Refine your search
3293 vulnerabilities found for by Linux
CVE-2025-68325 (GCVE-0-2025-68325)
Vulnerability from cvelistv5
Published
2025-12-18 15:02
Modified
2025-12-18 15:02
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: sch_cake: Fix incorrect qlen reduction in cake_drop
In cake_drop(), qdisc_tree_reduce_backlog() is used to update the qlen
and backlog of the qdisc hierarchy. Its caller, cake_enqueue(), assumes
that the parent qdisc will enqueue the current packet. However, this
assumption breaks when cake_enqueue() returns NET_XMIT_CN: the parent
qdisc stops enqueuing current packet, leaving the tree qlen/backlog
accounting inconsistent. This mismatch can lead to a NULL dereference
(e.g., when the parent Qdisc is qfq_qdisc).
This patch computes the qlen/backlog delta in a more robust way by
observing the difference before and after the series of cake_drop()
calls, and then compensates the qdisc tree accounting if cake_enqueue()
returns NET_XMIT_CN.
To ensure correct compensation when ACK thinning is enabled, a new
variable is introduced to keep qlen unchanged.
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: ff57186b2cc39766672c4c0332323933e5faaa88 Version: 15de71d06a400f7fdc15bf377a2552b0ec437cf5 Version: 15de71d06a400f7fdc15bf377a2552b0ec437cf5 Version: 15de71d06a400f7fdc15bf377a2552b0ec437cf5 Version: 7689ab22de36f8db19095f6bdf11f28cfde92f5c Version: de04ddd2980b48caa8d7e24a7db2742917a8b280 Version: 0dacfc5372e314d1219f03e64dde3ab495a5a25e Version: 710866fc0a64eafcb8bacd91bcb1329eb7e5035f Version: aa12ee1c1bd260943fd6ab556d8635811c332eeb Version: 62d591dde4defb1333d202410609c4ddeae060b3 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_cake.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0b6216f9b3d1c33c76f74511026e5de5385ee520",
"status": "affected",
"version": "ff57186b2cc39766672c4c0332323933e5faaa88",
"versionType": "git"
},
{
"lessThan": "529c284cc2815c8350860e9a31722050fe7117cb",
"status": "affected",
"version": "15de71d06a400f7fdc15bf377a2552b0ec437cf5",
"versionType": "git"
},
{
"lessThan": "3ed6c458530a547ed0c9ea0b02b19bab620be88b",
"status": "affected",
"version": "15de71d06a400f7fdc15bf377a2552b0ec437cf5",
"versionType": "git"
},
{
"lessThan": "9fefc78f7f02d71810776fdeb119a05a946a27cc",
"status": "affected",
"version": "15de71d06a400f7fdc15bf377a2552b0ec437cf5",
"versionType": "git"
},
{
"status": "affected",
"version": "7689ab22de36f8db19095f6bdf11f28cfde92f5c",
"versionType": "git"
},
{
"status": "affected",
"version": "de04ddd2980b48caa8d7e24a7db2742917a8b280",
"versionType": "git"
},
{
"status": "affected",
"version": "0dacfc5372e314d1219f03e64dde3ab495a5a25e",
"versionType": "git"
},
{
"status": "affected",
"version": "710866fc0a64eafcb8bacd91bcb1329eb7e5035f",
"versionType": "git"
},
{
"status": "affected",
"version": "aa12ee1c1bd260943fd6ab556d8635811c332eeb",
"versionType": "git"
},
{
"status": "affected",
"version": "62d591dde4defb1333d202410609c4ddeae060b3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_cake.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.17"
},
{
"lessThan": "6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "6.12.44",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.297",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.241",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.190",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.1.149",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.6.103",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.16.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_cake: Fix incorrect qlen reduction in cake_drop\n\nIn cake_drop(), qdisc_tree_reduce_backlog() is used to update the qlen\nand backlog of the qdisc hierarchy. Its caller, cake_enqueue(), assumes\nthat the parent qdisc will enqueue the current packet. However, this\nassumption breaks when cake_enqueue() returns NET_XMIT_CN: the parent\nqdisc stops enqueuing current packet, leaving the tree qlen/backlog\naccounting inconsistent. This mismatch can lead to a NULL dereference\n(e.g., when the parent Qdisc is qfq_qdisc).\n\nThis patch computes the qlen/backlog delta in a more robust way by\nobserving the difference before and after the series of cake_drop()\ncalls, and then compensates the qdisc tree accounting if cake_enqueue()\nreturns NET_XMIT_CN.\n\nTo ensure correct compensation when ACK thinning is enabled, a new\nvariable is introduced to keep qlen unchanged."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-18T15:02:50.214Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0b6216f9b3d1c33c76f74511026e5de5385ee520"
},
{
"url": "https://git.kernel.org/stable/c/529c284cc2815c8350860e9a31722050fe7117cb"
},
{
"url": "https://git.kernel.org/stable/c/3ed6c458530a547ed0c9ea0b02b19bab620be88b"
},
{
"url": "https://git.kernel.org/stable/c/9fefc78f7f02d71810776fdeb119a05a946a27cc"
}
],
"title": "net/sched: sch_cake: Fix incorrect qlen reduction in cake_drop",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68325",
"datePublished": "2025-12-18T15:02:50.214Z",
"dateReserved": "2025-12-16T14:48:05.296Z",
"dateUpdated": "2025-12-18T15:02:50.214Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68324 (GCVE-0-2025-68324)
Vulnerability from cvelistv5
Published
2025-12-18 15:02
Modified
2025-12-18 15:02
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: imm: Fix use-after-free bug caused by unfinished delayed work
The delayed work item 'imm_tq' is initialized in imm_attach() and
scheduled via imm_queuecommand() for processing SCSI commands. When the
IMM parallel port SCSI host adapter is detached through imm_detach(),
the imm_struct device instance is deallocated.
However, the delayed work might still be pending or executing
when imm_detach() is called, leading to use-after-free bugs
when the work function imm_interrupt() accesses the already
freed imm_struct memory.
The race condition can occur as follows:
CPU 0(detach thread) | CPU 1
| imm_queuecommand()
| imm_queuecommand_lck()
imm_detach() | schedule_delayed_work()
kfree(dev) //FREE | imm_interrupt()
| dev = container_of(...) //USE
dev-> //USE
Add disable_delayed_work_sync() in imm_detach() to guarantee proper
cancellation of the delayed work item before imm_struct is deallocated.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/imm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "31ab2aad7a7b7501e904a09bf361e44671f66092",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "48dd41fa2d6c6a0c50e714deeba06ffe7f91961b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9e434426cc23ad5e2aad649327b59aea00294b13",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ab58153ec64fa3fc9aea09ca09dc9322e0b54a7c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/imm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: imm: Fix use-after-free bug caused by unfinished delayed work\n\nThe delayed work item \u0027imm_tq\u0027 is initialized in imm_attach() and\nscheduled via imm_queuecommand() for processing SCSI commands. When the\nIMM parallel port SCSI host adapter is detached through imm_detach(),\nthe imm_struct device instance is deallocated.\n\nHowever, the delayed work might still be pending or executing\nwhen imm_detach() is called, leading to use-after-free bugs\nwhen the work function imm_interrupt() accesses the already\nfreed imm_struct memory.\n\nThe race condition can occur as follows:\n\nCPU 0(detach thread) | CPU 1\n | imm_queuecommand()\n | imm_queuecommand_lck()\nimm_detach() | schedule_delayed_work()\n kfree(dev) //FREE | imm_interrupt()\n | dev = container_of(...) //USE\n dev-\u003e //USE\n\nAdd disable_delayed_work_sync() in imm_detach() to guarantee proper\ncancellation of the delayed work item before imm_struct is deallocated."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-18T15:02:49.230Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/31ab2aad7a7b7501e904a09bf361e44671f66092"
},
{
"url": "https://git.kernel.org/stable/c/48dd41fa2d6c6a0c50e714deeba06ffe7f91961b"
},
{
"url": "https://git.kernel.org/stable/c/9e434426cc23ad5e2aad649327b59aea00294b13"
},
{
"url": "https://git.kernel.org/stable/c/ab58153ec64fa3fc9aea09ca09dc9322e0b54a7c"
}
],
"title": "scsi: imm: Fix use-after-free bug caused by unfinished delayed work",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68324",
"datePublished": "2025-12-18T15:02:49.230Z",
"dateReserved": "2025-12-16T14:48:05.296Z",
"dateUpdated": "2025-12-18T15:02:49.230Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68323 (GCVE-0-2025-68323)
Vulnerability from cvelistv5
Published
2025-12-18 15:02
Modified
2025-12-18 15:02
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: typec: ucsi: fix use-after-free caused by uec->work
The delayed work uec->work is scheduled in gaokun_ucsi_probe()
but never properly canceled in gaokun_ucsi_remove(). This creates
use-after-free scenarios where the ucsi and gaokun_ucsi structure
are freed after ucsi_destroy() completes execution, while the
gaokun_ucsi_register_worker() might be either currently executing
or still pending in the work queue. The already-freed gaokun_ucsi
or ucsi structure may then be accessed.
