registration, but the I2C driver was never updated
which results in a NULL pointer dereference if anyone ever tries to
probe it.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
723de0f9171eeb49a3ae98cae82ebbbb992b3a7c , < 6059a66dba7f26b21852831432e17075f1a1c783
(git)
Affected: 723de0f9171eeb49a3ae98cae82ebbbb992b3a7c , < e463548fd80e779efea1cb2d3049b8a7231e6925 (git) Affected: 723de0f9171eeb49a3ae98cae82ebbbb992b3a7c , < 495df2da6944477d282d5cc0c13174d06e25b310 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/staging/most/Kconfig",
"drivers/staging/most/Makefile",
"drivers/staging/most/i2c/Kconfig",
"drivers/staging/most/i2c/Makefile",
"drivers/staging/most/i2c/i2c.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6059a66dba7f26b21852831432e17075f1a1c783",
"status": "affected",
"version": "723de0f9171eeb49a3ae98cae82ebbbb992b3a7c",
"versionType": "git"
},
{
"lessThan": "e463548fd80e779efea1cb2d3049b8a7231e6925",
"status": "affected",
"version": "723de0f9171eeb49a3ae98cae82ebbbb992b3a7c",
"versionType": "git"
},
{
"lessThan": "495df2da6944477d282d5cc0c13174d06e25b310",
"status": "affected",
"version": "723de0f9171eeb49a3ae98cae82ebbbb992b3a7c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/staging/most/Kconfig",
"drivers/staging/most/Makefile",
"drivers/staging/most/i2c/Kconfig",
"drivers/staging/most/i2c/Makefile",
"drivers/staging/most/i2c/i2c.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: most: remove broken i2c driver\n\nThe MOST I2C driver has been completely broken for five years without\nanyone noticing so remove the driver from staging.\n\nSpecifically, commit 723de0f9171e (\"staging: most: remove device from\ninterface structure\") started requiring drivers to set the interface\ndevice pointer before registration, but the I2C driver was never updated\nwhich results in a NULL pointer dereference if anyone ever tries to\nprobe it."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T09:32:29.149Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6059a66dba7f26b21852831432e17075f1a1c783"
},
{
"url": "https://git.kernel.org/stable/c/e463548fd80e779efea1cb2d3049b8a7231e6925"
},
{
"url": "https://git.kernel.org/stable/c/495df2da6944477d282d5cc0c13174d06e25b310"
}
],
"title": "staging: most: remove broken i2c driver",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68755",
"datePublished": "2026-01-05T09:32:29.149Z",
"dateReserved": "2025-12-24T10:30:51.033Z",
"dateUpdated": "2026-01-05T09:32:29.149Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68756 (GCVE-0-2025-68756)
Vulnerability from cvelistv5 – Published: 2026-01-05 09:32 – Updated: 2026-01-05 09:32
VLAI?
Title
block: Use RCU in blk_mq_[un]quiesce_tagset() instead of set->tag_list_lock
Summary
In the Linux kernel, the following vulnerability has been resolved:
block: Use RCU in blk_mq_[un]quiesce_tagset() instead of set->tag_list_lock
blk_mq_{add,del}_queue_tag_set() functions add and remove queues from
tagset, the functions make sure that tagset and queues are marked as
shared when two or more queues are attached to the same tagset.
Initially a tagset starts as unshared and when the number of added
queues reaches two, blk_mq_add_queue_tag_set() marks it as shared along
with all the queues attached to it. When the number of attached queues
drops to 1 blk_mq_del_queue_tag_set() need to mark both the tagset and
the remaining queues as unshared.
Both functions need to freeze current queues in tagset before setting on
unsetting BLK_MQ_F_TAG_QUEUE_SHARED flag. While doing so, both functions
hold set->tag_list_lock mutex, which makes sense as we do not want
queues to be added or deleted in the process. This used to work fine
until commit 98d81f0df70c ("nvme: use blk_mq_[un]quiesce_tagset")
made the nvme driver quiesce tagset instead of quiscing individual
queues. blk_mq_quiesce_tagset() does the job and quiesce the queues in
set->tag_list while holding set->tag_list_lock also.
This results in deadlock between two threads with these stacktraces:
__schedule+0x47c/0xbb0
? timerqueue_add+0x66/0xb0
schedule+0x1c/0xa0
schedule_preempt_disabled+0xa/0x10
__mutex_lock.constprop.0+0x271/0x600
blk_mq_quiesce_tagset+0x25/0xc0
nvme_dev_disable+0x9c/0x250
nvme_timeout+0x1fc/0x520
blk_mq_handle_expired+0x5c/0x90
bt_iter+0x7e/0x90
blk_mq_queue_tag_busy_iter+0x27e/0x550
? __blk_mq_complete_request_remote+0x10/0x10
? __blk_mq_complete_request_remote+0x10/0x10
? __call_rcu_common.constprop.0+0x1c0/0x210
blk_mq_timeout_work+0x12d/0x170
process_one_work+0x12e/0x2d0
worker_thread+0x288/0x3a0
? rescuer_thread+0x480/0x480
kthread+0xb8/0xe0
? kthread_park+0x80/0x80
ret_from_fork+0x2d/0x50
? kthread_park+0x80/0x80
ret_from_fork_asm+0x11/0x20
__schedule+0x47c/0xbb0
? xas_find+0x161/0x1a0
schedule+0x1c/0xa0
blk_mq_freeze_queue_wait+0x3d/0x70
? destroy_sched_domains_rcu+0x30/0x30
blk_mq_update_tag_set_shared+0x44/0x80
blk_mq_exit_queue+0x141/0x150
del_gendisk+0x25a/0x2d0
nvme_ns_remove+0xc9/0x170
nvme_remove_namespaces+0xc7/0x100
nvme_remove+0x62/0x150
pci_device_remove+0x23/0x60
device_release_driver_internal+0x159/0x200
unbind_store+0x99/0xa0
kernfs_fop_write_iter+0x112/0x1e0
vfs_write+0x2b1/0x3d0
ksys_write+0x4e/0xb0
do_syscall_64+0x5b/0x160
entry_SYSCALL_64_after_hwframe+0x4b/0x53
The top stacktrace is showing nvme_timeout() called to handle nvme
command timeout. timeout handler is trying to disable the controller and
as a first step, it needs to blk_mq_quiesce_tagset() to tell blk-mq not
to call queue callback handlers. The thread is stuck waiting for
set->tag_list_lock as it tries to walk the queues in set->tag_list.
The lock is held by the second thread in the bottom stack which is
waiting for one of queues to be frozen. The queue usage counter will
drop to zero after nvme_timeout() finishes, and this will not happen
because the thread will wait for this mutex forever.
Given that [un]quiescing queue is an operation that does not need to
sleep, update blk_mq_[un]quiesce_tagset() to use RCU instead of taking
set->tag_list_lock, update blk_mq_{add,del}_queue_tag_set() to use RCU
safe list operations. Also, delete INIT_LIST_HEAD(&q->tag_set_list)
in blk_mq_del_queue_tag_set() because we can not re-initialize it while
the list is being traversed under RCU. The deleted queue will not be
added/deleted to/from a tagset and it will be freed in blk_free_queue()
after the end of RCU grace period.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
98d81f0df70ce6fc48517d938026e3c684b9051a , < 3baeec23a82e7ee9691f434c6ab0ab1387326108
(git)
Affected: 98d81f0df70ce6fc48517d938026e3c684b9051a , < 6e8d363786765a81e35083e0909e076796468edf (git) Affected: 98d81f0df70ce6fc48517d938026e3c684b9051a , < ef0cd7b694928573f6569e61c14f5f059253162e (git) Affected: 98d81f0df70ce6fc48517d938026e3c684b9051a , < 59e25ef2b413c72da6686d431e7759302cfccafa (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/blk-mq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3baeec23a82e7ee9691f434c6ab0ab1387326108",
"status": "affected",
"version": "98d81f0df70ce6fc48517d938026e3c684b9051a",
"versionType": "git"
},
{
"lessThan": "6e8d363786765a81e35083e0909e076796468edf",
"status": "affected",
"version": "98d81f0df70ce6fc48517d938026e3c684b9051a",
"versionType": "git"
},
{
"lessThan": "ef0cd7b694928573f6569e61c14f5f059253162e",
"status": "affected",
"version": "98d81f0df70ce6fc48517d938026e3c684b9051a",
"versionType": "git"
},
{
"lessThan": "59e25ef2b413c72da6686d431e7759302cfccafa",
"status": "affected",
"version": "98d81f0df70ce6fc48517d938026e3c684b9051a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/blk-mq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: Use RCU in blk_mq_[un]quiesce_tagset() instead of set-\u003etag_list_lock\n\nblk_mq_{add,del}_queue_tag_set() functions add and remove queues from\ntagset, the functions make sure that tagset and queues are marked as\nshared when two or more queues are attached to the same tagset.\nInitially a tagset starts as unshared and when the number of added\nqueues reaches two, blk_mq_add_queue_tag_set() marks it as shared along\nwith all the queues attached to it. When the number of attached queues\ndrops to 1 blk_mq_del_queue_tag_set() need to mark both the tagset and\nthe remaining queues as unshared.\n\nBoth functions need to freeze current queues in tagset before setting on\nunsetting BLK_MQ_F_TAG_QUEUE_SHARED flag. While doing so, both functions\nhold set-\u003etag_list_lock mutex, which makes sense as we do not want\nqueues to be added or deleted in the process. This used to work fine\nuntil commit 98d81f0df70c (\"nvme: use blk_mq_[un]quiesce_tagset\")\nmade the nvme driver quiesce tagset instead of quiscing individual\nqueues. blk_mq_quiesce_tagset() does the job and quiesce the queues in\nset-\u003etag_list while holding set-\u003etag_list_lock also.\n\nThis results in deadlock between two threads with these stacktraces:\n\n __schedule+0x47c/0xbb0\n ? timerqueue_add+0x66/0xb0\n schedule+0x1c/0xa0\n schedule_preempt_disabled+0xa/0x10\n __mutex_lock.constprop.0+0x271/0x600\n blk_mq_quiesce_tagset+0x25/0xc0\n nvme_dev_disable+0x9c/0x250\n nvme_timeout+0x1fc/0x520\n blk_mq_handle_expired+0x5c/0x90\n bt_iter+0x7e/0x90\n blk_mq_queue_tag_busy_iter+0x27e/0x550\n ? __blk_mq_complete_request_remote+0x10/0x10\n ? __blk_mq_complete_request_remote+0x10/0x10\n ? __call_rcu_common.constprop.0+0x1c0/0x210\n blk_mq_timeout_work+0x12d/0x170\n process_one_work+0x12e/0x2d0\n worker_thread+0x288/0x3a0\n ? rescuer_thread+0x480/0x480\n kthread+0xb8/0xe0\n ? kthread_park+0x80/0x80\n ret_from_fork+0x2d/0x50\n ? kthread_park+0x80/0x80\n ret_from_fork_asm+0x11/0x20\n\n __schedule+0x47c/0xbb0\n ? xas_find+0x161/0x1a0\n schedule+0x1c/0xa0\n blk_mq_freeze_queue_wait+0x3d/0x70\n ? destroy_sched_domains_rcu+0x30/0x30\n blk_mq_update_tag_set_shared+0x44/0x80\n blk_mq_exit_queue+0x141/0x150\n del_gendisk+0x25a/0x2d0\n nvme_ns_remove+0xc9/0x170\n nvme_remove_namespaces+0xc7/0x100\n nvme_remove+0x62/0x150\n pci_device_remove+0x23/0x60\n device_release_driver_internal+0x159/0x200\n unbind_store+0x99/0xa0\n kernfs_fop_write_iter+0x112/0x1e0\n vfs_write+0x2b1/0x3d0\n ksys_write+0x4e/0xb0\n do_syscall_64+0x5b/0x160\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\nThe top stacktrace is showing nvme_timeout() called to handle nvme\ncommand timeout. timeout handler is trying to disable the controller and\nas a first step, it needs to blk_mq_quiesce_tagset() to tell blk-mq not\nto call queue callback handlers. The thread is stuck waiting for\nset-\u003etag_list_lock as it tries to walk the queues in set-\u003etag_list.\n\nThe lock is held by the second thread in the bottom stack which is\nwaiting for one of queues to be frozen. The queue usage counter will\ndrop to zero after nvme_timeout() finishes, and this will not happen\nbecause the thread will wait for this mutex forever.\n\nGiven that [un]quiescing queue is an operation that does not need to\nsleep, update blk_mq_[un]quiesce_tagset() to use RCU instead of taking\nset-\u003etag_list_lock, update blk_mq_{add,del}_queue_tag_set() to use RCU\nsafe list operations. Also, delete INIT_LIST_HEAD(\u0026q-\u003etag_set_list)\nin blk_mq_del_queue_tag_set() because we can not re-initialize it while\nthe list is being traversed under RCU. The deleted queue will not be\nadded/deleted to/from a tagset and it will be freed in blk_free_queue()\nafter the end of RCU grace period."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T09:32:29.824Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3baeec23a82e7ee9691f434c6ab0ab1387326108"
},
{
"url": "https://git.kernel.org/stable/c/6e8d363786765a81e35083e0909e076796468edf"
},
{
"url": "https://git.kernel.org/stable/c/ef0cd7b694928573f6569e61c14f5f059253162e"
},
{
"url": "https://git.kernel.org/stable/c/59e25ef2b413c72da6686d431e7759302cfccafa"
}
],
"title": "block: Use RCU in blk_mq_[un]quiesce_tagset() instead of set-\u003etag_list_lock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68756",
"datePublished": "2026-01-05T09:32:29.824Z",
"dateReserved": "2025-12-24T10:30:51.033Z",
"dateUpdated": "2026-01-05T09:32:29.824Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68753 (GCVE-0-2025-68753)
Vulnerability from cvelistv5 – Published: 2026-01-05 09:32 – Updated: 2026-01-05 09:32
VLAI?
Title
ALSA: firewire-motu: add bounds check in put_user loop for DSP events
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: firewire-motu: add bounds check in put_user loop for DSP events
In the DSP event handling code, a put_user() loop copies event data.
When the user buffer size is not aligned to 4 bytes, it could overwrite
beyond the buffer boundary.