Furthermore, the race window is 3 seconds, which is sufficiently
long to make this bug easily reproducible. The following is the
trace captured by KASAN:
==================================================================
BUG: KASAN: slab-use-after-free in __run_timers+0x5ec/0x630
Write of size 8 at addr ffff00000ec28cc8 by task swapper/0/0
...
Call trace:
show_stack+0x18/0x24 (C)
dump_stack_lvl+0x78/0x90
print_report+0x114/0x580
kasan_report+0xa4/0xf0
__asan_report_store8_noabort+0x20/0x2c
__run_timers+0x5ec/0x630
run_timer_softirq+0xe8/0x1cc
handle_softirqs+0x294/0x720
__do_softirq+0x14/0x20
____do_softirq+0x10/0x1c
call_on_irq_stack+0x30/0x48
do_softirq_own_stack+0x1c/0x28
__irq_exit_rcu+0x27c/0x364
irq_exit_rcu+0x10/0x1c
el1_interrupt+0x40/0x60
el1h_64_irq_handler+0x18/0x24
el1h_64_irq+0x6c/0x70
arch_local_irq_enable+0x4/0x8 (P)
do_idle+0x334/0x458
cpu_startup_entry+0x60/0x70
rest_init+0x158/0x174
start_kernel+0x2f8/0x394
__primary_switched+0x8c/0x94
Allocated by task 72 on cpu 0 at 27.510341s:
kasan_save_stack+0x2c/0x54
kasan_save_track+0x24/0x5c
kasan_save_alloc_info+0x40/0x54
__kasan_kmalloc+0xa0/0xb8
__kmalloc_node_track_caller_noprof+0x1c0/0x588
devm_kmalloc+0x7c/0x1c8
gaokun_ucsi_probe+0xa0/0x840 auxiliary_bus_probe+0x94/0xf8
really_probe+0x17c/0x5b8
__driver_probe_device+0x158/0x2c4
driver_probe_device+0x10c/0x264
__device_attach_driver+0x168/0x2d0
bus_for_each_drv+0x100/0x188
__device_attach+0x174/0x368
device_initial_probe+0x14/0x20
bus_probe_device+0x120/0x150
device_add+0xb3c/0x10fc
__auxiliary_device_add+0x88/0x130
...
Freed by task 73 on cpu 1 at 28.910627s:
kasan_save_stack+0x2c/0x54
kasan_save_track+0x24/0x5c
__kasan_save_free_info+0x4c/0x74
__kasan_slab_free+0x60/0x8c
kfree+0xd4/0x410
devres_release_all+0x140/0x1f0
device_unbind_cleanup+0x20/0x190
device_release_driver_internal+0x344/0x460
device_release_driver+0x18/0x24
bus_remove_device+0x198/0x274
device_del+0x310/0xa84
...
The buggy address belongs to the object at ffff00000ec28c00
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 200 bytes inside of
freed 512-byte region
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4ec28
head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x3fffe0000000040(head|node=0|zone=0|lastcpupid=0x1ffff)
page_type: f5(slab)
raw: 03fffe0000000040 ffff000008801c80 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
head: 03fffe0000000040 ffff000008801c80 dead000000000122 0000000000000000
head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
head: 03fffe0000000002 fffffdffc03b0a01 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff00000ec28b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff00000ec28c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff00000ec28c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff00000ec28d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff00000ec28d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
================================================================
---truncated---
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/typec/ucsi/ucsi_huawei_gaokun.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d8ac85c76a4279979b917d4b2f9c6b07d9783003",
"status": "affected",
"version": "00327d7f2c8c512c9b168daae02c8b989f79ec71",
"versionType": "git"
},
{
"lessThan": "a880ef71a1c8da266b88491213c37893e2126489",
"status": "affected",
"version": "00327d7f2c8c512c9b168daae02c8b989f79ec71",
"versionType": "git"
},
{
"lessThan": "2b7a0f47aaf2439d517ba0a6b29c66a535302154",
"status": "affected",
"version": "00327d7f2c8c512c9b168daae02c8b989f79ec71",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/typec/ucsi/ucsi_huawei_gaokun.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.16"
},
{
"lessThan": "6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: ucsi: fix use-after-free caused by uec-\u003ework\n\nThe delayed work uec-\u003ework is scheduled in gaokun_ucsi_probe()\nbut never properly canceled in gaokun_ucsi_remove(). This creates\nuse-after-free scenarios where the ucsi and gaokun_ucsi structure\nare freed after ucsi_destroy() completes execution, while the\ngaokun_ucsi_register_worker() might be either currently executing\nor still pending in the work queue. The already-freed gaokun_ucsi\nor ucsi structure may then be accessed.\n\nFurthermore, the race window is 3 seconds, which is sufficiently\nlong to make this bug easily reproducible. The following is the\ntrace captured by KASAN:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in __run_timers+0x5ec/0x630\nWrite of size 8 at addr ffff00000ec28cc8 by task swapper/0/0\n...\nCall trace:\n show_stack+0x18/0x24 (C)\n dump_stack_lvl+0x78/0x90\n print_report+0x114/0x580\n kasan_report+0xa4/0xf0\n __asan_report_store8_noabort+0x20/0x2c\n __run_timers+0x5ec/0x630\n run_timer_softirq+0xe8/0x1cc\n handle_softirqs+0x294/0x720\n __do_softirq+0x14/0x20\n ____do_softirq+0x10/0x1c\n call_on_irq_stack+0x30/0x48\n do_softirq_own_stack+0x1c/0x28\n __irq_exit_rcu+0x27c/0x364\n irq_exit_rcu+0x10/0x1c\n el1_interrupt+0x40/0x60\n el1h_64_irq_handler+0x18/0x24\n el1h_64_irq+0x6c/0x70\n arch_local_irq_enable+0x4/0x8 (P)\n do_idle+0x334/0x458\n cpu_startup_entry+0x60/0x70\n rest_init+0x158/0x174\n start_kernel+0x2f8/0x394\n __primary_switched+0x8c/0x94\n\nAllocated by task 72 on cpu 0 at 27.510341s:\n kasan_save_stack+0x2c/0x54\n kasan_save_track+0x24/0x5c\n kasan_save_alloc_info+0x40/0x54\n __kasan_kmalloc+0xa0/0xb8\n __kmalloc_node_track_caller_noprof+0x1c0/0x588\n devm_kmalloc+0x7c/0x1c8\n gaokun_ucsi_probe+0xa0/0x840 auxiliary_bus_probe+0x94/0xf8\n really_probe+0x17c/0x5b8\n __driver_probe_device+0x158/0x2c4\n driver_probe_device+0x10c/0x264\n __device_attach_driver+0x168/0x2d0\n bus_for_each_drv+0x100/0x188\n __device_attach+0x174/0x368\n device_initial_probe+0x14/0x20\n bus_probe_device+0x120/0x150\n device_add+0xb3c/0x10fc\n __auxiliary_device_add+0x88/0x130\n...\n\nFreed by task 73 on cpu 1 at 28.910627s:\n kasan_save_stack+0x2c/0x54\n kasan_save_track+0x24/0x5c\n __kasan_save_free_info+0x4c/0x74\n __kasan_slab_free+0x60/0x8c\n kfree+0xd4/0x410\n devres_release_all+0x140/0x1f0\n device_unbind_cleanup+0x20/0x190\n device_release_driver_internal+0x344/0x460\n device_release_driver+0x18/0x24\n bus_remove_device+0x198/0x274\n device_del+0x310/0xa84\n...\n\nThe buggy address belongs to the object at ffff00000ec28c00\n which belongs to the cache kmalloc-512 of size 512\nThe buggy address is located 200 bytes inside of\n freed 512-byte region\nThe buggy address belongs to the physical page:\npage: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4ec28\nhead: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0\nflags: 0x3fffe0000000040(head|node=0|zone=0|lastcpupid=0x1ffff)\npage_type: f5(slab)\nraw: 03fffe0000000040 ffff000008801c80 dead000000000122 0000000000000000\nraw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000\nhead: 03fffe0000000040 ffff000008801c80 dead000000000122 0000000000000000\nhead: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000\nhead: 03fffe0000000002 fffffdffc03b0a01 00000000ffffffff 00000000ffffffff\nhead: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004\npage dumped because: kasan: bad access detected\n\nMemory state around the buggy address:\n ffff00000ec28b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n ffff00000ec28c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n\u003effff00000ec28c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ^\n ffff00000ec28d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ffff00000ec28d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n================================================================\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-18T15:02:48.403Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d8ac85c76a4279979b917d4b2f9c6b07d9783003"
},
{
"url": "https://git.kernel.org/stable/c/a880ef71a1c8da266b88491213c37893e2126489"
},
{
"url": "https://git.kernel.org/stable/c/2b7a0f47aaf2439d517ba0a6b29c66a535302154"
}
],
"title": "usb: typec: ucsi: fix use-after-free caused by uec-\u003ework",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68323",
"datePublished": "2025-12-18T15:02:48.403Z",
"dateReserved": "2025-12-16T14:48:05.296Z",
"dateUpdated": "2025-12-18T15:02:48.403Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68322 (GCVE-0-2025-68322)
Vulnerability from cvelistv5
Published
2025-12-16 15:44
Modified
2025-12-16 15:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
parisc: Avoid crash due to unaligned access in unwinder
Guenter Roeck reported this kernel crash on his emulated B160L machine:
Starting network: udhcpc: started, v1.36.1
Backtrace:
[<104320d4>] unwind_once+0x1c/0x5c
[<10434a00>] walk_stackframe.isra.0+0x74/0xb8
[<10434a6c>] arch_stack_walk+0x28/0x38
[<104e5efc>] stack_trace_save+0x48/0x5c
[<105d1bdc>] set_track_prepare+0x44/0x6c
[<105d9c80>] ___slab_alloc+0xfc4/0x1024
[<105d9d38>] __slab_alloc.isra.0+0x58/0x90
[<105dc80c>] kmem_cache_alloc_noprof+0x2ac/0x4a0
[<105b8e54>] __anon_vma_prepare+0x60/0x280
[<105a823c>] __vmf_anon_prepare+0x68/0x94
[<105a8b34>] do_wp_page+0x8cc/0xf10
[<105aad88>] handle_mm_fault+0x6c0/0xf08
[<10425568>] do_page_fault+0x110/0x440
[<10427938>] handle_interruption+0x184/0x748
[<11178398>] schedule+0x4c/0x190
BUG: spinlock recursion on CPU#0, ifconfig/2420
lock: terminate_lock.2+0x0/0x1c, .magic: dead4ead, .owner: ifconfig/2420, .owner_cpu: 0
While creating the stack trace, the unwinder uses the stack pointer to guess
the previous frame to read the previous stack pointer from memory. The crash
happens, because the unwinder tries to read from unaligned memory and as such
triggers the unalignment trap handler which then leads to the spinlock
recursion and finally to a deadlock.
Fix it by checking the alignment before accessing the memory.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/parisc/kernel/unwind.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9ac1f44723f26881b9fe7e69c7bc25397b879155",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "009270208f76456c2cefcd565da263b90bb2eadb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fd9f30d1038ee1624baa17a6ff11effe5f7617cb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/parisc/kernel/unwind.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nparisc: Avoid crash due to unaligned access in unwinder\n\nGuenter Roeck reported this kernel crash on his emulated B160L machine:\n\nStarting network: udhcpc: started, v1.36.1\n Backtrace:\n [\u003c104320d4\u003e] unwind_once+0x1c/0x5c\n [\u003c10434a00\u003e] walk_stackframe.isra.0+0x74/0xb8\n [\u003c10434a6c\u003e] arch_stack_walk+0x28/0x38\n [\u003c104e5efc\u003e] stack_trace_save+0x48/0x5c\n [\u003c105d1bdc\u003e] set_track_prepare+0x44/0x6c\n [\u003c105d9c80\u003e] ___slab_alloc+0xfc4/0x1024\n [\u003c105d9d38\u003e] __slab_alloc.isra.0+0x58/0x90\n [\u003c105dc80c\u003e] kmem_cache_alloc_noprof+0x2ac/0x4a0\n [\u003c105b8e54\u003e] __anon_vma_prepare+0x60/0x280\n [\u003c105a823c\u003e] __vmf_anon_prepare+0x68/0x94\n [\u003c105a8b34\u003e] do_wp_page+0x8cc/0xf10\n [\u003c105aad88\u003e] handle_mm_fault+0x6c0/0xf08\n [\u003c10425568\u003e] do_page_fault+0x110/0x440\n [\u003c10427938\u003e] handle_interruption+0x184/0x748\n [\u003c11178398\u003e] schedule+0x4c/0x190\n BUG: spinlock recursion on CPU#0, ifconfig/2420\n lock: terminate_lock.2+0x0/0x1c, .magic: dead4ead, .owner: ifconfig/2420, .owner_cpu: 0\n\nWhile creating the stack trace, the unwinder uses the stack pointer to guess\nthe previous frame to read the previous stack pointer from memory. The crash\nhappens, because the unwinder tries to read from unaligned memory and as such\ntriggers the unalignment trap handler which then leads to the spinlock\nrecursion and finally to a deadlock.\n\nFix it by checking the alignment before accessing the memory."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:44:19.850Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9ac1f44723f26881b9fe7e69c7bc25397b879155"
},
{
"url": "https://git.kernel.org/stable/c/009270208f76456c2cefcd565da263b90bb2eadb"
},
{
"url": "https://git.kernel.org/stable/c/fd9f30d1038ee1624baa17a6ff11effe5f7617cb"
}
],
"title": "parisc: Avoid crash due to unaligned access in unwinder",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68322",
"datePublished": "2025-12-16T15:44:19.850Z",
"dateReserved": "2025-12-16T14:48:05.296Z",
"dateUpdated": "2025-12-16T15:44:19.850Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68321 (GCVE-0-2025-68321)
Vulnerability from cvelistv5
Published
2025-12-16 15:44
Modified
2025-12-16 15:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
page_pool: always add GFP_NOWARN for ATOMIC allocations
Driver authors often forget to add GFP_NOWARN for page allocation
from the datapath. This is annoying to users as OOMs are a fact
of life, and we pretty much expect network Rx to hit page allocation
failures during OOM. Make page pool add GFP_NOWARN for ATOMIC allocations
by default.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/page_pool.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0ec2cd5c58793d0c622797cd5fbe26634b357210",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9835a0fd59a1df5ec0740fdab6d50db68e0f10de",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7613c06ffa89c1e2266fb532e23ef7dfdf269d73",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3671a0775952026228ae44e096eb144bca75f8dc",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ab48dc0e23eb714b3f233f8e8f6deed7df2051f5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f3b52167a0cb23b27414452fbc1278da2ee884fc",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/page_pool.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npage_pool: always add GFP_NOWARN for ATOMIC allocations\n\nDriver authors often forget to add GFP_NOWARN for page allocation\nfrom the datapath. This is annoying to users as OOMs are a fact\nof life, and we pretty much expect network Rx to hit page allocation\nfailures during OOM. Make page pool add GFP_NOWARN for ATOMIC allocations\nby default."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:44:19.066Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0ec2cd5c58793d0c622797cd5fbe26634b357210"
},
{
"url": "https://git.kernel.org/stable/c/9835a0fd59a1df5ec0740fdab6d50db68e0f10de"
},
{
"url": "https://git.kernel.org/stable/c/7613c06ffa89c1e2266fb532e23ef7dfdf269d73"
},
{
"url": "https://git.kernel.org/stable/c/3671a0775952026228ae44e096eb144bca75f8dc"
},
{
"url": "https://git.kernel.org/stable/c/ab48dc0e23eb714b3f233f8e8f6deed7df2051f5"
},
{
"url": "https://git.kernel.org/stable/c/f3b52167a0cb23b27414452fbc1278da2ee884fc"
}
],
"title": "page_pool: always add GFP_NOWARN for ATOMIC allocations",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68321",
"datePublished": "2025-12-16T15:44:19.066Z",
"dateReserved": "2025-12-16T14:48:05.295Z",
"dateUpdated": "2025-12-16T15:44:19.066Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68320 (GCVE-0-2025-68320)
Vulnerability from cvelistv5
Published
2025-12-16 15:44
Modified
2025-12-16 15:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
lan966x: Fix sleeping in atomic context
The following warning was seen when we try to connect using ssh to the device.
BUG: sleeping function called from invalid context at kernel/locking/mutex.c:575
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 104, name: dropbear
preempt_count: 1, expected: 0
INFO: lockdep is turned off.