Fix by adding a bounds check before put_user().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
634ec0b2906efd46f6f57977e172aa3470aca432 , < 0d71b3c2ed742f1ccb3b0b7a61afb90c0251093f
(git)
Affected: 634ec0b2906efd46f6f57977e172aa3470aca432 , < df692cf2b601a54b34edfdb9e683d67483aa8ce1 (git) Affected: 634ec0b2906efd46f6f57977e172aa3470aca432 , < 8f9e51cf2a2a43d0cd72d3dc0b5ccea3f639c187 (git) Affected: 634ec0b2906efd46f6f57977e172aa3470aca432 , < 298e753880b6ea99ac30df34959a7a03b0878eed (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/firewire/motu/motu-hwdep.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0d71b3c2ed742f1ccb3b0b7a61afb90c0251093f",
"status": "affected",
"version": "634ec0b2906efd46f6f57977e172aa3470aca432",
"versionType": "git"
},
{
"lessThan": "df692cf2b601a54b34edfdb9e683d67483aa8ce1",
"status": "affected",
"version": "634ec0b2906efd46f6f57977e172aa3470aca432",
"versionType": "git"
},
{
"lessThan": "8f9e51cf2a2a43d0cd72d3dc0b5ccea3f639c187",
"status": "affected",
"version": "634ec0b2906efd46f6f57977e172aa3470aca432",
"versionType": "git"
},
{
"lessThan": "298e753880b6ea99ac30df34959a7a03b0878eed",
"status": "affected",
"version": "634ec0b2906efd46f6f57977e172aa3470aca432",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/firewire/motu/motu-hwdep.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: firewire-motu: add bounds check in put_user loop for DSP events\n\nIn the DSP event handling code, a put_user() loop copies event data.\nWhen the user buffer size is not aligned to 4 bytes, it could overwrite\nbeyond the buffer boundary.\n\nFix by adding a bounds check before put_user()."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T09:32:27.029Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0d71b3c2ed742f1ccb3b0b7a61afb90c0251093f"
},
{
"url": "https://git.kernel.org/stable/c/df692cf2b601a54b34edfdb9e683d67483aa8ce1"
},
{
"url": "https://git.kernel.org/stable/c/8f9e51cf2a2a43d0cd72d3dc0b5ccea3f639c187"
},
{
"url": "https://git.kernel.org/stable/c/298e753880b6ea99ac30df34959a7a03b0878eed"
}
],
"title": "ALSA: firewire-motu: add bounds check in put_user loop for DSP events",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68753",
"datePublished": "2026-01-05T09:32:27.029Z",
"dateReserved": "2025-12-24T10:30:51.033Z",
"dateUpdated": "2026-01-05T09:32:27.029Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68754 (GCVE-0-2025-68754)
Vulnerability from cvelistv5 – Published: 2026-01-05 09:32 – Updated: 2026-01-05 09:32
VLAI?
Title
rtc: amlogic-a4: fix double free caused by devm
Summary
In the Linux kernel, the following vulnerability has been resolved:
rtc: amlogic-a4: fix double free caused by devm
The clock obtained via devm_clk_get_enabled() is automatically managed
by devres and will be disabled and freed on driver detach. Manually
calling clk_disable_unprepare() in error path and remove function
causes double free.
Remove the redundant clk_disable_unprepare() calls from the probe
error path and aml_rtc_remove(), allowing the devm framework to
automatically manage the clock lifecycle.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
c89ac9182ee297597f1c6971045382bae19c3f9d , < 9fed02c16488050cd4e33e045506336b216d7301
(git)
Affected: c89ac9182ee297597f1c6971045382bae19c3f9d , < 2e1c79299036614ac32b251d145fad5391f4bcab (git) Affected: c89ac9182ee297597f1c6971045382bae19c3f9d , < 384150d7a5b60c1086790a8ee07b0629f906cca2 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/rtc/rtc-amlogic-a4.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9fed02c16488050cd4e33e045506336b216d7301",
"status": "affected",
"version": "c89ac9182ee297597f1c6971045382bae19c3f9d",
"versionType": "git"
},
{
"lessThan": "2e1c79299036614ac32b251d145fad5391f4bcab",
"status": "affected",
"version": "c89ac9182ee297597f1c6971045382bae19c3f9d",
"versionType": "git"
},
{
"lessThan": "384150d7a5b60c1086790a8ee07b0629f906cca2",
"status": "affected",
"version": "c89ac9182ee297597f1c6971045382bae19c3f9d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/rtc/rtc-amlogic-a4.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.13"
},
{
"lessThan": "6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "6.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrtc: amlogic-a4: fix double free caused by devm\n\nThe clock obtained via devm_clk_get_enabled() is automatically managed\nby devres and will be disabled and freed on driver detach. Manually\ncalling clk_disable_unprepare() in error path and remove function\ncauses double free.\n\nRemove the redundant clk_disable_unprepare() calls from the probe\nerror path and aml_rtc_remove(), allowing the devm framework to\nautomatically manage the clock lifecycle."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T09:32:27.788Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9fed02c16488050cd4e33e045506336b216d7301"
},
{
"url": "https://git.kernel.org/stable/c/2e1c79299036614ac32b251d145fad5391f4bcab"
},
{
"url": "https://git.kernel.org/stable/c/384150d7a5b60c1086790a8ee07b0629f906cca2"
}
],
"title": "rtc: amlogic-a4: fix double free caused by devm",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68754",
"datePublished": "2026-01-05T09:32:27.788Z",
"dateReserved": "2025-12-24T10:30:51.033Z",
"dateUpdated": "2026-01-05T09:32:27.788Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68752 (GCVE-0-2025-68752)
Vulnerability from cvelistv5 – Published: 2026-01-05 09:32 – Updated: 2026-01-05 09:32
VLAI?
Title
iavf: Implement settime64 with -EOPNOTSUPP
Summary
In the Linux kernel, the following vulnerability has been resolved:
iavf: Implement settime64 with -EOPNOTSUPP
ptp_clock_settime() assumes every ptp_clock has implemented settime64().
Stub it with -EOPNOTSUPP to prevent a NULL dereference.
The fix is similar to commit 329d050bbe63 ("gve: Implement settime64
with -EOPNOTSUPP").
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
d734223b2f0dc4f5826204ee628ad6273148223d , < 9e3dbc3bb2e2aa728b49422b2e5344488f93f690
(git)
Affected: d734223b2f0dc4f5826204ee628ad6273148223d , < 6d080f810ffd6b8e002ce5bee8b9c551ca2535c2 (git) Affected: d734223b2f0dc4f5826204ee628ad6273148223d , < 1e43ebcd5152b3e681a334cc6542fb21770c3a2e (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/iavf/iavf_ptp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9e3dbc3bb2e2aa728b49422b2e5344488f93f690",
"status": "affected",
"version": "d734223b2f0dc4f5826204ee628ad6273148223d",
"versionType": "git"
},
{
"lessThan": "6d080f810ffd6b8e002ce5bee8b9c551ca2535c2",
"status": "affected",
"version": "d734223b2f0dc4f5826204ee628ad6273148223d",
"versionType": "git"
},
{
"lessThan": "1e43ebcd5152b3e681a334cc6542fb21770c3a2e",
"status": "affected",
"version": "d734223b2f0dc4f5826204ee628ad6273148223d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/iavf/iavf_ptp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.15"
},
{
"lessThan": "6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "6.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niavf: Implement settime64 with -EOPNOTSUPP\n\nptp_clock_settime() assumes every ptp_clock has implemented settime64().\nStub it with -EOPNOTSUPP to prevent a NULL dereference.\n\nThe fix is similar to commit 329d050bbe63 (\"gve: Implement settime64\nwith -EOPNOTSUPP\")."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T09:32:26.308Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9e3dbc3bb2e2aa728b49422b2e5344488f93f690"
},
{
"url": "https://git.kernel.org/stable/c/6d080f810ffd6b8e002ce5bee8b9c551ca2535c2"
},
{
"url": "https://git.kernel.org/stable/c/1e43ebcd5152b3e681a334cc6542fb21770c3a2e"
}
],
"title": "iavf: Implement settime64 with -EOPNOTSUPP",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68752",
"datePublished": "2026-01-05T09:32:26.308Z",
"dateReserved": "2025-12-24T10:30:51.033Z",
"dateUpdated": "2026-01-05T09:32:26.308Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68751 (GCVE-0-2025-68751)
Vulnerability from cvelistv5 – Published: 2026-01-05 09:32 – Updated: 2026-01-05 09:32
VLAI?
Title
s390/fpu: Fix false-positive kmsan report in fpu_vstl()
Summary
In the Linux kernel, the following vulnerability has been resolved:
s390/fpu: Fix false-positive kmsan report in fpu_vstl()
A false-positive kmsan report is detected when running ping command.
An inline assembly instruction 'vstl' can write varied amount of bytes
depending on value of 'index' argument. If 'index' > 0, 'vstl' writes
at least 2 bytes.
clang generates kmsan write helper call depending on inline assembly
constraints. Constraints are evaluated compile-time, but value of
'index' argument is known only at runtime.
clang currently generates call to __msan_instrument_asm_store with 1 byte
as size. Manually call kmsan function to indicate correct amount of bytes
written and fix false-positive report.
This change fixes following kmsan reports:
[ 36.563119] =====================================================
[ 36.563594] BUG: KMSAN: uninit-value in virtqueue_add+0x35c6/0x7c70
[ 36.563852] virtqueue_add+0x35c6/0x7c70
[ 36.564016] virtqueue_add_outbuf+0xa0/0xb0
[ 36.564266] start_xmit+0x288c/0x4a20
[ 36.564460] dev_hard_start_xmit+0x302/0x900
[ 36.564649] sch_direct_xmit+0x340/0xea0
[ 36.564894] __dev_queue_xmit+0x2e94/0x59b0
[ 36.565058] neigh_resolve_output+0x936/0xb40
[ 36.565278] __neigh_update+0x2f66/0x3a60
[ 36.565499] neigh_update+0x52/0x60
[ 36.565683] arp_process+0x1588/0x2de0
[ 36.565916] NF_HOOK+0x1da/0x240
[ 36.566087] arp_rcv+0x3e4/0x6e0
[ 36.566306] __netif_receive_skb_list_core+0x1374/0x15a0
[ 36.566527] netif_receive_skb_list_internal+0x1116/0x17d0
[ 36.566710] napi_complete_done+0x376/0x740
[ 36.566918] virtnet_poll+0x1bae/0x2910
[ 36.567130] __napi_poll+0xf4/0x830
[ 36.567294] net_rx_action+0x97c/0x1ed0
[ 36.567556] handle_softirqs+0x306/0xe10
[ 36.567731] irq_exit_rcu+0x14c/0x2e0
[ 36.567910] do_io_irq+0xd4/0x120
[ 36.568139] io_int_handler+0xc2/0xe8
[ 36.568299] arch_cpu_idle+0xb0/0xc0
[ 36.568540] arch_cpu_idle+0x76/0xc0
[ 36.568726] default_idle_call+0x40/0x70
[ 36.568953] do_idle+0x1d6/0x390
[ 36.569486] cpu_startup_entry+0x9a/0xb0
[ 36.569745] rest_init+0x1ea/0x290
[ 36.570029] start_kernel+0x95e/0xb90
[ 36.570348] startup_continue+0x2e/0x40
[ 36.570703]
[ 36.570798] Uninit was created at:
[ 36.571002] kmem_cache_alloc_node_noprof+0x9e8/0x10e0
[ 36.571261] kmalloc_reserve+0x12a/0x470
[ 36.571553] __alloc_skb+0x310/0x860
[ 36.571844] __ip_append_data+0x483e/0x6a30
[ 36.572170] ip_append_data+0x11c/0x1e0
[ 36.572477] raw_sendmsg+0x1c8c/0x2180
[ 36.572818] inet_sendmsg+0xe6/0x190
[ 36.573142] __sys_sendto+0x55e/0x8e0
[ 36.573392] __s390x_sys_socketcall+0x19ae/0x2ba0
[ 36.573571] __do_syscall+0x12e/0x240
[ 36.573823] system_call+0x6e/0x90
[ 36.573976]
[ 36.574017] Byte 35 of 98 is uninitialized
[ 36.574082] Memory access of size 98 starts at 0000000007aa0012
[ 36.574218]
[ 36.574325] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G B N 6.17.0-dirty #16 NONE
[ 36.574541] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 36.574617] Hardware name: IBM 3931 A01 703 (KVM/Linux)
[ 36.574755] =====================================================
[ 63.532541] =====================================================
[ 63.533639] BUG: KMSAN: uninit-value in virtqueue_add+0x35c6/0x7c70
[ 63.533989] virtqueue_add+0x35c6/0x7c70
[ 63.534940] virtqueue_add_outbuf+0xa0/0xb0
[ 63.535861] start_xmit+0x288c/0x4a20
[ 63.536708] dev_hard_start_xmit+0x302/0x900
[ 63.537020] sch_direct_xmit+0x340/0xea0
[ 63.537997] __dev_queue_xmit+0x2e94/0x59b0
[ 63.538819] neigh_resolve_output+0x936/0xb40
[ 63.539793] ip_finish_output2+0x1ee2/0x2200
[ 63.540784] __ip_finish_output+0x272/0x7a0
[ 63.541765] ip_finish_output+0x4e/0x5e0
[ 63.542791] ip_output+0x166/0x410
[ 63.543771] ip_push_pending_frames+0x1a2/0x470
[ 63.544753] raw_sendmsg+0x1f06/0x2180
[ 63.545033] inet_sendmsg+0xe6/0x190
[ 63.546006] __sys_sendto+0x55e/0x8e0
---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
dcd3e1de9d17dc43dfed87a9fc814b9dec508043 , < 946357a538bb47740635c25520924351d2d91544
(git)
Affected: dcd3e1de9d17dc43dfed87a9fc814b9dec508043 , < 13dcd6308cb8f67134ee5d5d762b2a66363c695b (git) Affected: dcd3e1de9d17dc43dfed87a9fc814b9dec508043 , < 14e4e4175b64dd9216b522f6ece8af6997d063b2 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/s390/include/asm/fpu-insn.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "946357a538bb47740635c25520924351d2d91544",
"status": "affected",
"version": "dcd3e1de9d17dc43dfed87a9fc814b9dec508043",
"versionType": "git"
},
{
"lessThan": "13dcd6308cb8f67134ee5d5d762b2a66363c695b",
"status": "affected",
"version": "dcd3e1de9d17dc43dfed87a9fc814b9dec508043",
"versionType": "git"
},
{
"lessThan": "14e4e4175b64dd9216b522f6ece8af6997d063b2",
"status": "affected",
"version": "dcd3e1de9d17dc43dfed87a9fc814b9dec508043",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/s390/include/asm/fpu-insn.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.9"
},
{