CPU: 0 UID: 0 PID: 104 Comm: dropbear Tainted: G W 6.18.0-rc2-00399-g6f1ab1b109b9-dirty #530 NONE
Tainted: [W]=WARN
Hardware name: Generic DT based system
Call trace:
unwind_backtrace from show_stack+0x10/0x14
show_stack from dump_stack_lvl+0x7c/0xac
dump_stack_lvl from __might_resched+0x16c/0x2b0
__might_resched from __mutex_lock+0x64/0xd34
__mutex_lock from mutex_lock_nested+0x1c/0x24
mutex_lock_nested from lan966x_stats_get+0x5c/0x558
lan966x_stats_get from dev_get_stats+0x40/0x43c
dev_get_stats from dev_seq_printf_stats+0x3c/0x184
dev_seq_printf_stats from dev_seq_show+0x10/0x30
dev_seq_show from seq_read_iter+0x350/0x4ec
seq_read_iter from seq_read+0xfc/0x194
seq_read from proc_reg_read+0xac/0x100
proc_reg_read from vfs_read+0xb0/0x2b0
vfs_read from ksys_read+0x6c/0xec
ksys_read from ret_fast_syscall+0x0/0x1c
Exception stack(0xf0b11fa8 to 0xf0b11ff0)
1fa0: 00000001 00001000 00000008 be9048d8 00001000 00000001
1fc0: 00000001 00001000 00000008 00000003 be905920 0000001e 00000000 00000001
1fe0: 0005404c be9048c0 00018684 b6ec2cd8
It seems that we are using a mutex in a atomic context which is wrong.
Change the mutex with a spinlock.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/microchip/lan966x/lan966x_ethtool.c",
"drivers/net/ethernet/microchip/lan966x/lan966x_main.c",
"drivers/net/ethernet/microchip/lan966x/lan966x_main.h",
"drivers/net/ethernet/microchip/lan966x/lan966x_vcap_impl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5a5d2f7727752b64d13263eacd9f8d08a322e662",
"status": "affected",
"version": "12c2d0a5b8e2a1afc8c7738e19a0d1dd7f3d4007",
"versionType": "git"
},
{
"lessThan": "c8ab03aa5bd9fd8bfe5d9552d8605826759fdd4d",
"status": "affected",
"version": "12c2d0a5b8e2a1afc8c7738e19a0d1dd7f3d4007",
"versionType": "git"
},
{
"lessThan": "3ac743c60ec502163c435712d527eeced8d83348",
"status": "affected",
"version": "12c2d0a5b8e2a1afc8c7738e19a0d1dd7f3d4007",
"versionType": "git"
},
{
"lessThan": "0216721ce71252f60d89af49c8dff613358058d3",
"status": "affected",
"version": "12c2d0a5b8e2a1afc8c7738e19a0d1dd7f3d4007",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/microchip/lan966x/lan966x_ethtool.c",
"drivers/net/ethernet/microchip/lan966x/lan966x_main.c",
"drivers/net/ethernet/microchip/lan966x/lan966x_main.h",
"drivers/net/ethernet/microchip/lan966x/lan966x_vcap_impl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlan966x: Fix sleeping in atomic context\n\nThe following warning was seen when we try to connect using ssh to the device.\n\nBUG: sleeping function called from invalid context at kernel/locking/mutex.c:575\nin_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 104, name: dropbear\npreempt_count: 1, expected: 0\nINFO: lockdep is turned off.\nCPU: 0 UID: 0 PID: 104 Comm: dropbear Tainted: G W 6.18.0-rc2-00399-g6f1ab1b109b9-dirty #530 NONE\nTainted: [W]=WARN\nHardware name: Generic DT based system\nCall trace:\n unwind_backtrace from show_stack+0x10/0x14\n show_stack from dump_stack_lvl+0x7c/0xac\n dump_stack_lvl from __might_resched+0x16c/0x2b0\n __might_resched from __mutex_lock+0x64/0xd34\n __mutex_lock from mutex_lock_nested+0x1c/0x24\n mutex_lock_nested from lan966x_stats_get+0x5c/0x558\n lan966x_stats_get from dev_get_stats+0x40/0x43c\n dev_get_stats from dev_seq_printf_stats+0x3c/0x184\n dev_seq_printf_stats from dev_seq_show+0x10/0x30\n dev_seq_show from seq_read_iter+0x350/0x4ec\n seq_read_iter from seq_read+0xfc/0x194\n seq_read from proc_reg_read+0xac/0x100\n proc_reg_read from vfs_read+0xb0/0x2b0\n vfs_read from ksys_read+0x6c/0xec\n ksys_read from ret_fast_syscall+0x0/0x1c\nException stack(0xf0b11fa8 to 0xf0b11ff0)\n1fa0: 00000001 00001000 00000008 be9048d8 00001000 00000001\n1fc0: 00000001 00001000 00000008 00000003 be905920 0000001e 00000000 00000001\n1fe0: 0005404c be9048c0 00018684 b6ec2cd8\n\nIt seems that we are using a mutex in a atomic context which is wrong.\nChange the mutex with a spinlock."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:44:18.217Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5a5d2f7727752b64d13263eacd9f8d08a322e662"
},
{
"url": "https://git.kernel.org/stable/c/c8ab03aa5bd9fd8bfe5d9552d8605826759fdd4d"
},
{
"url": "https://git.kernel.org/stable/c/3ac743c60ec502163c435712d527eeced8d83348"
},
{
"url": "https://git.kernel.org/stable/c/0216721ce71252f60d89af49c8dff613358058d3"
}
],
"title": "lan966x: Fix sleeping in atomic context",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68320",
"datePublished": "2025-12-16T15:44:18.217Z",
"dateReserved": "2025-12-16T14:48:05.295Z",
"dateUpdated": "2025-12-16T15:44:18.217Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68319 (GCVE-0-2025-68319)
Vulnerability from cvelistv5
Published
2025-12-16 15:39
Modified
2025-12-16 15:39
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netconsole: Acquire su_mutex before navigating configs hierarchy
There is a race between operations that iterate over the userdata
cg_children list and concurrent add/remove of userdata items through
configfs. The update_userdata() function iterates over the
nt->userdata_group.cg_children list, and count_extradata_entries() also
iterates over this same list to count nodes.
Quoting from Documentation/filesystems/configfs.rst:
> A subsystem can navigate the cg_children list and the ci_parent pointer
> to see the tree created by the subsystem. This can race with configfs'
> management of the hierarchy, so configfs uses the subsystem mutex to
> protect modifications. Whenever a subsystem wants to navigate the
> hierarchy, it must do so under the protection of the subsystem
> mutex.
Without proper locking, if a userdata item is added or removed
concurrently while these functions are iterating, the list can be
accessed in an inconsistent state. For example, the list_for_each() loop
can reach a node that is being removed from the list by list_del_init()
which sets the nodes' .next pointer to point to itself, so the loop will
never end (or reach the WARN_ON_ONCE in update_userdata() ).
Fix this by holding the configfs subsystem mutex (su_mutex) during all
operations that iterate over cg_children.
This includes:
- userdatum_value_store() which calls update_userdata() to iterate over
cg_children
- All sysdata_*_enabled_store() functions which call
count_extradata_entries() to iterate over cg_children
The su_mutex must be acquired before dynamic_netconsole_mutex to avoid
potential lock ordering issues, as configfs operations may already hold
su_mutex when calling into our code.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/netconsole.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ff70aa7e8cf05745fdba7258952a8bedf33ea336",
"status": "affected",
"version": "df03f830d099f0811281a222aefdd9d400fa0b72",
"versionType": "git"
},
{
"lessThan": "d7d2fcf7ae31471b4e08b7e448b8fd0ec2e06a1b",
"status": "affected",
"version": "df03f830d099f0811281a222aefdd9d400fa0b72",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/netconsole.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.9"
},
{
"lessThan": "6.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetconsole: Acquire su_mutex before navigating configs hierarchy\n\nThere is a race between operations that iterate over the userdata\ncg_children list and concurrent add/remove of userdata items through\nconfigfs. The update_userdata() function iterates over the\nnt-\u003euserdata_group.cg_children list, and count_extradata_entries() also\niterates over this same list to count nodes.\n\nQuoting from Documentation/filesystems/configfs.rst:\n\u003e A subsystem can navigate the cg_children list and the ci_parent pointer\n\u003e to see the tree created by the subsystem. This can race with configfs\u0027\n\u003e management of the hierarchy, so configfs uses the subsystem mutex to\n\u003e protect modifications. Whenever a subsystem wants to navigate the\n\u003e hierarchy, it must do so under the protection of the subsystem\n\u003e mutex.\n\nWithout proper locking, if a userdata item is added or removed\nconcurrently while these functions are iterating, the list can be\naccessed in an inconsistent state. For example, the list_for_each() loop\ncan reach a node that is being removed from the list by list_del_init()\nwhich sets the nodes\u0027 .next pointer to point to itself, so the loop will\nnever end (or reach the WARN_ON_ONCE in update_userdata() ).\n\nFix this by holding the configfs subsystem mutex (su_mutex) during all\noperations that iterate over cg_children.\nThis includes:\n- userdatum_value_store() which calls update_userdata() to iterate over\n cg_children\n- All sysdata_*_enabled_store() functions which call\n count_extradata_entries() to iterate over cg_children\n\nThe su_mutex must be acquired before dynamic_netconsole_mutex to avoid\npotential lock ordering issues, as configfs operations may already hold\nsu_mutex when calling into our code."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:39:48.903Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ff70aa7e8cf05745fdba7258952a8bedf33ea336"
},
{
"url": "https://git.kernel.org/stable/c/d7d2fcf7ae31471b4e08b7e448b8fd0ec2e06a1b"
}
],
"title": "netconsole: Acquire su_mutex before navigating configs hierarchy",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68319",
"datePublished": "2025-12-16T15:39:48.903Z",
"dateReserved": "2025-12-16T14:48:05.295Z",
"dateUpdated": "2025-12-16T15:39:48.903Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68318 (GCVE-0-2025-68318)
Vulnerability from cvelistv5
Published
2025-12-16 15:39
Modified
2025-12-16 15:39
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
clk: thead: th1520-ap: set all AXI clocks to CLK_IS_CRITICAL
The AXI crossbar of TH1520 has no proper timeout handling, which means
gating AXI clocks can easily lead to bus timeout and thus system hang.
Set all AXI clock gates to CLK_IS_CRITICAL. All these clock gates are
ungated by default on system reset.
In addition, convert all current CLK_IGNORE_UNUSED usage to
CLK_IS_CRITICAL to prevent unwanted clock gating.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/clk/thead/clk-th1520-ap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bdec5e01fc2f3114d1fb1daeb1000911d783c4ae",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c567bc5fc68c4388c00e11fc65fd14fe86b52070",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/clk/thead/clk-th1520-ap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: thead: th1520-ap: set all AXI clocks to CLK_IS_CRITICAL\n\nThe AXI crossbar of TH1520 has no proper timeout handling, which means\ngating AXI clocks can easily lead to bus timeout and thus system hang.\n\nSet all AXI clock gates to CLK_IS_CRITICAL. All these clock gates are\nungated by default on system reset.\n\nIn addition, convert all current CLK_IGNORE_UNUSED usage to\nCLK_IS_CRITICAL to prevent unwanted clock gating."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:39:47.965Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bdec5e01fc2f3114d1fb1daeb1000911d783c4ae"
},
{
"url": "https://git.kernel.org/stable/c/c567bc5fc68c4388c00e11fc65fd14fe86b52070"
}
],
"title": "clk: thead: th1520-ap: set all AXI clocks to CLK_IS_CRITICAL",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68318",
"datePublished": "2025-12-16T15:39:47.965Z",
"dateReserved": "2025-12-16T14:48:05.295Z",
"dateUpdated": "2025-12-16T15:39:47.965Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68317 (GCVE-0-2025-68317)
Vulnerability from cvelistv5
Published
2025-12-16 15:39
Modified
2025-12-16 15:39
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
io_uring/zctx: check chained notif contexts
Send zc only links ubuf_info for requests coming from the same context.
There are some ambiguous syz reports, so let's check the assumption on
notification completion.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"io_uring/notif.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "aaafd17d3f4be2c15539359a5b4bfa00237f687f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d664a3ce3a604231a0b144c152a3755d03b18b60",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ab3ea6eac5f45669b091309f592c4ea324003053",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"io_uring/notif.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/zctx: check chained notif contexts\n\nSend zc only links ubuf_info for requests coming from the same context.\nThere are some ambiguous syz reports, so let\u0027s check the assumption on\nnotification completion."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:39:47.159Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/aaafd17d3f4be2c15539359a5b4bfa00237f687f"
},
{
"url": "https://git.kernel.org/stable/c/d664a3ce3a604231a0b144c152a3755d03b18b60"
},
{
"url": "https://git.kernel.org/stable/c/ab3ea6eac5f45669b091309f592c4ea324003053"
}
],
"title": "io_uring/zctx: check chained notif contexts",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68317",
"datePublished": "2025-12-16T15:39:47.159Z",
"dateReserved": "2025-12-16T14:48:05.295Z",
"dateUpdated": "2025-12-16T15:39:47.159Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68316 (GCVE-0-2025-68316)
Vulnerability from cvelistv5
Published
2025-12-16 15:39
Modified
2025-12-16 15:39
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: ufs: core: Fix invalid probe error return value
After DME Link Startup, the error return value is set to the MIPI UniPro
GenericErrorCode which can be 0 (SUCCESS) or 1 (FAILURE). Upon failure
during driver probe, the error code 1 is propagated back to the driver
probe function which must return a negative value to indicate an error,
but 1 is not negative, so the probe is considered to be successful even
though it failed. Subsequently, removing the driver results in an oops
because it is not in a valid state.
This happens because none of the callers of ufshcd_init() expect a
non-negative error code.
Fix the return value and documentation to match actual usage.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/ufs/core/ufshcd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "df96dbe1af7f6591c09f862f1226d3619b07e1b6",
"status": "affected",
"version": "69f5eb78d4b0cc978fe83dd2bfea1b67547290bf",
"versionType": "git"
},
{
"lessThan": "a2b32bc1d9e359a9f90d0de6af16699facb10935",
"status": "affected",
"version": "69f5eb78d4b0cc978fe83dd2bfea1b67547290bf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/ufs/core/ufshcd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.13"
},
{
"lessThan": "6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: core: Fix invalid probe error return value\n\nAfter DME Link Startup, the error return value is set to the MIPI UniPro\nGenericErrorCode which can be 0 (SUCCESS) or 1 (FAILURE). Upon failure\nduring driver probe, the error code 1 is propagated back to the driver\nprobe function which must return a negative value to indicate an error,\nbut 1 is not negative, so the probe is considered to be successful even\nthough it failed. Subsequently, removing the driver results in an oops\nbecause it is not in a valid state.\n\nThis happens because none of the callers of ufshcd_init() expect a\nnon-negative error code.\n\nFix the return value and documentation to match actual usage."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:39:46.434Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/df96dbe1af7f6591c09f862f1226d3619b07e1b6"
},
{
"url": "https://git.kernel.org/stable/c/a2b32bc1d9e359a9f90d0de6af16699facb10935"
}
],
"title": "scsi: ufs: core: Fix invalid probe error return value",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68316",
"datePublished": "2025-12-16T15:39:46.434Z",
"dateReserved": "2025-12-16T14:48:05.295Z",
"dateUpdated": "2025-12-16T15:39:46.434Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68315 (GCVE-0-2025-68315)
Vulnerability from cvelistv5
Published
2025-12-16 15:39
Modified
2025-12-20 08:52
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix to detect potential corrupted nid in free_nid_list
As reported, on-disk footer.ino and footer.nid is the same and
out-of-range, let's add sanity check on f2fs_alloc_nid() to detect
any potential corruption in free_nid_list.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/f2fs/node.c",
"include/linux/f2fs_fs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6b9525596a83cd5b7bbc2c7bd5f9ad9cf5ad60fa",
"status": "affected",
"version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
"versionType": "git"
},
{
"lessThan": "adbcb34f03abb89e681a5907c4c3ce4bf224991d",
"status": "affected",
"version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
"versionType": "git"
},
{
"lessThan": "8fc6056dcf79937c46c97fa4996cda65956437a9",
"status": "affected",
"version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/f2fs/node.c",
"include/linux/f2fs_fs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to detect potential corrupted nid in free_nid_list\n\nAs reported, on-disk footer.ino and footer.nid is the same and\nout-of-range, let\u0027s add sanity check on f2fs_alloc_nid() to detect\nany potential corruption in free_nid_list."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-20T08:52:21.439Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6b9525596a83cd5b7bbc2c7bd5f9ad9cf5ad60fa"
},
{
"url": "https://git.kernel.org/stable/c/adbcb34f03abb89e681a5907c4c3ce4bf224991d"
},
{
"url": "https://git.kernel.org/stable/c/8fc6056dcf79937c46c97fa4996cda65956437a9"
}
],
"title": "f2fs: fix to detect potential corrupted nid in free_nid_list",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68315",
"datePublished": "2025-12-16T15:39:45.716Z",
"dateReserved": "2025-12-16T14:48:05.295Z",
"dateUpdated": "2025-12-20T08:52:21.439Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68314 (GCVE-0-2025-68314)
Vulnerability from cvelistv5
Published
2025-12-16 15:39
Modified
2025-12-16 15:39
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/msm: make sure last_fence is always updated
Update last_fence in the vm-bind path instead of kernel managed path.
last_fence is used to wait for work to finish in vm_bind contexts but not
used for kernel managed contexts.