"lessThan": "6.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "6.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/fpu: Fix false-positive kmsan report in fpu_vstl()\n\nA false-positive kmsan report is detected when running ping command.\n\nAn inline assembly instruction \u0027vstl\u0027 can write varied amount of bytes\ndepending on value of \u0027index\u0027 argument. If \u0027index\u0027 \u003e 0, \u0027vstl\u0027 writes\nat least 2 bytes.\n\nclang generates kmsan write helper call depending on inline assembly\nconstraints. Constraints are evaluated compile-time, but value of\n\u0027index\u0027 argument is known only at runtime.\n\nclang currently generates call to __msan_instrument_asm_store with 1 byte\nas size. Manually call kmsan function to indicate correct amount of bytes\nwritten and fix false-positive report.\n\nThis change fixes following kmsan reports:\n\n[ 36.563119] =====================================================\n[ 36.563594] BUG: KMSAN: uninit-value in virtqueue_add+0x35c6/0x7c70\n[ 36.563852] virtqueue_add+0x35c6/0x7c70\n[ 36.564016] virtqueue_add_outbuf+0xa0/0xb0\n[ 36.564266] start_xmit+0x288c/0x4a20\n[ 36.564460] dev_hard_start_xmit+0x302/0x900\n[ 36.564649] sch_direct_xmit+0x340/0xea0\n[ 36.564894] __dev_queue_xmit+0x2e94/0x59b0\n[ 36.565058] neigh_resolve_output+0x936/0xb40\n[ 36.565278] __neigh_update+0x2f66/0x3a60\n[ 36.565499] neigh_update+0x52/0x60\n[ 36.565683] arp_process+0x1588/0x2de0\n[ 36.565916] NF_HOOK+0x1da/0x240\n[ 36.566087] arp_rcv+0x3e4/0x6e0\n[ 36.566306] __netif_receive_skb_list_core+0x1374/0x15a0\n[ 36.566527] netif_receive_skb_list_internal+0x1116/0x17d0\n[ 36.566710] napi_complete_done+0x376/0x740\n[ 36.566918] virtnet_poll+0x1bae/0x2910\n[ 36.567130] __napi_poll+0xf4/0x830\n[ 36.567294] net_rx_action+0x97c/0x1ed0\n[ 36.567556] handle_softirqs+0x306/0xe10\n[ 36.567731] irq_exit_rcu+0x14c/0x2e0\n[ 36.567910] do_io_irq+0xd4/0x120\n[ 36.568139] io_int_handler+0xc2/0xe8\n[ 36.568299] arch_cpu_idle+0xb0/0xc0\n[ 36.568540] arch_cpu_idle+0x76/0xc0\n[ 36.568726] default_idle_call+0x40/0x70\n[ 36.568953] do_idle+0x1d6/0x390\n[ 36.569486] cpu_startup_entry+0x9a/0xb0\n[ 36.569745] rest_init+0x1ea/0x290\n[ 36.570029] start_kernel+0x95e/0xb90\n[ 36.570348] startup_continue+0x2e/0x40\n[ 36.570703]\n[ 36.570798] Uninit was created at:\n[ 36.571002] kmem_cache_alloc_node_noprof+0x9e8/0x10e0\n[ 36.571261] kmalloc_reserve+0x12a/0x470\n[ 36.571553] __alloc_skb+0x310/0x860\n[ 36.571844] __ip_append_data+0x483e/0x6a30\n[ 36.572170] ip_append_data+0x11c/0x1e0\n[ 36.572477] raw_sendmsg+0x1c8c/0x2180\n[ 36.572818] inet_sendmsg+0xe6/0x190\n[ 36.573142] __sys_sendto+0x55e/0x8e0\n[ 36.573392] __s390x_sys_socketcall+0x19ae/0x2ba0\n[ 36.573571] __do_syscall+0x12e/0x240\n[ 36.573823] system_call+0x6e/0x90\n[ 36.573976]\n[ 36.574017] Byte 35 of 98 is uninitialized\n[ 36.574082] Memory access of size 98 starts at 0000000007aa0012\n[ 36.574218]\n[ 36.574325] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G B N 6.17.0-dirty #16 NONE\n[ 36.574541] Tainted: [B]=BAD_PAGE, [N]=TEST\n[ 36.574617] Hardware name: IBM 3931 A01 703 (KVM/Linux)\n[ 36.574755] =====================================================\n\n[ 63.532541] =====================================================\n[ 63.533639] BUG: KMSAN: uninit-value in virtqueue_add+0x35c6/0x7c70\n[ 63.533989] virtqueue_add+0x35c6/0x7c70\n[ 63.534940] virtqueue_add_outbuf+0xa0/0xb0\n[ 63.535861] start_xmit+0x288c/0x4a20\n[ 63.536708] dev_hard_start_xmit+0x302/0x900\n[ 63.537020] sch_direct_xmit+0x340/0xea0\n[ 63.537997] __dev_queue_xmit+0x2e94/0x59b0\n[ 63.538819] neigh_resolve_output+0x936/0xb40\n[ 63.539793] ip_finish_output2+0x1ee2/0x2200\n[ 63.540784] __ip_finish_output+0x272/0x7a0\n[ 63.541765] ip_finish_output+0x4e/0x5e0\n[ 63.542791] ip_output+0x166/0x410\n[ 63.543771] ip_push_pending_frames+0x1a2/0x470\n[ 63.544753] raw_sendmsg+0x1f06/0x2180\n[ 63.545033] inet_sendmsg+0xe6/0x190\n[ 63.546006] __sys_sendto+0x55e/0x8e0\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T09:32:25.534Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/946357a538bb47740635c25520924351d2d91544"
},
{
"url": "https://git.kernel.org/stable/c/13dcd6308cb8f67134ee5d5d762b2a66363c695b"
},
{
"url": "https://git.kernel.org/stable/c/14e4e4175b64dd9216b522f6ece8af6997d063b2"
}
],
"title": "s390/fpu: Fix false-positive kmsan report in fpu_vstl()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68751",
"datePublished": "2026-01-05T09:32:25.534Z",
"dateReserved": "2025-12-24T10:30:51.032Z",
"dateUpdated": "2026-01-05T09:32:25.534Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54325 (GCVE-0-2023-54325)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:37 – Updated: 2025-12-30 12:37
VLAI?
Title
crypto: qat - fix out-of-bounds read
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: qat - fix out-of-bounds read
When preparing an AER-CTR request, the driver copies the key provided by
the user into a data structure that is accessible by the firmware.
If the target device is QAT GEN4, the key size is rounded up by 16 since
a rounded up size is expected by the device.
If the key size is rounded up before the copy, the size used for copying
the key might be bigger than the size of the region containing the key,
causing an out-of-bounds read.
Fix by doing the copy first and then update the keylen.
This is to fix the following warning reported by KASAN:
[ 138.150574] BUG: KASAN: global-out-of-bounds in qat_alg_skcipher_init_com.isra.0+0x197/0x250 [intel_qat]
[ 138.150641] Read of size 32 at addr ffffffff88c402c0 by task cryptomgr_test/2340
[ 138.150651] CPU: 15 PID: 2340 Comm: cryptomgr_test Not tainted 6.2.0-rc1+ #45
[ 138.150659] Hardware name: Intel Corporation ArcherCity/ArcherCity, BIOS EGSDCRB1.86B.0087.D13.2208261706 08/26/2022
[ 138.150663] Call Trace:
[ 138.150668] <TASK>
[ 138.150922] kasan_check_range+0x13a/0x1c0
[ 138.150931] memcpy+0x1f/0x60
[ 138.150940] qat_alg_skcipher_init_com.isra.0+0x197/0x250 [intel_qat]
[ 138.151006] qat_alg_skcipher_init_sessions+0xc1/0x240 [intel_qat]
[ 138.151073] crypto_skcipher_setkey+0x82/0x160
[ 138.151085] ? prepare_keybuf+0xa2/0xd0
[ 138.151095] test_skcipher_vec_cfg+0x2b8/0x800
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
67916c9516893528ecce060ada1f58af0ce33d93 , < 7697139d5dfd491f4c495a914a1dd68f6e827a0f
(git)
Affected: 67916c9516893528ecce060ada1f58af0ce33d93 , < dc3809f390357c8992f0a23083da934a20fef9af (git) Affected: 67916c9516893528ecce060ada1f58af0ce33d93 , < 2b1501f058245573a3aa6bf234d205dde1196184 (git) Affected: 67916c9516893528ecce060ada1f58af0ce33d93 , < f6044cc3030e139f60c281386f28bda6e3049d66 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/crypto/qat/qat_common/qat_algs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7697139d5dfd491f4c495a914a1dd68f6e827a0f",
"status": "affected",
"version": "67916c9516893528ecce060ada1f58af0ce33d93",
"versionType": "git"
},
{
"lessThan": "dc3809f390357c8992f0a23083da934a20fef9af",
"status": "affected",
"version": "67916c9516893528ecce060ada1f58af0ce33d93",
"versionType": "git"
},
{
"lessThan": "2b1501f058245573a3aa6bf234d205dde1196184",
"status": "affected",
"version": "67916c9516893528ecce060ada1f58af0ce33d93",
"versionType": "git"
},
{
"lessThan": "f6044cc3030e139f60c281386f28bda6e3049d66",
"status": "affected",
"version": "67916c9516893528ecce060ada1f58af0ce33d93",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/crypto/qat/qat_common/qat_algs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: qat - fix out-of-bounds read\n\nWhen preparing an AER-CTR request, the driver copies the key provided by\nthe user into a data structure that is accessible by the firmware.\nIf the target device is QAT GEN4, the key size is rounded up by 16 since\na rounded up size is expected by the device.\nIf the key size is rounded up before the copy, the size used for copying\nthe key might be bigger than the size of the region containing the key,\ncausing an out-of-bounds read.\n\nFix by doing the copy first and then update the keylen.\n\nThis is to fix the following warning reported by KASAN:\n\n\t[ 138.150574] BUG: KASAN: global-out-of-bounds in qat_alg_skcipher_init_com.isra.0+0x197/0x250 [intel_qat]\n\t[ 138.150641] Read of size 32 at addr ffffffff88c402c0 by task cryptomgr_test/2340\n\n\t[ 138.150651] CPU: 15 PID: 2340 Comm: cryptomgr_test Not tainted 6.2.0-rc1+ #45\n\t[ 138.150659] Hardware name: Intel Corporation ArcherCity/ArcherCity, BIOS EGSDCRB1.86B.0087.D13.2208261706 08/26/2022\n\t[ 138.150663] Call Trace:\n\t[ 138.150668] \u003cTASK\u003e\n\t[ 138.150922] kasan_check_range+0x13a/0x1c0\n\t[ 138.150931] memcpy+0x1f/0x60\n\t[ 138.150940] qat_alg_skcipher_init_com.isra.0+0x197/0x250 [intel_qat]\n\t[ 138.151006] qat_alg_skcipher_init_sessions+0xc1/0x240 [intel_qat]\n\t[ 138.151073] crypto_skcipher_setkey+0x82/0x160\n\t[ 138.151085] ? prepare_keybuf+0xa2/0xd0\n\t[ 138.151095] test_skcipher_vec_cfg+0x2b8/0x800"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:37:09.015Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7697139d5dfd491f4c495a914a1dd68f6e827a0f"
},
{
"url": "https://git.kernel.org/stable/c/dc3809f390357c8992f0a23083da934a20fef9af"
},
{
"url": "https://git.kernel.org/stable/c/2b1501f058245573a3aa6bf234d205dde1196184"
},
{
"url": "https://git.kernel.org/stable/c/f6044cc3030e139f60c281386f28bda6e3049d66"
}
],
"title": "crypto: qat - fix out-of-bounds read",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54325",
"datePublished": "2025-12-30T12:37:09.015Z",
"dateReserved": "2025-12-30T12:35:56.209Z",
"dateUpdated": "2025-12-30T12:37:09.015Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54326 (GCVE-0-2023-54326)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:37 – Updated: 2025-12-30 12:37
VLAI?
Title
misc: pci_endpoint_test: Free IRQs before removing the device
Summary
In the Linux kernel, the following vulnerability has been resolved:
misc: pci_endpoint_test: Free IRQs before removing the device
In pci_endpoint_test_remove(), freeing the IRQs after removing the device
creates a small race window for IRQs to be received with the test device
memory already released, causing the IRQ handler to access invalid memory,
resulting in an oops.
Free the device IRQs before removing the device to avoid this issue.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
e03327122e2c8e6ae4565ef5b3d3cbe4364546a1 , < fb7f8bdb886f2ebf35ee5edaf2bf5f02b063ddb7
(git)
Affected: e03327122e2c8e6ae4565ef5b3d3cbe4364546a1 , < dd2210379205fcd23a9d8869b0cef90e3770577c (git) Affected: e03327122e2c8e6ae4565ef5b3d3cbe4364546a1 , < cdf9a7e2cdc7a5464e3cc6d0b715ba2b1d215521 (git) Affected: e03327122e2c8e6ae4565ef5b3d3cbe4364546a1 , < 14bdee38e96c7d37ca15e7bea50411eee25fe315 (git) Affected: e03327122e2c8e6ae4565ef5b3d3cbe4364546a1 , < c2dba13bc0c62b79a3cbe4bfe5faa32231bf9b55 (git) Affected: e03327122e2c8e6ae4565ef5b3d3cbe4364546a1 , < 38d12bcf4e2ce3d285eb29644a79a54f42040fab (git) Affected: e03327122e2c8e6ae4565ef5b3d3cbe4364546a1 , < f61b7634a3249d12b9daa36ffbdb9965b6f24c6c (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/misc/pci_endpoint_test.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fb7f8bdb886f2ebf35ee5edaf2bf5f02b063ddb7",
"status": "affected",
"version": "e03327122e2c8e6ae4565ef5b3d3cbe4364546a1",
"versionType": "git"
},
{
"lessThan": "dd2210379205fcd23a9d8869b0cef90e3770577c",
"status": "affected",
"version": "e03327122e2c8e6ae4565ef5b3d3cbe4364546a1",
"versionType": "git"
},
{
"lessThan": "cdf9a7e2cdc7a5464e3cc6d0b715ba2b1d215521",
"status": "affected",
"version": "e03327122e2c8e6ae4565ef5b3d3cbe4364546a1",
"versionType": "git"
},
{
"lessThan": "14bdee38e96c7d37ca15e7bea50411eee25fe315",
"status": "affected",
"version": "e03327122e2c8e6ae4565ef5b3d3cbe4364546a1",
"versionType": "git"
},
{
"lessThan": "c2dba13bc0c62b79a3cbe4bfe5faa32231bf9b55",
"status": "affected",
"version": "e03327122e2c8e6ae4565ef5b3d3cbe4364546a1",
"versionType": "git"
},
{
"lessThan": "38d12bcf4e2ce3d285eb29644a79a54f42040fab",
"status": "affected",
"version": "e03327122e2c8e6ae4565ef5b3d3cbe4364546a1",
"versionType": "git"
},
{
"lessThan": "f61b7634a3249d12b9daa36ffbdb9965b6f24c6c",
"status": "affected",
"version": "e03327122e2c8e6ae4565ef5b3d3cbe4364546a1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/misc/pci_endpoint_test.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.291",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.40",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.5",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: pci_endpoint_test: Free IRQs before removing the device\n\nIn pci_endpoint_test_remove(), freeing the IRQs after removing the device\ncreates a small race window for IRQs to be received with the test device\nmemory already released, causing the IRQ handler to access invalid memory,\nresulting in an oops.\n\nFree the device IRQs before removing the device to avoid this issue."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:37:09.698Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fb7f8bdb886f2ebf35ee5edaf2bf5f02b063ddb7"
},
{
"url": "https://git.kernel.org/stable/c/dd2210379205fcd23a9d8869b0cef90e3770577c"
},
{
"url": "https://git.kernel.org/stable/c/cdf9a7e2cdc7a5464e3cc6d0b715ba2b1d215521"
},
{
"url": "https://git.kernel.org/stable/c/14bdee38e96c7d37ca15e7bea50411eee25fe315"
},
{
"url": "https://git.kernel.org/stable/c/c2dba13bc0c62b79a3cbe4bfe5faa32231bf9b55"
},
{
"url": "https://git.kernel.org/stable/c/38d12bcf4e2ce3d285eb29644a79a54f42040fab"
},
{
"url": "https://git.kernel.org/stable/c/f61b7634a3249d12b9daa36ffbdb9965b6f24c6c"
}
],
"title": "misc: pci_endpoint_test: Free IRQs before removing the device",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54326",
"datePublished": "2025-12-30T12:37:09.698Z",
"dateReserved": "2025-12-30T12:35:56.209Z",
"dateUpdated": "2025-12-30T12:37:09.698Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54324 (GCVE-0-2023-54324)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:37 – Updated: 2026-01-05 11:37
VLAI?