This fixes a bug where last_fence is not waited on context close leading
to faults as resources are freed while in use.
Patchwork: https://patchwork.freedesktop.org/patch/680080/
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/msm_gem_submit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8ee817ceafba266d9c6f3a09babd2ac7441d9a2b",
"status": "affected",
"version": "92395af63a9958615edfa9d4ef1ea72c92a00410",
"versionType": "git"
},
{
"lessThan": "86404a9e3013d814a772ac407573be5d3cd4ee0d",
"status": "affected",
"version": "92395af63a9958615edfa9d4ef1ea72c92a00410",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/msm_gem_submit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.17"
},
{
"lessThan": "6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm: make sure last_fence is always updated\n\nUpdate last_fence in the vm-bind path instead of kernel managed path.\n\nlast_fence is used to wait for work to finish in vm_bind contexts but not\nused for kernel managed contexts.\n\nThis fixes a bug where last_fence is not waited on context close leading\nto faults as resources are freed while in use.\n\nPatchwork: https://patchwork.freedesktop.org/patch/680080/"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:39:44.791Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8ee817ceafba266d9c6f3a09babd2ac7441d9a2b"
},
{
"url": "https://git.kernel.org/stable/c/86404a9e3013d814a772ac407573be5d3cd4ee0d"
}
],
"title": "drm/msm: make sure last_fence is always updated",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68314",
"datePublished": "2025-12-16T15:39:44.791Z",
"dateReserved": "2025-12-16T14:48:05.295Z",
"dateUpdated": "2025-12-16T15:39:44.791Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68313 (GCVE-0-2025-68313)
Vulnerability from cvelistv5
Published
2025-12-16 15:39
Modified
2025-12-16 15:39
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
x86/CPU/AMD: Add RDSEED fix for Zen5
There's an issue with RDSEED's 16-bit and 32-bit register output
variants on Zen5 which return a random value of 0 "at a rate inconsistent
with randomness while incorrectly signaling success (CF=1)". Search the
web for AMD-SB-7055 for more detail.
Add a fix glue which checks microcode revisions.
[ bp: Add microcode revisions checking, rewrite. ]
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kernel/cpu/amd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e980de2ff109dacb6d9d3a77f01b27c467115ecb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "36ff93e66d0efc46e39fab536a9feec968daa766",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "607b9fb2ce248cc5b633c5949e0153838992c152",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kernel/cpu/amd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/CPU/AMD: Add RDSEED fix for Zen5\n\nThere\u0027s an issue with RDSEED\u0027s 16-bit and 32-bit register output\nvariants on Zen5 which return a random value of 0 \"at a rate inconsistent\nwith randomness while incorrectly signaling success (CF=1)\". Search the\nweb for AMD-SB-7055 for more detail.\n\nAdd a fix glue which checks microcode revisions.\n\n [ bp: Add microcode revisions checking, rewrite. ]"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:39:43.972Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e980de2ff109dacb6d9d3a77f01b27c467115ecb"
},
{
"url": "https://git.kernel.org/stable/c/36ff93e66d0efc46e39fab536a9feec968daa766"
},
{
"url": "https://git.kernel.org/stable/c/607b9fb2ce248cc5b633c5949e0153838992c152"
}
],
"title": "x86/CPU/AMD: Add RDSEED fix for Zen5",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68313",
"datePublished": "2025-12-16T15:39:43.972Z",
"dateReserved": "2025-12-16T14:48:05.295Z",
"dateUpdated": "2025-12-16T15:39:43.972Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68312 (GCVE-0-2025-68312)
Vulnerability from cvelistv5
Published
2025-12-16 15:39
Modified
2025-12-16 15:39
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usbnet: Prevents free active kevent
The root cause of this issue are:
1. When probing the usbnet device, executing usbnet_link_change(dev, 0, 0);
put the kevent work in global workqueue. However, the kevent has not yet
been scheduled when the usbnet device is unregistered. Therefore, executing
free_netdev() results in the "free active object (kevent)" error reported
here.
2. Another factor is that when calling usbnet_disconnect()->unregister_netdev(),
if the usbnet device is up, ndo_stop() is executed to cancel the kevent.
However, because the device is not up, ndo_stop() is not executed.
The solution to this problem is to cancel the kevent before executing
free_netdev().
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 8b4588b8b00b299be16a35be67b331d8fdba03f3 Version: 135199a2edd459d2b123144efcd7f9bcd95128e4 Version: 635fd8953e4309b54ca6a81bed1d4a87668694f4 Version: a69e617e533edddf3fa3123149900f36e0a6dc74 Version: a69e617e533edddf3fa3123149900f36e0a6dc74 Version: a69e617e533edddf3fa3123149900f36e0a6dc74 Version: a69e617e533edddf3fa3123149900f36e0a6dc74 Version: a69e617e533edddf3fa3123149900f36e0a6dc74 Version: d2d6b530d89b0a912148018027386aa049f0a309 Version: e2a521a7dcc463c5017b4426ca0804e151faeff7 Version: 7f77dcbc030c2faa6d8e8a594985eeb34018409e Version: d49bb8cf9bfaa06aa527eb30f1a52a071da2e32f Version: db3b738ae5f726204876f4303c49cfdf4311403f |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/usbnet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "285d4b953f2ca03c358f986718dd89ee9bde632e",
"status": "affected",
"version": "8b4588b8b00b299be16a35be67b331d8fdba03f3",
"versionType": "git"
},
{
"lessThan": "88a38b135d69f5db9024ff6527232f1b51be8915",
"status": "affected",
"version": "135199a2edd459d2b123144efcd7f9bcd95128e4",
"versionType": "git"
},
{
"lessThan": "43005002b60ef3424719ecda16d124714b45da3b",
"status": "affected",
"version": "635fd8953e4309b54ca6a81bed1d4a87668694f4",
"versionType": "git"
},
{
"lessThan": "3a10619fdefd3051aeb14860e4d4335529b4e94d",
"status": "affected",
"version": "a69e617e533edddf3fa3123149900f36e0a6dc74",
"versionType": "git"
},
{
"lessThan": "9a579d6a39513069d298eee70770bbac8a148565",
"status": "affected",
"version": "a69e617e533edddf3fa3123149900f36e0a6dc74",
"versionType": "git"
},
{
"lessThan": "2ce1de32e05445d77fc056f6ff8339cfb78a5f84",
"status": "affected",
"version": "a69e617e533edddf3fa3123149900f36e0a6dc74",
"versionType": "git"
},
{
"lessThan": "5158fb8da162e3982940f30cd01ed77bdf42c6fc",
"status": "affected",
"version": "a69e617e533edddf3fa3123149900f36e0a6dc74",
"versionType": "git"
},
{
"lessThan": "420c84c330d1688b8c764479e5738bbdbf0a33de",
"status": "affected",
"version": "a69e617e533edddf3fa3123149900f36e0a6dc74",
"versionType": "git"
},
{
"status": "affected",
"version": "d2d6b530d89b0a912148018027386aa049f0a309",
"versionType": "git"
},
{
"status": "affected",
"version": "e2a521a7dcc463c5017b4426ca0804e151faeff7",
"versionType": "git"
},
{
"status": "affected",
"version": "7f77dcbc030c2faa6d8e8a594985eeb34018409e",
"versionType": "git"
},
{
"status": "affected",
"version": "d49bb8cf9bfaa06aa527eb30f1a52a071da2e32f",
"versionType": "git"
},
{
"status": "affected",