Title
dm: fix a race condition in retrieve_deps
Summary
In the Linux kernel, the following vulnerability has been resolved:
dm: fix a race condition in retrieve_deps
There's a race condition in the multipath target when retrieve_deps
races with multipath_message calling dm_get_device and dm_put_device.
retrieve_deps walks the list of open devices without holding any lock
but multipath may add or remove devices to the list while it is
running. The end result may be memory corruption or use-after-free
memory access.
See this description of a UAF with multipath_message():
https://listman.redhat.com/archives/dm-devel/2022-October/052373.html
Fix this bug by introducing a new rw semaphore "devices_lock". We grab
devices_lock for read in retrieve_deps and we grab it for write in
dm_get_device and dm_put_device.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < dbf1a719850577bb51fc7512a3972994b797a17b
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 38f6e5ae5d9ff4a4050ea6f7b543d5d5a4e087cf (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f6007dce0cd35d634d9be91ef3515a6385dcee16 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-core.h",
"drivers/md/dm-ioctl.c",
"drivers/md/dm-table.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dbf1a719850577bb51fc7512a3972994b797a17b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "38f6e5ae5d9ff4a4050ea6f7b543d5d5a4e087cf",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f6007dce0cd35d634d9be91ef3515a6385dcee16",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-core.h",
"drivers/md/dm-ioctl.c",
"drivers/md/dm-table.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.56",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.5",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm: fix a race condition in retrieve_deps\n\nThere\u0027s a race condition in the multipath target when retrieve_deps\nraces with multipath_message calling dm_get_device and dm_put_device.\nretrieve_deps walks the list of open devices without holding any lock\nbut multipath may add or remove devices to the list while it is\nrunning. The end result may be memory corruption or use-after-free\nmemory access.\n\nSee this description of a UAF with multipath_message():\nhttps://listman.redhat.com/archives/dm-devel/2022-October/052373.html\n\nFix this bug by introducing a new rw semaphore \"devices_lock\". We grab\ndevices_lock for read in retrieve_deps and we grab it for write in\ndm_get_device and dm_put_device."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T11:37:27.573Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dbf1a719850577bb51fc7512a3972994b797a17b"
},
{
"url": "https://git.kernel.org/stable/c/38f6e5ae5d9ff4a4050ea6f7b543d5d5a4e087cf"
},
{
"url": "https://git.kernel.org/stable/c/f6007dce0cd35d634d9be91ef3515a6385dcee16"
}
],
"title": "dm: fix a race condition in retrieve_deps",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54324",
"datePublished": "2025-12-30T12:37:08.337Z",
"dateReserved": "2025-12-30T12:35:56.209Z",
"dateUpdated": "2026-01-05T11:37:27.573Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54323 (GCVE-0-2023-54323)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:37 – Updated: 2025-12-30 12:37
VLAI?
Title
cxl/pmem: Fix nvdimm registration races
Summary
In the Linux kernel, the following vulnerability has been resolved:
cxl/pmem: Fix nvdimm registration races
A loop of the form:
while true; do modprobe cxl_pci; modprobe -r cxl_pci; done
...fails with the following crash signature:
BUG: kernel NULL pointer dereference, address: 0000000000000040
[..]
RIP: 0010:cxl_internal_send_cmd+0x5/0xb0 [cxl_core]
[..]
Call Trace:
<TASK>
cxl_pmem_ctl+0x121/0x240 [cxl_pmem]
nvdimm_get_config_data+0xd6/0x1a0 [libnvdimm]
nd_label_data_init+0x135/0x7e0 [libnvdimm]
nvdimm_probe+0xd6/0x1c0 [libnvdimm]
nvdimm_bus_probe+0x7a/0x1e0 [libnvdimm]
really_probe+0xde/0x380
__driver_probe_device+0x78/0x170
driver_probe_device+0x1f/0x90
__device_attach_driver+0x85/0x110
bus_for_each_drv+0x7d/0xc0
__device_attach+0xb4/0x1e0
bus_probe_device+0x9f/0xc0
device_add+0x445/0x9c0
nd_async_device_register+0xe/0x40 [libnvdimm]
async_run_entry_fn+0x30/0x130
...namely that the bottom half of async nvdimm device registration runs
after the CXL has already torn down the context that cxl_pmem_ctl()
needs. Unlike the ACPI NFIT case that benefits from launching multiple
nvdimm device registrations in parallel from those listed in the table,
CXL is already marked PROBE_PREFER_ASYNCHRONOUS. So provide for a
synchronous registration path to preclude this scenario.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
21083f51521fb0f60dbac591f175c3ed48435af4 , < a371788d4f4a7f59eecd22644331d599979fd283
(git)
Affected: 21083f51521fb0f60dbac591f175c3ed48435af4 , < 18c65667fa9104780eeaa0dc1bc240f0c2094772 (git) Affected: 21083f51521fb0f60dbac591f175c3ed48435af4 , < f57aec443c24d2e8e1f3b5b4856aea12ddda4254 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/cxl/pmem.c",
"drivers/nvdimm/bus.c",
"drivers/nvdimm/dimm_devs.c",
"drivers/nvdimm/nd-core.h",
"include/linux/libnvdimm.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a371788d4f4a7f59eecd22644331d599979fd283",
"status": "affected",
"version": "21083f51521fb0f60dbac591f175c3ed48435af4",
"versionType": "git"
},
{
"lessThan": "18c65667fa9104780eeaa0dc1bc240f0c2094772",
"status": "affected",
"version": "21083f51521fb0f60dbac591f175c3ed48435af4",
"versionType": "git"
},
{
"lessThan": "f57aec443c24d2e8e1f3b5b4856aea12ddda4254",
"status": "affected",
"version": "21083f51521fb0f60dbac591f175c3ed48435af4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/cxl/pmem.c",
"drivers/nvdimm/bus.c",
"drivers/nvdimm/dimm_devs.c",
"drivers/nvdimm/nd-core.h",
"include/linux/libnvdimm.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl/pmem: Fix nvdimm registration races\n\nA loop of the form:\n\n while true; do modprobe cxl_pci; modprobe -r cxl_pci; done\n\n...fails with the following crash signature:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000040\n [..]\n RIP: 0010:cxl_internal_send_cmd+0x5/0xb0 [cxl_core]\n [..]\n Call Trace:\n \u003cTASK\u003e\n cxl_pmem_ctl+0x121/0x240 [cxl_pmem]\n nvdimm_get_config_data+0xd6/0x1a0 [libnvdimm]\n nd_label_data_init+0x135/0x7e0 [libnvdimm]\n nvdimm_probe+0xd6/0x1c0 [libnvdimm]\n nvdimm_bus_probe+0x7a/0x1e0 [libnvdimm]\n really_probe+0xde/0x380\n __driver_probe_device+0x78/0x170\n driver_probe_device+0x1f/0x90\n __device_attach_driver+0x85/0x110\n bus_for_each_drv+0x7d/0xc0\n __device_attach+0xb4/0x1e0\n bus_probe_device+0x9f/0xc0\n device_add+0x445/0x9c0\n nd_async_device_register+0xe/0x40 [libnvdimm]\n async_run_entry_fn+0x30/0x130\n\n...namely that the bottom half of async nvdimm device registration runs\nafter the CXL has already torn down the context that cxl_pmem_ctl()\nneeds. Unlike the ACPI NFIT case that benefits from launching multiple\nnvdimm device registrations in parallel from those listed in the table,\nCXL is already marked PROBE_PREFER_ASYNCHRONOUS. So provide for a\nsynchronous registration path to preclude this scenario."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:37:07.656Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a371788d4f4a7f59eecd22644331d599979fd283"
},
{
"url": "https://git.kernel.org/stable/c/18c65667fa9104780eeaa0dc1bc240f0c2094772"
},
{
"url": "https://git.kernel.org/stable/c/f57aec443c24d2e8e1f3b5b4856aea12ddda4254"
}
],
"title": "cxl/pmem: Fix nvdimm registration races",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54323",
"datePublished": "2025-12-30T12:37:07.656Z",
"dateReserved": "2025-12-30T12:35:56.209Z",
"dateUpdated": "2025-12-30T12:37:07.656Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50889 (GCVE-0-2022-50889)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:37 – Updated: 2025-12-30 12:37
VLAI?
Title
dm integrity: Fix UAF in dm_integrity_dtr()
Summary
In the Linux kernel, the following vulnerability has been resolved:
dm integrity: Fix UAF in dm_integrity_dtr()
Dm_integrity also has the same UAF problem when dm_resume()
and dm_destroy() are concurrent.
Therefore, cancelling timer again in dm_integrity_dtr().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
7eada909bfd7ac90a4522e56aa3179d1fd68cd14 , < 792e51aac376cfb5bd527c2a30826223b82dd177
(git)
Affected: 7eada909bfd7ac90a4522e56aa3179d1fd68cd14 , < a506b5c92757b034034ef683e667bffc456c600b (git) Affected: 7eada909bfd7ac90a4522e56aa3179d1fd68cd14 , < 9215b25f2e105032114e9b92c9783a2a84ee8af9 (git) Affected: 7eada909bfd7ac90a4522e56aa3179d1fd68cd14 , < 9f8e1e54a3a424c6c4fb8742e094789d3ec91e42 (git) Affected: 7eada909bfd7ac90a4522e56aa3179d1fd68cd14 , < b6c93cd61afab061d80cc842333abca97b289774 (git) Affected: 7eada909bfd7ac90a4522e56aa3179d1fd68cd14 , < f50cb2cbabd6c4a60add93d72451728f86e4791c (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-integrity.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "792e51aac376cfb5bd527c2a30826223b82dd177",
"status": "affected",
"version": "7eada909bfd7ac90a4522e56aa3179d1fd68cd14",
"versionType": "git"
},
{
"lessThan": "a506b5c92757b034034ef683e667bffc456c600b",
"status": "affected",
"version": "7eada909bfd7ac90a4522e56aa3179d1fd68cd14",
"versionType": "git"
},
{
"lessThan": "9215b25f2e105032114e9b92c9783a2a84ee8af9",
"status": "affected",
"version": "7eada909bfd7ac90a4522e56aa3179d1fd68cd14",
"versionType": "git"
},
{
"lessThan": "9f8e1e54a3a424c6c4fb8742e094789d3ec91e42",
"status": "affected",
"version": "7eada909bfd7ac90a4522e56aa3179d1fd68cd14",
"versionType": "git"
},
{
"lessThan": "b6c93cd61afab061d80cc842333abca97b289774",
"status": "affected",
"version": "7eada909bfd7ac90a4522e56aa3179d1fd68cd14",
"versionType": "git"
},
{
"lessThan": "f50cb2cbabd6c4a60add93d72451728f86e4791c",
"status": "affected",
"version": "7eada909bfd7ac90a4522e56aa3179d1fd68cd14",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-integrity.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.87",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.18",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.4",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm integrity: Fix UAF in dm_integrity_dtr()\n\nDm_integrity also has the same UAF problem when dm_resume()\nand dm_destroy() are concurrent.\n\nTherefore, cancelling timer again in dm_integrity_dtr()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:37:06.957Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/792e51aac376cfb5bd527c2a30826223b82dd177"
},
{
"url": "https://git.kernel.org/stable/c/a506b5c92757b034034ef683e667bffc456c600b"
},
{
"url": "https://git.kernel.org/stable/c/9215b25f2e105032114e9b92c9783a2a84ee8af9"
},
{
"url": "https://git.kernel.org/stable/c/9f8e1e54a3a424c6c4fb8742e094789d3ec91e42"
},
{
"url": "https://git.kernel.org/stable/c/b6c93cd61afab061d80cc842333abca97b289774"
},
{
"url": "https://git.kernel.org/stable/c/f50cb2cbabd6c4a60add93d72451728f86e4791c"
}
],
"title": "dm integrity: Fix UAF in dm_integrity_dtr()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50889",
"datePublished": "2025-12-30T12:37:06.957Z",
"dateReserved": "2025-12-30T12:35:41.596Z",
"dateUpdated": "2025-12-30T12:37:06.957Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50888 (GCVE-0-2022-50888)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:37 – Updated: 2025-12-30 12:37
VLAI?