"version": "db3b738ae5f726204876f4303c49cfdf4311403f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/usbnet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "5.4.211",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.10.137",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.15.61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.326",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.291",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.256",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.18.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.19.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusbnet: Prevents free active kevent\n\nThe root cause of this issue are:\n1. When probing the usbnet device, executing usbnet_link_change(dev, 0, 0);\nput the kevent work in global workqueue. However, the kevent has not yet\nbeen scheduled when the usbnet device is unregistered. Therefore, executing\nfree_netdev() results in the \"free active object (kevent)\" error reported\nhere.\n\n2. Another factor is that when calling usbnet_disconnect()-\u003eunregister_netdev(),\nif the usbnet device is up, ndo_stop() is executed to cancel the kevent.\nHowever, because the device is not up, ndo_stop() is not executed.\n\nThe solution to this problem is to cancel the kevent before executing\nfree_netdev()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:39:43.174Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/285d4b953f2ca03c358f986718dd89ee9bde632e"
},
{
"url": "https://git.kernel.org/stable/c/88a38b135d69f5db9024ff6527232f1b51be8915"
},
{
"url": "https://git.kernel.org/stable/c/43005002b60ef3424719ecda16d124714b45da3b"
},
{
"url": "https://git.kernel.org/stable/c/3a10619fdefd3051aeb14860e4d4335529b4e94d"
},
{
"url": "https://git.kernel.org/stable/c/9a579d6a39513069d298eee70770bbac8a148565"
},
{
"url": "https://git.kernel.org/stable/c/2ce1de32e05445d77fc056f6ff8339cfb78a5f84"
},
{
"url": "https://git.kernel.org/stable/c/5158fb8da162e3982940f30cd01ed77bdf42c6fc"
},
{
"url": "https://git.kernel.org/stable/c/420c84c330d1688b8c764479e5738bbdbf0a33de"
}
],
"title": "usbnet: Prevents free active kevent",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68312",
"datePublished": "2025-12-16T15:39:43.174Z",
"dateReserved": "2025-12-16T14:48:05.294Z",
"dateUpdated": "2025-12-16T15:39:43.174Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68311 (GCVE-0-2025-68311)
Vulnerability from cvelistv5
Published
2025-12-16 15:39
Modified
2025-12-16 15:39
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tty: serial: ip22zilog: Use platform device for probing
After commit 84a9582fd203 ("serial: core: Start managing serial controllers
to enable runtime PM") serial drivers need to provide a device in
struct uart_port.dev otherwise an oops happens. To fix this issue
for ip22zilog driver switch driver to a platform driver and setup
the serial device in sgi-ip22 code.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/mips/sgi-ip22/ip22-platform.c",
"drivers/tty/serial/ip22zilog.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "460e0dc9af2d7790d5194c6743d79f9b77b58836",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "77a196ca904d66c8372aa8fbfc1c4ae3a66dee2e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3fc36ae6abd263a5cbf93b2f5539eccc1fc753f7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/mips/sgi-ip22/ip22-platform.c",
"drivers/tty/serial/ip22zilog.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: serial: ip22zilog: Use platform device for probing\n\nAfter commit 84a9582fd203 (\"serial: core: Start managing serial controllers\nto enable runtime PM\") serial drivers need to provide a device in\nstruct uart_port.dev otherwise an oops happens. To fix this issue\nfor ip22zilog driver switch driver to a platform driver and setup\nthe serial device in sgi-ip22 code."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:39:42.445Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/460e0dc9af2d7790d5194c6743d79f9b77b58836"
},
{
"url": "https://git.kernel.org/stable/c/77a196ca904d66c8372aa8fbfc1c4ae3a66dee2e"
},
{
"url": "https://git.kernel.org/stable/c/3fc36ae6abd263a5cbf93b2f5539eccc1fc753f7"
}
],
"title": "tty: serial: ip22zilog: Use platform device for probing",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68311",
"datePublished": "2025-12-16T15:39:42.445Z",
"dateReserved": "2025-12-16T14:48:05.294Z",
"dateUpdated": "2025-12-16T15:39:42.445Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68310 (GCVE-0-2025-68310)
Vulnerability from cvelistv5
Published
2025-12-16 15:39
Modified
2025-12-16 15:39
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
s390/pci: Avoid deadlock between PCI error recovery and mlx5 crdump
Do not block PCI config accesses through pci_cfg_access_lock() when
executing the s390 variant of PCI error recovery: Acquire just
device_lock() instead of pci_dev_lock() as powerpc's EEH and
generig PCI AER processing do.
During error recovery testing a pair of tasks was reported to be hung:
mlx5_core 0000:00:00.1: mlx5_health_try_recover:338:(pid 5553): health recovery flow aborted, PCI reads still not working
INFO: task kmcheck:72 blocked for more than 122 seconds.
Not tainted 5.14.0-570.12.1.bringup7.el9.s390x #1
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kmcheck state:D stack:0 pid:72 tgid:72 ppid:2 flags:0x00000000
Call Trace:
[<000000065256f030>] __schedule+0x2a0/0x590
[<000000065256f356>] schedule+0x36/0xe0
[<000000065256f572>] schedule_preempt_disabled+0x22/0x30
[<0000000652570a94>] __mutex_lock.constprop.0+0x484/0x8a8
[<000003ff800673a4>] mlx5_unload_one+0x34/0x58 [mlx5_core]
[<000003ff8006745c>] mlx5_pci_err_detected+0x94/0x140 [mlx5_core]
[<0000000652556c5a>] zpci_event_attempt_error_recovery+0xf2/0x398
[<0000000651b9184a>] __zpci_event_error+0x23a/0x2c0
INFO: task kworker/u1664:6:1514 blocked for more than 122 seconds.
Not tainted 5.14.0-570.12.1.bringup7.el9.s390x #1
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/u1664:6 state:D stack:0 pid:1514 tgid:1514 ppid:2 flags:0x00000000
Workqueue: mlx5_health0000:00:00.0 mlx5_fw_fatal_reporter_err_work [mlx5_core]
Call Trace:
[<000000065256f030>] __schedule+0x2a0/0x590
[<000000065256f356>] schedule+0x36/0xe0
[<0000000652172e28>] pci_wait_cfg+0x80/0xe8
[<0000000652172f94>] pci_cfg_access_lock+0x74/0x88
[<000003ff800916b6>] mlx5_vsc_gw_lock+0x36/0x178 [mlx5_core]
[<000003ff80098824>] mlx5_crdump_collect+0x34/0x1c8 [mlx5_core]
[<000003ff80074b62>] mlx5_fw_fatal_reporter_dump+0x6a/0xe8 [mlx5_core]
[<0000000652512242>] devlink_health_do_dump.part.0+0x82/0x168
[<0000000652513212>] devlink_health_report+0x19a/0x230
[<000003ff80075a12>] mlx5_fw_fatal_reporter_err_work+0xba/0x1b0 [mlx5_core]
No kernel log of the exact same error with an upstream kernel is
available - but the very same deadlock situation can be constructed there,
too:
- task: kmcheck
mlx5_unload_one() tries to acquire devlink lock while the PCI error
recovery code has set pdev->block_cfg_access by way of
pci_cfg_access_lock()
- task: kworker
mlx5_crdump_collect() tries to set block_cfg_access through
pci_cfg_access_lock() while devlink_health_report() had acquired
the devlink lock.
A similar deadlock situation can be reproduced by requesting a
crdump with
> devlink health dump show pci/<BDF> reporter fw_fatal
while PCI error recovery is executed on the same <BDF> physical function
by mlx5_core's pci_error_handlers. On s390 this can be injected with
> zpcictl --reset-fw <BDF>
Tests with this patch failed to reproduce that second deadlock situation,
the devlink command is rejected with "kernel answers: Permission denied" -
and we get a kernel log message of:
mlx5_core 1ed0:00:00.1: mlx5_crdump_collect:50:(pid 254382): crdump: failed to lock vsc gw err -5
because the config read of VSC_SEMAPHORE is rejected by the underlying
hardware.