Title
remoteproc: qcom: q6v5: Fix potential null-ptr-deref in q6v5_wcss_init_mmio()
Summary
In the Linux kernel, the following vulnerability has been resolved:
remoteproc: qcom: q6v5: Fix potential null-ptr-deref in q6v5_wcss_init_mmio()
q6v5_wcss_init_mmio() will call platform_get_resource_byname() that may
fail and return NULL. devm_ioremap() will use res->start as input, which
may causes null-ptr-deref. Check the ret value of
platform_get_resource_byname() to avoid the null-ptr-deref.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
0af65b9b915e52019aee91db3e1f8b39a7ec8d08 , < 098ebb9089c4eedea09333f912d105fa63377496
(git)
Affected: 0af65b9b915e52019aee91db3e1f8b39a7ec8d08 , < 3afa88ae9911b65702a3aca9d92ea23fe496e56f (git) Affected: 0af65b9b915e52019aee91db3e1f8b39a7ec8d08 , < 0903a87490a9ed456ac765a84dcc484c1ee42c32 (git) Affected: 0af65b9b915e52019aee91db3e1f8b39a7ec8d08 , < f360e2b275efbb745ba0af8b47d9ef44221be586 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/remoteproc/qcom_q6v5_wcss.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "098ebb9089c4eedea09333f912d105fa63377496",
"status": "affected",
"version": "0af65b9b915e52019aee91db3e1f8b39a7ec8d08",
"versionType": "git"
},
{
"lessThan": "3afa88ae9911b65702a3aca9d92ea23fe496e56f",
"status": "affected",
"version": "0af65b9b915e52019aee91db3e1f8b39a7ec8d08",
"versionType": "git"
},
{
"lessThan": "0903a87490a9ed456ac765a84dcc484c1ee42c32",
"status": "affected",
"version": "0af65b9b915e52019aee91db3e1f8b39a7ec8d08",
"versionType": "git"
},
{
"lessThan": "f360e2b275efbb745ba0af8b47d9ef44221be586",
"status": "affected",
"version": "0af65b9b915e52019aee91db3e1f8b39a7ec8d08",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/remoteproc/qcom_q6v5_wcss.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nremoteproc: qcom: q6v5: Fix potential null-ptr-deref in q6v5_wcss_init_mmio()\n\nq6v5_wcss_init_mmio() will call platform_get_resource_byname() that may\nfail and return NULL. devm_ioremap() will use res-\u003estart as input, which\nmay causes null-ptr-deref. Check the ret value of\nplatform_get_resource_byname() to avoid the null-ptr-deref."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:37:06.269Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/098ebb9089c4eedea09333f912d105fa63377496"
},
{
"url": "https://git.kernel.org/stable/c/3afa88ae9911b65702a3aca9d92ea23fe496e56f"
},
{
"url": "https://git.kernel.org/stable/c/0903a87490a9ed456ac765a84dcc484c1ee42c32"
},
{
"url": "https://git.kernel.org/stable/c/f360e2b275efbb745ba0af8b47d9ef44221be586"
}
],
"title": "remoteproc: qcom: q6v5: Fix potential null-ptr-deref in q6v5_wcss_init_mmio()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50888",
"datePublished": "2025-12-30T12:37:06.269Z",
"dateReserved": "2025-12-30T12:35:41.595Z",
"dateUpdated": "2025-12-30T12:37:06.269Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50887 (GCVE-0-2022-50887)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:37 – Updated: 2025-12-30 12:37
VLAI?
Title
regulator: core: fix unbalanced of node refcount in regulator_dev_lookup()
Summary
In the Linux kernel, the following vulnerability has been resolved:
regulator: core: fix unbalanced of node refcount in regulator_dev_lookup()
I got the the following report:
OF: ERROR: memory leak, expected refcount 1 instead of 2,
of_node_get()/of_node_put() unbalanced - destroy cset entry:
attach overlay node /i2c/pmic@62/regulators/exten
In of_get_regulator(), the node is returned from of_parse_phandle()
with refcount incremented, after using it, of_node_put() need be called.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
69511a452e6dc6b74fe4f3671a51b1b44b9c57e3 , < 0e88505ac0a6ae97746bcdbd4b042ee9f20455ae
(git)
Affected: 69511a452e6dc6b74fe4f3671a51b1b44b9c57e3 , < 4dfcf5087db9a34a300d6b99009232d4537c3e6a (git) Affected: 69511a452e6dc6b74fe4f3671a51b1b44b9c57e3 , < 3ac888db0f67813d91373a9a61c840f815cd4ec9 (git) Affected: 69511a452e6dc6b74fe4f3671a51b1b44b9c57e3 , < d39937f8de641c44a337cec4a2e5d3e8add20a7d (git) Affected: 69511a452e6dc6b74fe4f3671a51b1b44b9c57e3 , < f48c474efe05cf9ce5e535b5e0ddd710e963936c (git) Affected: 69511a452e6dc6b74fe4f3671a51b1b44b9c57e3 , < cda1895f3b7f324ece1614308a815a3994983b97 (git) Affected: 69511a452e6dc6b74fe4f3671a51b1b44b9c57e3 , < 2b93c58adddd98812ad928bbc2063038f3df1ffd (git) Affected: 69511a452e6dc6b74fe4f3671a51b1b44b9c57e3 , < 2f98469c3141f8e42ba11075a273fb795bbad57f (git) Affected: 69511a452e6dc6b74fe4f3671a51b1b44b9c57e3 , < f2b41b748c19962b82709d9f23c6b2b0ce9d2f91 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/regulator/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0e88505ac0a6ae97746bcdbd4b042ee9f20455ae",
"status": "affected",
"version": "69511a452e6dc6b74fe4f3671a51b1b44b9c57e3",
"versionType": "git"
},
{
"lessThan": "4dfcf5087db9a34a300d6b99009232d4537c3e6a",
"status": "affected",
"version": "69511a452e6dc6b74fe4f3671a51b1b44b9c57e3",
"versionType": "git"
},
{
"lessThan": "3ac888db0f67813d91373a9a61c840f815cd4ec9",
"status": "affected",
"version": "69511a452e6dc6b74fe4f3671a51b1b44b9c57e3",
"versionType": "git"
},
{
"lessThan": "d39937f8de641c44a337cec4a2e5d3e8add20a7d",
"status": "affected",
"version": "69511a452e6dc6b74fe4f3671a51b1b44b9c57e3",
"versionType": "git"
},
{
"lessThan": "f48c474efe05cf9ce5e535b5e0ddd710e963936c",
"status": "affected",
"version": "69511a452e6dc6b74fe4f3671a51b1b44b9c57e3",
"versionType": "git"
},
{
"lessThan": "cda1895f3b7f324ece1614308a815a3994983b97",
"status": "affected",
"version": "69511a452e6dc6b74fe4f3671a51b1b44b9c57e3",
"versionType": "git"
},
{
"lessThan": "2b93c58adddd98812ad928bbc2063038f3df1ffd",
"status": "affected",
"version": "69511a452e6dc6b74fe4f3671a51b1b44b9c57e3",
"versionType": "git"
},
{
"lessThan": "2f98469c3141f8e42ba11075a273fb795bbad57f",
"status": "affected",
"version": "69511a452e6dc6b74fe4f3671a51b1b44b9c57e3",
"versionType": "git"
},
{
"lessThan": "f2b41b748c19962b82709d9f23c6b2b0ce9d2f91",
"status": "affected",
"version": "69511a452e6dc6b74fe4f3671a51b1b44b9c57e3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/regulator/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.3"
},
{
"lessThan": "3.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "3.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nregulator: core: fix unbalanced of node refcount in regulator_dev_lookup()\n\nI got the the following report:\n\n OF: ERROR: memory leak, expected refcount 1 instead of 2,\n of_node_get()/of_node_put() unbalanced - destroy cset entry:\n attach overlay node /i2c/pmic@62/regulators/exten\n\nIn of_get_regulator(), the node is returned from of_parse_phandle()\nwith refcount incremented, after using it, of_node_put() need be called."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:37:05.505Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0e88505ac0a6ae97746bcdbd4b042ee9f20455ae"
},
{
"url": "https://git.kernel.org/stable/c/4dfcf5087db9a34a300d6b99009232d4537c3e6a"
},
{
"url": "https://git.kernel.org/stable/c/3ac888db0f67813d91373a9a61c840f815cd4ec9"
},
{
"url": "https://git.kernel.org/stable/c/d39937f8de641c44a337cec4a2e5d3e8add20a7d"
},
{
"url": "https://git.kernel.org/stable/c/f48c474efe05cf9ce5e535b5e0ddd710e963936c"
},
{
"url": "https://git.kernel.org/stable/c/cda1895f3b7f324ece1614308a815a3994983b97"
},
{
"url": "https://git.kernel.org/stable/c/2b93c58adddd98812ad928bbc2063038f3df1ffd"
},
{
"url": "https://git.kernel.org/stable/c/2f98469c3141f8e42ba11075a273fb795bbad57f"
},
{
"url": "https://git.kernel.org/stable/c/f2b41b748c19962b82709d9f23c6b2b0ce9d2f91"
}
],
"title": "regulator: core: fix unbalanced of node refcount in regulator_dev_lookup()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50887",
"datePublished": "2025-12-30T12:37:05.505Z",
"dateReserved": "2025-12-30T12:35:41.595Z",
"dateUpdated": "2025-12-30T12:37:05.505Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54322 (GCVE-0-2023-54322)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:34 – Updated: 2026-01-05 11:37
VLAI?
Title
arm64: set __exception_irq_entry with __irq_entry as a default
Summary
In the Linux kernel, the following vulnerability has been resolved:
arm64: set __exception_irq_entry with __irq_entry as a default
filter_irq_stacks() is supposed to cut entries which are related irq entries
from its call stack.
And in_irqentry_text() which is called by filter_irq_stacks()
uses __irqentry_text_start/end symbol to find irq entries in callstack.
But it doesn't work correctly as without "CONFIG_FUNCTION_GRAPH_TRACER",
arm64 kernel doesn't include gic_handle_irq which is entry point of arm64 irq
between __irqentry_text_start and __irqentry_text_end as we discussed in below link.
https://lore.kernel.org/all/CACT4Y+aReMGLYua2rCLHgFpS9io5cZC04Q8GLs-uNmrn1ezxYQ@mail.gmail.com/#t
This problem can makes unintentional deep call stack entries especially
in KASAN enabled situation as below.
[ 2479.383395]I[0:launcher-loader: 1719] Stack depot reached limit capacity
[ 2479.383538]I[0:launcher-loader: 1719] WARNING: CPU: 0 PID: 1719 at lib/stackdepot.c:129 __stack_depot_save+0x464/0x46c
[ 2479.385693]I[0:launcher-loader: 1719] pstate: 624000c5 (nZCv daIF +PAN -UAO +TCO -DIT -SSBS BTYPE=--)
[ 2479.385724]I[0:launcher-loader: 1719] pc : __stack_depot_save+0x464/0x46c
[ 2479.385751]I[0:launcher-loader: 1719] lr : __stack_depot_save+0x460/0x46c
[ 2479.385774]I[0:launcher-loader: 1719] sp : ffffffc0080073c0
[ 2479.385793]I[0:launcher-loader: 1719] x29: ffffffc0080073e0 x28: ffffffd00b78a000 x27: 0000000000000000
[ 2479.385839]I[0:launcher-loader: 1719] x26: 000000000004d1dd x25: ffffff891474f000 x24: 00000000ca64d1dd
[ 2479.385882]I[0:launcher-loader: 1719] x23: 0000000000000200 x22: 0000000000000220 x21: 0000000000000040
[ 2479.385925]I[0:launcher-loader: 1719] x20: ffffffc008007440 x19: 0000000000000000 x18: 0000000000000000
[ 2479.385969]I[0:launcher-loader: 1719] x17: 2065726568207475 x16: 000000000000005e x15: 2d2d2d2d2d2d2d20
[ 2479.386013]I[0:launcher-loader: 1719] x14: 5d39313731203a72 x13: 00000000002f6b30 x12: 00000000002f6af8
[ 2479.386057]I[0:launcher-loader: 1719] x11: 00000000ffffffff x10: ffffffb90aacf000 x9 : e8a74a6c16008800
[ 2479.386101]I[0:launcher-loader: 1719] x8 : e8a74a6c16008800 x7 : 00000000002f6b30 x6 : 00000000002f6af8
[ 2479.386145]I[0:launcher-loader: 1719] x5 : ffffffc0080070c8 x4 : ffffffd00b192380 x3 : ffffffd0092b313c
[ 2479.386189]I[0:launcher-loader: 1719] x2 : 0000000000000001 x1 : 0000000000000004 x0 : 0000000000000022
[ 2479.386231]I[0:launcher-loader: 1719] Call trace:
[ 2479.386248]I[0:launcher-loader: 1719] __stack_depot_save+0x464/0x46c
[ 2479.386273]I[0:launcher-loader: 1719] kasan_save_stack+0x58/0x70
[ 2479.386303]I[0:launcher-loader: 1719] save_stack_info+0x34/0x138
[ 2479.386331]I[0:launcher-loader: 1719] kasan_save_free_info+0x18/0x24
[ 2479.386358]I[0:launcher-loader: 1719] ____kasan_slab_free+0x16c/0x170
[ 2479.386385]I[0:launcher-loader: 1719] __kasan_slab_free+0x10/0x20
[ 2479.386410]I[0:launcher-loader: 1719] kmem_cache_free+0x238/0x53c
[ 2479.386435]I[0:launcher-loader: 1719] mempool_free_slab+0x1c/0x28
[ 2479.386460]I[0:launcher-loader: 1719] mempool_free+0x7c/0x1a0
[ 2479.386484]I[0:launcher-loader: 1719] bvec_free+0x34/0x80
[ 2479.386514]I[0:launcher-loader: 1719] bio_free+0x60/0x98
[ 2479.386540]I[0:launcher-loader: 1719] bio_put+0x50/0x21c
[ 2479.386567]I[0:launcher-loader: 1719] f2fs_write_end_io+0x4ac/0x4d0
[ 2479.386594]I[0:launcher-loader: 1719] bio_endio+0x2dc/0x300
[ 2479.386622]I[0:launcher-loader: 1719] __dm_io_complete+0x324/0x37c
[ 2479.386650]I[0:launcher-loader: 1719] dm_io_dec_pending+0x60/0xa4
[ 2479.386676]I[0:launcher-loader: 1719] clone_endio+0xf8/0x2f0
[ 2479.386700]I[0:launcher-loader: 1719] bio_endio+0x2dc/0x300
[ 2479.386727]I[0:launcher-loader: 1719] blk_update_request+0x258/0x63c
[ 2479.386754]I[0:launcher-loader: 1719] scsi_end_request+0x50/0x304
[ 2479.386782]I[0:launcher-loader: 1719] scsi_io_completion+0x88/0x160
[ 2479.386808]I[0:launcher-loader: 1719] scsi_finish_command+0x17c/0x194
[ 2479.386833]I
---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
9a5ad7d0e3e1c6c0c11df89fbc5376f8aaf7a90f , < c71d6934c6ac40a97146a410e0320768c7b1bb3c
(git)
Affected: 9a5ad7d0e3e1c6c0c11df89fbc5376f8aaf7a90f , < 0bd309f22663f3ee749bea0b6d70642c31a1c0a5 (git) Affected: 9a5ad7d0e3e1c6c0c11df89fbc5376f8aaf7a90f , < d3b219e504fc5c5a25fa7c04c8589ff34baef9a8 (git) Affected: 9a5ad7d0e3e1c6c0c11df89fbc5376f8aaf7a90f , < f6794950f0e5ba37e3bbedda4d6ab0aad7395dd3 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm64/include/asm/exception.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c71d6934c6ac40a97146a410e0320768c7b1bb3c",
"status": "affected",
"version": "9a5ad7d0e3e1c6c0c11df89fbc5376f8aaf7a90f",
"versionType": "git"
},
{
"lessThan": "0bd309f22663f3ee749bea0b6d70642c31a1c0a5",
"status": "affected",
"version": "9a5ad7d0e3e1c6c0c11df89fbc5376f8aaf7a90f",
"versionType": "git"
},
{
"lessThan": "d3b219e504fc5c5a25fa7c04c8589ff34baef9a8",
"status": "affected",
"version": "9a5ad7d0e3e1c6c0c11df89fbc5376f8aaf7a90f",
"versionType": "git"
},
{
"lessThan": "f6794950f0e5ba37e3bbedda4d6ab0aad7395dd3",
"status": "affected",
"version": "9a5ad7d0e3e1c6c0c11df89fbc5376f8aaf7a90f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm64/include/asm/exception.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.3"
},
{
"lessThan": "4.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.150",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "4.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: set __exception_irq_entry with __irq_entry as a default\n\nfilter_irq_stacks() is supposed to cut entries which are related irq entries\nfrom its call stack.\nAnd in_irqentry_text() which is called by filter_irq_stacks()\nuses __irqentry_text_start/end symbol to find irq entries in callstack.\n\nBut it doesn\u0027t work correctly as without \"CONFIG_FUNCTION_GRAPH_TRACER\",\narm64 kernel doesn\u0027t include gic_handle_irq which is entry point of arm64 irq\nbetween __irqentry_text_start and __irqentry_text_end as we discussed in below link.\nhttps://lore.kernel.org/all/CACT4Y+aReMGLYua2rCLHgFpS9io5cZC04Q8GLs-uNmrn1ezxYQ@mail.gmail.com/#t\n\nThis problem can makes unintentional deep call stack entries especially\nin KASAN enabled situation as below.\n\n[ 2479.383395]I[0:launcher-loader: 1719] Stack depot reached limit capacity\n[ 2479.383538]I[0:launcher-loader: 1719] WARNING: CPU: 0 PID: 1719 at lib/stackdepot.c:129 __stack_depot_save+0x464/0x46c\n[ 2479.385693]I[0:launcher-loader: 1719] pstate: 624000c5 (nZCv daIF +PAN -UAO +TCO -DIT -SSBS BTYPE=--)\n[ 2479.385724]I[0:launcher-loader: 1719] pc : __stack_depot_save+0x464/0x46c\n[ 2479.385751]I[0:launcher-loader: 1719] lr : __stack_depot_save+0x460/0x46c\n[ 2479.385774]I[0:launcher-loader: 1719] sp : ffffffc0080073c0\n[ 2479.385793]I[0:launcher-loader: 1719] x29: ffffffc0080073e0 x28: ffffffd00b78a000 x27: 0000000000000000\n[ 2479.385839]I[0:launcher-loader: 1719] x26: 000000000004d1dd x25: ffffff891474f000 x24: 00000000ca64d1dd\n[ 2479.385882]I[0:launcher-loader: 1719] x23: 0000000000000200 x22: 0000000000000220 x21: 0000000000000040\n[ 2479.385925]I[0:launcher-loader: 1719] x20: ffffffc008007440 x19: 0000000000000000 x18: 0000000000000000\n[ 2479.385969]I[0:launcher-loader: 1719] x17: 2065726568207475 x16: 000000000000005e x15: 2d2d2d2d2d2d2d20\n[ 2479.386013]I[0:launcher-loader: 1719] x14: 5d39313731203a72 x13: 00000000002f6b30 x12: 00000000002f6af8\n[ 2479.386057]I[0:launcher-loader: 1719] x11: 00000000ffffffff x10: ffffffb90aacf000 x9 : e8a74a6c16008800\n[ 2479.386101]I[0:launcher-loader: 1719] x8 : e8a74a6c16008800 x7 : 00000000002f6b30 x6 : 00000000002f6af8\n[ 2479.386145]I[0:launcher-loader: 1719] x5 : ffffffc0080070c8 x4 : ffffffd00b192380 x3 : ffffffd0092b313c\n[ 2479.386189]I[0:launcher-loader: 1719] x2 : 0000000000000001 x1 : 0000000000000004 x0 : 0000000000000022\n[ 2479.386231]I[0:launcher-loader: 1719] Call trace:\n[ 2479.386248]I[0:launcher-loader: 1719] __stack_depot_save+0x464/0x46c\n[ 2479.386273]I[0:launcher-loader: 1719] kasan_save_stack+0x58/0x70\n[ 2479.386303]I[0:launcher-loader: 1719] save_stack_info+0x34/0x138\n[ 2479.386331]I[0:launcher-loader: 1719] kasan_save_free_info+0x18/0x24\n[ 2479.386358]I[0:launcher-loader: 1719] ____kasan_slab_free+0x16c/0x170\n[ 2479.386385]I[0:launcher-loader: 1719] __kasan_slab_free+0x10/0x20\n[ 2479.386410]I[0:launcher-loader: 1719] kmem_cache_free+0x238/0x53c\n[ 2479.386435]I[0:launcher-loader: 1719] mempool_free_slab+0x1c/0x28\n[ 2479.386460]I[0:launcher-loader: 1719] mempool_free+0x7c/0x1a0\n[ 2479.386484]I[0:launcher-loader: 1719] bvec_free+0x34/0x80\n[ 2479.386514]I[0:launcher-loader: 1719] bio_free+0x60/0x98\n[ 2479.386540]I[0:launcher-loader: 1719] bio_put+0x50/0x21c\n[ 2479.386567]I[0:launcher-loader: 1719] f2fs_write_end_io+0x4ac/0x4d0\n[ 2479.386594]I[0:launcher-loader: 1719] bio_endio+0x2dc/0x300\n[ 2479.386622]I[0:launcher-loader: 1719] __dm_io_complete+0x324/0x37c\n[ 2479.386650]I[0:launcher-loader: 1719] dm_io_dec_pending+0x60/0xa4\n[ 2479.386676]I[0:launcher-loader: 1719] clone_endio+0xf8/0x2f0\n[ 2479.386700]I[0:launcher-loader: 1719] bio_endio+0x2dc/0x300\n[ 2479.386727]I[0:launcher-loader: 1719] blk_update_request+0x258/0x63c\n[ 2479.386754]I[0:launcher-loader: 1719] scsi_end_request+0x50/0x304\n[ 2479.386782]I[0:launcher-loader: 1719] scsi_io_completion+0x88/0x160\n[ 2479.386808]I[0:launcher-loader: 1719] scsi_finish_command+0x17c/0x194\n[ 2479.386833]I\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T11:37:26.117Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c71d6934c6ac40a97146a410e0320768c7b1bb3c"
},
{
"url": "https://git.kernel.org/stable/c/0bd309f22663f3ee749bea0b6d70642c31a1c0a5"
},
{
"url": "https://git.kernel.org/stable/c/d3b219e504fc5c5a25fa7c04c8589ff34baef9a8"
},
{
"url": "https://git.kernel.org/stable/c/f6794950f0e5ba37e3bbedda4d6ab0aad7395dd3"
}
],
"title": "arm64: set __exception_irq_entry with __irq_entry as a default",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54322",
"datePublished": "2025-12-30T12:34:15.446Z",
"dateReserved": "2025-12-30T12:28:53.860Z",
"dateUpdated": "2026-01-05T11:37:26.117Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54320 (GCVE-0-2023-54320)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:34 – Updated: 2026-01-05 11:37
VLAI?
Title
platform/x86/amd: pmc: Fix memory leak in amd_pmc_stb_debugfs_open_v2()
Summary
In the Linux kernel, the following vulnerability has been resolved:
platform/x86/amd: pmc: Fix memory leak in amd_pmc_stb_debugfs_open_v2()
Function amd_pmc_stb_debugfs_open_v2() may be called when the STB
debug mechanism enabled.
When amd_pmc_send_cmd() fails, the 'buf' needs to be released.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/platform/x86/amd/pmc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d804adef7b23b22bb82e1b3dd113e9073cea9bc1",
"status": "affected",
"version": "1ecfd30960d4377c2d85181608936dedd35bb171",
"versionType": "git"
},
{
"lessThan": "f6e7ac4c35a28aef0be93b32c533ae678ad0b9e7",
"status": "affected",
"version": "1ecfd30960d4377c2d85181608936dedd35bb171",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/platform/x86/amd/pmc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.4",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86/amd: pmc: Fix memory leak in amd_pmc_stb_debugfs_open_v2()\n\nFunction amd_pmc_stb_debugfs_open_v2() may be called when the STB\ndebug mechanism enabled.\n\nWhen amd_pmc_send_cmd() fails, the \u0027buf\u0027 needs to be released."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T11:37:24.885Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d804adef7b23b22bb82e1b3dd113e9073cea9bc1"
},
{
"url": "https://git.kernel.org/stable/c/f6e7ac4c35a28aef0be93b32c533ae678ad0b9e7"
}
],
"title": "platform/x86/amd: pmc: Fix memory leak in amd_pmc_stb_debugfs_open_v2()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54320",
"datePublished": "2025-12-30T12:34:14.133Z",
"dateReserved": "2025-12-30T12:28:53.860Z",
"dateUpdated": "2026-01-05T11:37:24.885Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54321 (GCVE-0-2023-54321)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:34 – Updated: 2025-12-30 12:34
VLAI?
Title
driver core: fix potential null-ptr-deref in device_add()
Summary
In the Linux kernel, the following vulnerability has been resolved:
driver core: fix potential null-ptr-deref in device_add()
I got the following null-ptr-deref report while doing fault injection test:
BUG: kernel NULL pointer dereference, address: 0000000000000058
CPU: 2 PID: 278 Comm: 37-i2c-ds2482 Tainted: G B W N 6.1.0-rc3+
RIP: 0010:klist_put+0x2d/0xd0
Call Trace:
<TASK>
klist_remove+0xf1/0x1c0
device_release_driver_internal+0x196/0x210
bus_remove_device+0x1bd/0x240
device_add+0xd3d/0x1100
w1_add_master_device+0x476/0x490 [wire]
ds2482_probe+0x303/0x3e0 [ds2482]
This is how it happened:
w1_alloc_dev()
// The dev->driver is set to w1_master_driver.
memcpy(&dev->dev, device, sizeof(struct device));
device_add()
bus_add_device()
dpm_sysfs_add() // It fails, calls bus_remove_device.
// error path
bus_remove_device()
// The dev->driver is not null, but driver is not bound.
__device_release_driver()
klist_remove(&dev->p->knode_driver) <-- It causes null-ptr-deref.
// normal path
bus_probe_device() // It's not called yet.
device_bind_driver()
If dev->driver is set, in the error path after calling bus_add_device()
in device_add(), bus_remove_device() is called, then the device will be
detached from driver. But device_bind_driver() is not called yet, so it
causes null-ptr-deref while access the 'knode_driver'. To fix this, set
dev->driver to null in the error path before calling bus_remove_device().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
57eee3d23e8833ca18708b374c648235691942ba , < 2c59650d078b1b3f1ea50d5f8ee9fcc537dc02d3
(git)
Affected: 57eee3d23e8833ca18708b374c648235691942ba , < 7cf515bf9e8c2908dc170ecf2df117162a16c9c5 (git) Affected: 57eee3d23e8833ca18708b374c648235691942ba , < 17982304806c5c10924e73f7ca5556e0d7378452 (git) Affected: 57eee3d23e8833ca18708b374c648235691942ba , < f6837f34a34973ef6600c08195ed300e24e97317 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/base/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2c59650d078b1b3f1ea50d5f8ee9fcc537dc02d3",
"status": "affected",
"version": "57eee3d23e8833ca18708b374c648235691942ba",
"versionType": "git"
},
{
"lessThan": "7cf515bf9e8c2908dc170ecf2df117162a16c9c5",
"status": "affected",
"version": "57eee3d23e8833ca18708b374c648235691942ba",
"versionType": "git"
},
{
"lessThan": "17982304806c5c10924e73f7ca5556e0d7378452",
"status": "affected",
"version": "57eee3d23e8833ca18708b374c648235691942ba",
"versionType": "git"
},
{
"lessThan": "f6837f34a34973ef6600c08195ed300e24e97317",
"status": "affected",
"version": "57eee3d23e8833ca18708b374c648235691942ba",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/base/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.26"
},
{
"lessThan": "2.6.26",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "2.6.26",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndriver core: fix potential null-ptr-deref in device_add()\n\nI got the following null-ptr-deref report while doing fault injection test:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000058\nCPU: 2 PID: 278 Comm: 37-i2c-ds2482 Tainted: G B W N 6.1.0-rc3+\nRIP: 0010:klist_put+0x2d/0xd0\nCall Trace:\n \u003cTASK\u003e\n klist_remove+0xf1/0x1c0\n device_release_driver_internal+0x196/0x210\n bus_remove_device+0x1bd/0x240\n device_add+0xd3d/0x1100\n w1_add_master_device+0x476/0x490 [wire]\n ds2482_probe+0x303/0x3e0 [ds2482]\n\nThis is how it happened:\n\nw1_alloc_dev()\n // The dev-\u003edriver is set to w1_master_driver.\n memcpy(\u0026dev-\u003edev, device, sizeof(struct device));\n device_add()\n bus_add_device()\n dpm_sysfs_add() // It fails, calls bus_remove_device.\n\n // error path\n bus_remove_device()\n // The dev-\u003edriver is not null, but driver is not bound.\n __device_release_driver()\n klist_remove(\u0026dev-\u003ep-\u003eknode_driver) \u003c-- It causes null-ptr-deref.\n\n // normal path\n bus_probe_device() // It\u0027s not called yet.\n device_bind_driver()\n\nIf dev-\u003edriver is set, in the error path after calling bus_add_device()\nin device_add(), bus_remove_device() is called, then the device will be\ndetached from driver. But device_bind_driver() is not called yet, so it\ncauses null-ptr-deref while access the \u0027knode_driver\u0027. To fix this, set\ndev-\u003edriver to null in the error path before calling bus_remove_device()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:34:14.793Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2c59650d078b1b3f1ea50d5f8ee9fcc537dc02d3"
},
{
"url": "https://git.kernel.org/stable/c/7cf515bf9e8c2908dc170ecf2df117162a16c9c5"
},
{
"url": "https://git.kernel.org/stable/c/17982304806c5c10924e73f7ca5556e0d7378452"
},
{
"url": "https://git.kernel.org/stable/c/f6837f34a34973ef6600c08195ed300e24e97317"
}
],
"title": "driver core: fix potential null-ptr-deref in device_add()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54321",
"datePublished": "2025-12-30T12:34:14.793Z",
"dateReserved": "2025-12-30T12:28:53.860Z",
"dateUpdated": "2025-12-30T12:34:14.793Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54319 (GCVE-0-2023-54319)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:34 – Updated: 2025-12-30 12:34
VLAI?
Title
pinctrl: at91-pio4: check return value of devm_kasprintf()
Summary
In the Linux kernel, the following vulnerability has been resolved:
pinctrl: at91-pio4: check return value of devm_kasprintf()
devm_kasprintf() returns a pointer to dynamically allocated memory.
Pointer could be NULL in case allocation fails. Check pointer validity.
Identified with coccinelle (kmerr.cocci script).
Depends-on: 1c4e5c470a56 ("pinctrl: at91: use devm_kasprintf() to avoid potential leaks")
Depends-on: 5a8f9cf269e8 ("pinctrl: at91-pio4: use proper format specifier for unsigned int")
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
776180848b574c9c01217fa958f10843ffce584f , < 8d788f2ba830d6d32499b198c526d577c590eedf
(git)
Affected: 776180848b574c9c01217fa958f10843ffce584f , < 3e8ce1d5a1a9d758b359e5c426543957f35991f8 (git) Affected: 776180848b574c9c01217fa958f10843ffce584f , < aa3932eb07392d626486428e2ffddc660658e22a (git) Affected: 776180848b574c9c01217fa958f10843ffce584f , < f3c7b95c9991dab02e616fc251b6c3516e0bd0ac (git) Affected: 776180848b574c9c01217fa958f10843ffce584f , < 0a95dd17a73b7603818ad7c46c99d757232be331 (git) Affected: 776180848b574c9c01217fa958f10843ffce584f , < 0af388fce352ed2ab383fd5d1a08db551ca15c38 (git) Affected: 776180848b574c9c01217fa958f10843ffce584f , < 5bfd577cc728270d6cd7af6c652a1e7661f25487 (git) Affected: 776180848b574c9c01217fa958f10843ffce584f , < 8a1fa202f47f39680a4305af744f499a324f8a03 (git) Affected: 776180848b574c9c01217fa958f10843ffce584f , < f6fd5d4ff8ca0b24cee1af4130bcb1fa96b61aa0 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pinctrl/pinctrl-at91-pio4.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8d788f2ba830d6d32499b198c526d577c590eedf",
"status": "affected",
"version": "776180848b574c9c01217fa958f10843ffce584f",
"versionType": "git"
},
{
"lessThan": "3e8ce1d5a1a9d758b359e5c426543957f35991f8",
"status": "affected",
"version": "776180848b574c9c01217fa958f10843ffce584f",
"versionType": "git"
},
{
"lessThan": "aa3932eb07392d626486428e2ffddc660658e22a",
"status": "affected",
"version": "776180848b574c9c01217fa958f10843ffce584f",
"versionType": "git"
},
{
"lessThan": "f3c7b95c9991dab02e616fc251b6c3516e0bd0ac",
"status": "affected",
"version": "776180848b574c9c01217fa958f10843ffce584f",
"versionType": "git"
},
{
"lessThan": "0a95dd17a73b7603818ad7c46c99d757232be331",
"status": "affected",
"version": "776180848b574c9c01217fa958f10843ffce584f",
"versionType": "git"
},
{
"lessThan": "0af388fce352ed2ab383fd5d1a08db551ca15c38",
"status": "affected",
"version": "776180848b574c9c01217fa958f10843ffce584f",
"versionType": "git"
},
{
"lessThan": "5bfd577cc728270d6cd7af6c652a1e7661f25487",
"status": "affected",
"version": "776180848b574c9c01217fa958f10843ffce584f",
"versionType": "git"
},
{
"lessThan": "8a1fa202f47f39680a4305af744f499a324f8a03",
"status": "affected",
"version": "776180848b574c9c01217fa958f10843ffce584f",
"versionType": "git"
},
{
"lessThan": "f6fd5d4ff8ca0b24cee1af4130bcb1fa96b61aa0",
"status": "affected",
"version": "776180848b574c9c01217fa958f10843ffce584f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pinctrl/pinctrl-at91-pio4.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.4"
},
{
"lessThan": "4.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.322",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.322",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.291",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "4.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: at91-pio4: check return value of devm_kasprintf()\n\ndevm_kasprintf() returns a pointer to dynamically allocated memory.\nPointer could be NULL in case allocation fails. Check pointer validity.\nIdentified with coccinelle (kmerr.cocci script).\n\nDepends-on: 1c4e5c470a56 (\"pinctrl: at91: use devm_kasprintf() to avoid potential leaks\")\nDepends-on: 5a8f9cf269e8 (\"pinctrl: at91-pio4: use proper format specifier for unsigned int\")"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:34:13.468Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8d788f2ba830d6d32499b198c526d577c590eedf"
},
{
"url": "https://git.kernel.org/stable/c/3e8ce1d5a1a9d758b359e5c426543957f35991f8"
},
{
"url": "https://git.kernel.org/stable/c/aa3932eb07392d626486428e2ffddc660658e22a"
},
{
"url": "https://git.kernel.org/stable/c/f3c7b95c9991dab02e616fc251b6c3516e0bd0ac"
},
{
"url": "https://git.kernel.org/stable/c/0a95dd17a73b7603818ad7c46c99d757232be331"
},
{
"url": "https://git.kernel.org/stable/c/0af388fce352ed2ab383fd5d1a08db551ca15c38"
},
{
"url": "https://git.kernel.org/stable/c/5bfd577cc728270d6cd7af6c652a1e7661f25487"
},
{
"url": "https://git.kernel.org/stable/c/8a1fa202f47f39680a4305af744f499a324f8a03"
},
{
"url": "https://git.kernel.org/stable/c/f6fd5d4ff8ca0b24cee1af4130bcb1fa96b61aa0"
}
],
"title": "pinctrl: at91-pio4: check return value of devm_kasprintf()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54319",
"datePublished": "2025-12-30T12:34:13.468Z",
"dateReserved": "2025-12-30T12:28:53.859Z",
"dateUpdated": "2025-12-30T12:34:13.468Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50886 (GCVE-0-2022-50886)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:34 – Updated: 2025-12-30 12:34
VLAI?
Title
mmc: toshsd: fix return value check of mmc_add_host()
Summary
In the Linux kernel, the following vulnerability has been resolved:
mmc: toshsd: fix return value check of mmc_add_host()
mmc_add_host() may return error, if we ignore its return value, the memory
that allocated in mmc_alloc_host() will be leaked and it will lead a kernel
crash because of deleting not added device in the remove path.
So fix this by checking the return value and goto error path which will call
mmc_free_host(), besides, free_irq() also needs be called.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
a5eb8bbd66ccf9f169419f9652544aec771b7c57 , < 34ae492f8d172f0bd193c24cad588b35419ea47a
(git)
Affected: a5eb8bbd66ccf9f169419f9652544aec771b7c57 , < 3329e7b7132ca727263fb0ee214cf52cc6dcaaad (git) Affected: a5eb8bbd66ccf9f169419f9652544aec771b7c57 , < 4f6cb1c685f9e20a4a9fa565e442f5af4dad70ff (git) Affected: a5eb8bbd66ccf9f169419f9652544aec771b7c57 , < 3dbb69a0242c31ea4c9eee22b1c41b515fe509a0 (git) Affected: a5eb8bbd66ccf9f169419f9652544aec771b7c57 , < aabbedcb6c9a72d12d35dc672e83f0c8064d8a61 (git) Affected: a5eb8bbd66ccf9f169419f9652544aec771b7c57 , < 6444079767b68b1fbed0e7668081146e80dcb719 (git) Affected: a5eb8bbd66ccf9f169419f9652544aec771b7c57 , < 647e370dd0ef7e212d8d014bda748e461eab2e8c (git) Affected: a5eb8bbd66ccf9f169419f9652544aec771b7c57 , < bfd77b194c94aefbde4efc30ddf8607dd9244672 (git) Affected: a5eb8bbd66ccf9f169419f9652544aec771b7c57 , < f670744a316ea983113a65313dcd387b5a992444 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/mmc/host/toshsd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "34ae492f8d172f0bd193c24cad588b35419ea47a",
"status": "affected",
"version": "a5eb8bbd66ccf9f169419f9652544aec771b7c57",
"versionType": "git"
},
{
"lessThan": "3329e7b7132ca727263fb0ee214cf52cc6dcaaad",
"status": "affected",
"version": "a5eb8bbd66ccf9f169419f9652544aec771b7c57",
"versionType": "git"
},
{
"lessThan": "4f6cb1c685f9e20a4a9fa565e442f5af4dad70ff",
"status": "affected",
"version": "a5eb8bbd66ccf9f169419f9652544aec771b7c57",
"versionType": "git"
},
{
"lessThan": "3dbb69a0242c31ea4c9eee22b1c41b515fe509a0",
"status": "affected",
"version": "a5eb8bbd66ccf9f169419f9652544aec771b7c57",
"versionType": "git"
},
{
"lessThan": "aabbedcb6c9a72d12d35dc672e83f0c8064d8a61",
"status": "affected",
"version": "a5eb8bbd66ccf9f169419f9652544aec771b7c57",
"versionType": "git"
},
{
"lessThan": "6444079767b68b1fbed0e7668081146e80dcb719",
"status": "affected",
"version": "a5eb8bbd66ccf9f169419f9652544aec771b7c57",
"versionType": "git"
},
{
"lessThan": "647e370dd0ef7e212d8d014bda748e461eab2e8c",
"status": "affected",
"version": "a5eb8bbd66ccf9f169419f9652544aec771b7c57",
"versionType": "git"
},
{
"lessThan": "bfd77b194c94aefbde4efc30ddf8607dd9244672",
"status": "affected",
"version": "a5eb8bbd66ccf9f169419f9652544aec771b7c57",
"versionType": "git"
},
{
"lessThan": "f670744a316ea983113a65313dcd387b5a992444",
"status": "affected",
"version": "a5eb8bbd66ccf9f169419f9652544aec771b7c57",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/mmc/host/toshsd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.19"
},
{
"lessThan": "3.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "3.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: toshsd: fix return value check of mmc_add_host()\n\nmmc_add_host() may return error, if we ignore its return value, the memory\nthat allocated in mmc_alloc_host() will be leaked and it will lead a kernel\ncrash because of deleting not added device in the remove path.\n\nSo fix this by checking the return value and goto error path which will call\nmmc_free_host(), besides, free_irq() also needs be called."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:34:12.782Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/34ae492f8d172f0bd193c24cad588b35419ea47a"
},
{
"url": "https://git.kernel.org/stable/c/3329e7b7132ca727263fb0ee214cf52cc6dcaaad"
},
{
"url": "https://git.kernel.org/stable/c/4f6cb1c685f9e20a4a9fa565e442f5af4dad70ff"
},
{
"url": "https://git.kernel.org/stable/c/3dbb69a0242c31ea4c9eee22b1c41b515fe509a0"
},
{
"url": "https://git.kernel.org/stable/c/aabbedcb6c9a72d12d35dc672e83f0c8064d8a61"
},
{
"url": "https://git.kernel.org/stable/c/6444079767b68b1fbed0e7668081146e80dcb719"
},
{
"url": "https://git.kernel.org/stable/c/647e370dd0ef7e212d8d014bda748e461eab2e8c"
},
{
"url": "https://git.kernel.org/stable/c/bfd77b194c94aefbde4efc30ddf8607dd9244672"
},
{
"url": "https://git.kernel.org/stable/c/f670744a316ea983113a65313dcd387b5a992444"
}
],
"title": "mmc: toshsd: fix return value check of mmc_add_host()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50886",
"datePublished": "2025-12-30T12:34:12.782Z",
"dateReserved": "2025-12-30T12:26:05.425Z",
"dateUpdated": "2025-12-30T12:34:12.782Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50885 (GCVE-0-2022-50885)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:34 – Updated: 2025-12-30 12:34
VLAI?
Title
RDMA/rxe: Fix NULL-ptr-deref in rxe_qp_do_cleanup() when socket create failed
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/rxe: Fix NULL-ptr-deref in rxe_qp_do_cleanup() when socket create failed
There is a null-ptr-deref when mount.cifs over rdma:
BUG: KASAN: null-ptr-deref in rxe_qp_do_cleanup+0x2f3/0x360 [rdma_rxe]
Read of size 8 at addr 0000000000000018 by task mount.cifs/3046
CPU: 2 PID: 3046 Comm: mount.cifs Not tainted 6.1.0-rc5+ #62
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc3
Call Trace:
<TASK>
dump_stack_lvl+0x34/0x44
kasan_report+0xad/0x130
rxe_qp_do_cleanup+0x2f3/0x360 [rdma_rxe]
execute_in_process_context+0x25/0x90
__rxe_cleanup+0x101/0x1d0 [rdma_rxe]
rxe_create_qp+0x16a/0x180 [rdma_rxe]
create_qp.part.0+0x27d/0x340
ib_create_qp_kernel+0x73/0x160
rdma_create_qp+0x100/0x230
_smbd_get_connection+0x752/0x20f0
smbd_get_connection+0x21/0x40
cifs_get_tcp_session+0x8ef/0xda0
mount_get_conns+0x60/0x750
cifs_mount+0x103/0xd00
cifs_smb3_do_mount+0x1dd/0xcb0
smb3_get_tree+0x1d5/0x300
vfs_get_tree+0x41/0xf0
path_mount+0x9b3/0xdd0
__x64_sys_mount+0x190/0x1d0
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x46/0xb0
The root cause of the issue is the socket create failed in
rxe_qp_init_req().
So move the reset rxe_qp_do_cleanup() after the NULL ptr check.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
8700e3e7c4857d28ebaa824509934556da0b3e76 , < ee24de095569935eba600f7735e8e8ddea5b418e
(git)
Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < 7340ca9f782be6fbe3f64a134dc112772764f766 (git) Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < bd7106a6004f1077a365ca7f5a99c7a708e20714 (git) Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < 6bb5a62bfd624039b05157745c234068508393a9 (git) Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < f64f08b9e6fb305a25dd75329e06ae342b9ce336 (git) Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < 5b924632d84a60bc0c7fe6e9bbbce99d03908957 (git) Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < 821f9a18210f6b9fd6792471714c799607b25db4 (git) Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < f67376d801499f4fa0838c18c1efcad8840e550d (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/rxe/rxe_qp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ee24de095569935eba600f7735e8e8ddea5b418e",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "7340ca9f782be6fbe3f64a134dc112772764f766",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "bd7106a6004f1077a365ca7f5a99c7a708e20714",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "6bb5a62bfd624039b05157745c234068508393a9",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "f64f08b9e6fb305a25dd75329e06ae342b9ce336",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "5b924632d84a60bc0c7fe6e9bbbce99d03908957",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "821f9a18210f6b9fd6792471714c799607b25db4",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "f67376d801499f4fa0838c18c1efcad8840e550d",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/rxe/rxe_qp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Fix NULL-ptr-deref in rxe_qp_do_cleanup() when socket create failed\n\nThere is a null-ptr-deref when mount.cifs over rdma:\n\n BUG: KASAN: null-ptr-deref in rxe_qp_do_cleanup+0x2f3/0x360 [rdma_rxe]\n Read of size 8 at addr 0000000000000018 by task mount.cifs/3046\n\n CPU: 2 PID: 3046 Comm: mount.cifs Not tainted 6.1.0-rc5+ #62\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc3\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x34/0x44\n kasan_report+0xad/0x130\n rxe_qp_do_cleanup+0x2f3/0x360 [rdma_rxe]\n execute_in_process_context+0x25/0x90\n __rxe_cleanup+0x101/0x1d0 [rdma_rxe]\n rxe_create_qp+0x16a/0x180 [rdma_rxe]\n create_qp.part.0+0x27d/0x340\n ib_create_qp_kernel+0x73/0x160\n rdma_create_qp+0x100/0x230\n _smbd_get_connection+0x752/0x20f0\n smbd_get_connection+0x21/0x40\n cifs_get_tcp_session+0x8ef/0xda0\n mount_get_conns+0x60/0x750\n cifs_mount+0x103/0xd00\n cifs_smb3_do_mount+0x1dd/0xcb0\n smb3_get_tree+0x1d5/0x300\n vfs_get_tree+0x41/0xf0\n path_mount+0x9b3/0xdd0\n __x64_sys_mount+0x190/0x1d0\n do_syscall_64+0x35/0x80\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nThe root cause of the issue is the socket create failed in\nrxe_qp_init_req().\n\nSo move the reset rxe_qp_do_cleanup() after the NULL ptr check."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:34:12.093Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ee24de095569935eba600f7735e8e8ddea5b418e"
},
{
"url": "https://git.kernel.org/stable/c/7340ca9f782be6fbe3f64a134dc112772764f766"
},
{
"url": "https://git.kernel.org/stable/c/bd7106a6004f1077a365ca7f5a99c7a708e20714"
},
{
"url": "https://git.kernel.org/stable/c/6bb5a62bfd624039b05157745c234068508393a9"
},
{
"url": "https://git.kernel.org/stable/c/f64f08b9e6fb305a25dd75329e06ae342b9ce336"
},
{
"url": "https://git.kernel.org/stable/c/5b924632d84a60bc0c7fe6e9bbbce99d03908957"
},
{
"url": "https://git.kernel.org/stable/c/821f9a18210f6b9fd6792471714c799607b25db4"
},
{
"url": "https://git.kernel.org/stable/c/f67376d801499f4fa0838c18c1efcad8840e550d"
}
],
"title": "RDMA/rxe: Fix NULL-ptr-deref in rxe_qp_do_cleanup() when socket create failed",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50885",
"datePublished": "2025-12-30T12:34:12.093Z",
"dateReserved": "2025-12-30T12:26:05.425Z",
"dateUpdated": "2025-12-30T12:34:12.093Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50884 (GCVE-0-2022-50884)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:34 – Updated: 2026-01-02 15:05
VLAI?
Title
drm: Prevent drm_copy_field() to attempt copying a NULL pointer
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm: Prevent drm_copy_field() to attempt copying a NULL pointer
There are some struct drm_driver fields that are required by drivers since
drm_copy_field() attempts to copy them to user-space via DRM_IOCTL_VERSION.
But it can be possible that a driver has a bug and did not set some of the
fields, which leads to drm_copy_field() attempting to copy a NULL pointer:
[ +10.395966] Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000000000000
[ +0.010955] Mem abort info:
[ +0.002835] ESR = 0x0000000096000004
[ +0.003872] EC = 0x25: DABT (current EL), IL = 32 bits
[ +0.005395] SET = 0, FnV = 0
[ +0.003113] EA = 0, S1PTW = 0
[ +0.003182] FSC = 0x04: level 0 translation fault
[ +0.004964] Data abort info:
[ +0.002919] ISV = 0, ISS = 0x00000004
[ +0.003886] CM = 0, WnR = 0
[ +0.003040] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000115dad000
[ +0.006536] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000
[ +0.006925] Internal error: Oops: 96000004 [#1] SMP
...
[ +0.011113] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ +0.007061] pc : __pi_strlen+0x14/0x150
[ +0.003895] lr : drm_copy_field+0x30/0x1a4
[ +0.004156] sp : ffff8000094b3a50
[ +0.003355] x29: ffff8000094b3a50 x28: ffff8000094b3b70 x27: 0000000000000040
[ +0.007242] x26: ffff443743c2ba00 x25: 0000000000000000 x24: 0000000000000040
[ +0.007243] x23: ffff443743c2ba00 x22: ffff8000094b3b70 x21: 0000000000000000
[ +0.007241] x20: 0000000000000000 x19: ffff8000094b3b90 x18: 0000000000000000
[ +0.007241] x17: 0000000000000000 x16: 0000000000000000 x15: 0000aaab14b9af40
[ +0.007241] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
[ +0.007239] x11: 0000000000000000 x10: 0000000000000000 x9 : ffffa524ad67d4d8
[ +0.007242] x8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : 6c6e6263606e7141
[ +0.007239] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000
[ +0.007241] x2 : 0000000000000000 x1 : ffff8000094b3b90 x0 : 0000000000000000
[ +0.007240] Call trace:
[ +0.002475] __pi_strlen+0x14/0x150
[ +0.003537] drm_version+0x84/0xac
[ +0.003448] drm_ioctl_kernel+0xa8/0x16c
[ +0.003975] drm_ioctl+0x270/0x580
[ +0.003448] __arm64_sys_ioctl+0xb8/0xfc
[ +0.003978] invoke_syscall+0x78/0x100
[ +0.003799] el0_svc_common.constprop.0+0x4c/0xf4
[ +0.004767] do_el0_svc+0x38/0x4c
[ +0.003357] el0_svc+0x34/0x100
[ +0.003185] el0t_64_sync_handler+0x11c/0x150
[ +0.004418] el0t_64_sync+0x190/0x194
[ +0.003716] Code: 92402c04 b200c3e8 f13fc09f 5400088c (a9400c02)
[ +0.006180] ---[ end trace 0000000000000000 ]---
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
22eae947bf76e236ba972f2f11cfd1b083b736ad , < d213914386a0ede76a4549b41de30192fb92c595
(git)
Affected: 22eae947bf76e236ba972f2f11cfd1b083b736ad , < ee9885cd936aad88f84d0cf90bf9a70e83e42a97 (git) Affected: 22eae947bf76e236ba972f2f11cfd1b083b736ad , < 8052612b9d08048ebbebcb572894670b4ac07d2f (git) Affected: 22eae947bf76e236ba972f2f11cfd1b083b736ad , < cdde55f97298e5bb9af6d41c9303a3ec545a370e (git) Affected: 22eae947bf76e236ba972f2f11cfd1b083b736ad , < c28a8082b25ce4ec94999e10a30c50d20bd44a25 (git) Affected: 22eae947bf76e236ba972f2f11cfd1b083b736ad , < ca163e389f0ae096a4e1e19f0a95e60ed80b4e31 (git) Affected: 22eae947bf76e236ba972f2f11cfd1b083b736ad , < 2d6708ea5c2033ff53267feff1876a717689989f (git) Affected: 22eae947bf76e236ba972f2f11cfd1b083b736ad , < 6cf5e9356b2d856403ee480f987f3ea64dbf8d8c (git) Affected: 22eae947bf76e236ba972f2f11cfd1b083b736ad , < f6ee30407e883042482ad4ad30da5eaba47872ee (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/drm_ioctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d213914386a0ede76a4549b41de30192fb92c595",
"status": "affected",
"version": "22eae947bf76e236ba972f2f11cfd1b083b736ad",
"versionType": "git"
},
{
"lessThan": "ee9885cd936aad88f84d0cf90bf9a70e83e42a97",
"status": "affected",
"version": "22eae947bf76e236ba972f2f11cfd1b083b736ad",
"versionType": "git"
},
{
"lessThan": "8052612b9d08048ebbebcb572894670b4ac07d2f",
"status": "affected",
"version": "22eae947bf76e236ba972f2f11cfd1b083b736ad",
"versionType": "git"
},
{
"lessThan": "cdde55f97298e5bb9af6d41c9303a3ec545a370e",
"status": "affected",
"version": "22eae947bf76e236ba972f2f11cfd1b083b736ad",
"versionType": "git"
},
{
"lessThan": "c28a8082b25ce4ec94999e10a30c50d20bd44a25",
"status": "affected",
"version": "22eae947bf76e236ba972f2f11cfd1b083b736ad",
"versionType": "git"
},
{
"lessThan": "ca163e389f0ae096a4e1e19f0a95e60ed80b4e31",
"status": "affected",
"version": "22eae947bf76e236ba972f2f11cfd1b083b736ad",
"versionType": "git"
},
{
"lessThan": "2d6708ea5c2033ff53267feff1876a717689989f",
"status": "affected",
"version": "22eae947bf76e236ba972f2f11cfd1b083b736ad",
"versionType": "git"
},
{
"lessThan": "6cf5e9356b2d856403ee480f987f3ea64dbf8d8c",
"status": "affected",
"version": "22eae947bf76e236ba972f2f11cfd1b083b736ad",
"versionType": "git"
},
{
"lessThan": "f6ee30407e883042482ad4ad30da5eaba47872ee",
"status": "affected",
"version": "22eae947bf76e236ba972f2f11cfd1b083b736ad",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/drm_ioctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.16"
},
{
"lessThan": "2.6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.331",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.296",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.262",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.220",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.331",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.296",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.262",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.220",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "2.6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: Prevent drm_copy_field() to attempt copying a NULL pointer\n\nThere are some struct drm_driver fields that are required by drivers since\ndrm_copy_field() attempts to copy them to user-space via DRM_IOCTL_VERSION.\n\nBut it can be possible that a driver has a bug and did not set some of the\nfields, which leads to drm_copy_field() attempting to copy a NULL pointer:\n\n[ +10.395966] Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000000000000\n[ +0.010955] Mem abort info:\n[ +0.002835] ESR = 0x0000000096000004\n[ +0.003872] EC = 0x25: DABT (current EL), IL = 32 bits\n[ +0.005395] SET = 0, FnV = 0\n[ +0.003113] EA = 0, S1PTW = 0\n[ +0.003182] FSC = 0x04: level 0 translation fault\n[ +0.004964] Data abort info:\n[ +0.002919] ISV = 0, ISS = 0x00000004\n[ +0.003886] CM = 0, WnR = 0\n[ +0.003040] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000115dad000\n[ +0.006536] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000\n[ +0.006925] Internal error: Oops: 96000004 [#1] SMP\n...\n[ +0.011113] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ +0.007061] pc : __pi_strlen+0x14/0x150\n[ +0.003895] lr : drm_copy_field+0x30/0x1a4\n[ +0.004156] sp : ffff8000094b3a50\n[ +0.003355] x29: ffff8000094b3a50 x28: ffff8000094b3b70 x27: 0000000000000040\n[ +0.007242] x26: ffff443743c2ba00 x25: 0000000000000000 x24: 0000000000000040\n[ +0.007243] x23: ffff443743c2ba00 x22: ffff8000094b3b70 x21: 0000000000000000\n[ +0.007241] x20: 0000000000000000 x19: ffff8000094b3b90 x18: 0000000000000000\n[ +0.007241] x17: 0000000000000000 x16: 0000000000000000 x15: 0000aaab14b9af40\n[ +0.007241] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000\n[ +0.007239] x11: 0000000000000000 x10: 0000000000000000 x9 : ffffa524ad67d4d8\n[ +0.007242] x8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : 6c6e6263606e7141\n[ +0.007239] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000\n[ +0.007241] x2 : 0000000000000000 x1 : ffff8000094b3b90 x0 : 0000000000000000\n[ +0.007240] Call trace:\n[ +0.002475] __pi_strlen+0x14/0x150\n[ +0.003537] drm_version+0x84/0xac\n[ +0.003448] drm_ioctl_kernel+0xa8/0x16c\n[ +0.003975] drm_ioctl+0x270/0x580\n[ +0.003448] __arm64_sys_ioctl+0xb8/0xfc\n[ +0.003978] invoke_syscall+0x78/0x100\n[ +0.003799] el0_svc_common.constprop.0+0x4c/0xf4\n[ +0.004767] do_el0_svc+0x38/0x4c\n[ +0.003357] el0_svc+0x34/0x100\n[ +0.003185] el0t_64_sync_handler+0x11c/0x150\n[ +0.004418] el0t_64_sync+0x190/0x194\n[ +0.003716] Code: 92402c04 b200c3e8 f13fc09f 5400088c (a9400c02)\n[ +0.006180] ---[ end trace 0000000000000000 ]---"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:05:18.258Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d213914386a0ede76a4549b41de30192fb92c595"
},
{
"url": "https://git.kernel.org/stable/c/ee9885cd936aad88f84d0cf90bf9a70e83e42a97"
},
{
"url": "https://git.kernel.org/stable/c/8052612b9d08048ebbebcb572894670b4ac07d2f"
},
{
"url": "https://git.kernel.org/stable/c/cdde55f97298e5bb9af6d41c9303a3ec545a370e"
},
{
"url": "https://git.kernel.org/stable/c/c28a8082b25ce4ec94999e10a30c50d20bd44a25"
},
{
"url": "https://git.kernel.org/stable/c/ca163e389f0ae096a4e1e19f0a95e60ed80b4e31"
},
{
"url": "https://git.kernel.org/stable/c/2d6708ea5c2033ff53267feff1876a717689989f"
},
{
"url": "https://git.kernel.org/stable/c/6cf5e9356b2d856403ee480f987f3ea64dbf8d8c"
},
{
"url": "https://git.kernel.org/stable/c/f6ee30407e883042482ad4ad30da5eaba47872ee"
}
],
"title": "drm: Prevent drm_copy_field() to attempt copying a NULL pointer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50884",
"datePublished": "2025-12-30T12:34:11.390Z",
"dateReserved": "2025-12-30T12:26:05.425Z",
"dateUpdated": "2026-01-02T15:05:18.258Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}