Two prior attempts to address this issue have been discussed and
ultimately rejected [see link], with the primary argument that s390's
implementation of PCI error recovery is imposing restrictions that
neither powerpc's EEH nor PCI AER handling need. Tests show that PCI
error recovery on s390 is running to completion even without blocking
access to PCI config space.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/s390/pci/pci_event.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d0df2503bc3c2be385ca2fd96585daad1870c7c5",
"status": "affected",
"version": "4cdf2f4e24ff0d345fc36ef6d6aec059333a261e",
"versionType": "git"
},
{
"lessThan": "b63c061be622b17b495cbf78a6d5f2d4c3147f8e",
"status": "affected",
"version": "4cdf2f4e24ff0d345fc36ef6d6aec059333a261e",
"versionType": "git"
},
{
"lessThan": "3591d56ea9bfd3e7fbbe70f749bdeed689d415f9",
"status": "affected",
"version": "4cdf2f4e24ff0d345fc36ef6d6aec059333a261e",
"versionType": "git"
},
{
"lessThan": "54f938d9f5693af8ed586a08db4af5d9da1f0f2d",
"status": "affected",
"version": "4cdf2f4e24ff0d345fc36ef6d6aec059333a261e",
"versionType": "git"
},
{
"lessThan": "0fd20f65df6aa430454a0deed8f43efa91c54835",
"status": "affected",
"version": "4cdf2f4e24ff0d345fc36ef6d6aec059333a261e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/s390/pci/pci_event.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/pci: Avoid deadlock between PCI error recovery and mlx5 crdump\n\nDo not block PCI config accesses through pci_cfg_access_lock() when\nexecuting the s390 variant of PCI error recovery: Acquire just\ndevice_lock() instead of pci_dev_lock() as powerpc\u0027s EEH and\ngenerig PCI AER processing do.\n\nDuring error recovery testing a pair of tasks was reported to be hung:\n\nmlx5_core 0000:00:00.1: mlx5_health_try_recover:338:(pid 5553): health recovery flow aborted, PCI reads still not working\nINFO: task kmcheck:72 blocked for more than 122 seconds.\n Not tainted 5.14.0-570.12.1.bringup7.el9.s390x #1\n\"echo 0 \u003e /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\ntask:kmcheck state:D stack:0 pid:72 tgid:72 ppid:2 flags:0x00000000\nCall Trace:\n [\u003c000000065256f030\u003e] __schedule+0x2a0/0x590\n [\u003c000000065256f356\u003e] schedule+0x36/0xe0\n [\u003c000000065256f572\u003e] schedule_preempt_disabled+0x22/0x30\n [\u003c0000000652570a94\u003e] __mutex_lock.constprop.0+0x484/0x8a8\n [\u003c000003ff800673a4\u003e] mlx5_unload_one+0x34/0x58 [mlx5_core]\n [\u003c000003ff8006745c\u003e] mlx5_pci_err_detected+0x94/0x140 [mlx5_core]\n [\u003c0000000652556c5a\u003e] zpci_event_attempt_error_recovery+0xf2/0x398\n [\u003c0000000651b9184a\u003e] __zpci_event_error+0x23a/0x2c0\nINFO: task kworker/u1664:6:1514 blocked for more than 122 seconds.\n Not tainted 5.14.0-570.12.1.bringup7.el9.s390x #1\n\"echo 0 \u003e /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\ntask:kworker/u1664:6 state:D stack:0 pid:1514 tgid:1514 ppid:2 flags:0x00000000\nWorkqueue: mlx5_health0000:00:00.0 mlx5_fw_fatal_reporter_err_work [mlx5_core]\nCall Trace:\n [\u003c000000065256f030\u003e] __schedule+0x2a0/0x590\n [\u003c000000065256f356\u003e] schedule+0x36/0xe0\n [\u003c0000000652172e28\u003e] pci_wait_cfg+0x80/0xe8\n [\u003c0000000652172f94\u003e] pci_cfg_access_lock+0x74/0x88\n [\u003c000003ff800916b6\u003e] mlx5_vsc_gw_lock+0x36/0x178 [mlx5_core]\n [\u003c000003ff80098824\u003e] mlx5_crdump_collect+0x34/0x1c8 [mlx5_core]\n [\u003c000003ff80074b62\u003e] mlx5_fw_fatal_reporter_dump+0x6a/0xe8 [mlx5_core]\n [\u003c0000000652512242\u003e] devlink_health_do_dump.part.0+0x82/0x168\n [\u003c0000000652513212\u003e] devlink_health_report+0x19a/0x230\n [\u003c000003ff80075a12\u003e] mlx5_fw_fatal_reporter_err_work+0xba/0x1b0 [mlx5_core]\n\nNo kernel log of the exact same error with an upstream kernel is\navailable - but the very same deadlock situation can be constructed there,\ntoo:\n\n- task: kmcheck\n mlx5_unload_one() tries to acquire devlink lock while the PCI error\n recovery code has set pdev-\u003eblock_cfg_access by way of\n pci_cfg_access_lock()\n- task: kworker\n mlx5_crdump_collect() tries to set block_cfg_access through\n pci_cfg_access_lock() while devlink_health_report() had acquired\n the devlink lock.\n\nA similar deadlock situation can be reproduced by requesting a\ncrdump with\n \u003e devlink health dump show pci/\u003cBDF\u003e reporter fw_fatal\n\nwhile PCI error recovery is executed on the same \u003cBDF\u003e physical function\nby mlx5_core\u0027s pci_error_handlers. On s390 this can be injected with\n \u003e zpcictl --reset-fw \u003cBDF\u003e\n\nTests with this patch failed to reproduce that second deadlock situation,\nthe devlink command is rejected with \"kernel answers: Permission denied\" -\nand we get a kernel log message of:\n\nmlx5_core 1ed0:00:00.1: mlx5_crdump_collect:50:(pid 254382): crdump: failed to lock vsc gw err -5\n\nbecause the config read of VSC_SEMAPHORE is rejected by the underlying\nhardware.\n\nTwo prior attempts to address this issue have been discussed and\nultimately rejected [see link], with the primary argument that s390\u0027s\nimplementation of PCI error recovery is imposing restrictions that\nneither powerpc\u0027s EEH nor PCI AER handling need. Tests show that PCI\nerror recovery on s390 is running to completion even without blocking\naccess to PCI config space."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:39:41.652Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d0df2503bc3c2be385ca2fd96585daad1870c7c5"
},
{
"url": "https://git.kernel.org/stable/c/b63c061be622b17b495cbf78a6d5f2d4c3147f8e"
},
{
"url": "https://git.kernel.org/stable/c/3591d56ea9bfd3e7fbbe70f749bdeed689d415f9"
},
{
"url": "https://git.kernel.org/stable/c/54f938d9f5693af8ed586a08db4af5d9da1f0f2d"
},
{
"url": "https://git.kernel.org/stable/c/0fd20f65df6aa430454a0deed8f43efa91c54835"
}
],
"title": "s390/pci: Avoid deadlock between PCI error recovery and mlx5 crdump",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68310",
"datePublished": "2025-12-16T15:39:41.652Z",
"dateReserved": "2025-12-16T14:48:05.294Z",
"dateUpdated": "2025-12-16T15:39:41.652Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68309 (GCVE-0-2025-68309)
Vulnerability from cvelistv5
Published
2025-12-16 15:39
Modified
2025-12-16 15:39
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
PCI/AER: Fix NULL pointer access by aer_info
The kzalloc(GFP_KERNEL) may return NULL, so all accesses to aer_info->xxx
will result in kernel panic. Fix it.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pci/pcie/aer.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6618243bcc3f60825f761a41ed65fef9fe97eb25",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0a27bdb14b028fed30a10cec2f945c38cb5ca4fa",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pci/pcie/aer.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI/AER: Fix NULL pointer access by aer_info\n\nThe kzalloc(GFP_KERNEL) may return NULL, so all accesses to aer_info-\u003exxx\nwill result in kernel panic. Fix it."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:39:40.757Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6618243bcc3f60825f761a41ed65fef9fe97eb25"
},
{
"url": "https://git.kernel.org/stable/c/0a27bdb14b028fed30a10cec2f945c38cb5ca4fa"
}
],
"title": "PCI/AER: Fix NULL pointer access by aer_info",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68309",
"datePublished": "2025-12-16T15:39:40.757Z",
"dateReserved": "2025-12-16T14:48:05.294Z",
"dateUpdated": "2025-12-16T15:39:40.757Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68308 (GCVE-0-2025-68308)
Vulnerability from cvelistv5
Published
2025-12-16 15:06
Modified
2025-12-16 15:06
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: kvaser_usb: leaf: Fix potential infinite loop in command parsers
The `kvaser_usb_leaf_wait_cmd()` and `kvaser_usb_leaf_read_bulk_callback`
functions contain logic to zero-length commands. These commands are used
to align data to the USB endpoint's wMaxPacketSize boundary.
The driver attempts to skip these placeholders by aligning the buffer
position `pos` to the next packet boundary using `round_up()` function.
However, if zero-length command is found exactly on a packet boundary
(i.e., `pos` is a multiple of wMaxPacketSize, including 0), `round_up`
function will return the unchanged value of `pos`. This prevents `pos`
to be increased, causing an infinite loop in the parsing logic.
This patch fixes this in the function by using `pos + 1` instead.
This ensures that even if `pos` is on a boundary, the calculation is
based on `pos + 1`, forcing `round_up()` to always return the next
aligned boundary.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 7259124eac7d1b76b41c7a9cb2511a30556deebe Version: 7259124eac7d1b76b41c7a9cb2511a30556deebe Version: 7259124eac7d1b76b41c7a9cb2511a30556deebe Version: 7259124eac7d1b76b41c7a9cb2511a30556deebe Version: 7259124eac7d1b76b41c7a9cb2511a30556deebe Version: 7259124eac7d1b76b41c7a9cb2511a30556deebe Version: 7259124eac7d1b76b41c7a9cb2511a30556deebe |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "58343e0a4d43699f0e2f5b169384bbe4c0217add",
"status": "affected",
"version": "7259124eac7d1b76b41c7a9cb2511a30556deebe",
"versionType": "git"
},
{
"lessThan": "69c7825df64e24dc15d31631a1fc9145324b1345",
"status": "affected",
"version": "7259124eac7d1b76b41c7a9cb2511a30556deebe",
"versionType": "git"
},
{
"lessThan": "028e89c7e8b4346302e88df01cc50e0a1f05791a",
"status": "affected",
"version": "7259124eac7d1b76b41c7a9cb2511a30556deebe",
"versionType": "git"
},
{
"lessThan": "e9dd83a75a7274edef21682c823bf0b66d7b6b7f",
"status": "affected",
"version": "7259124eac7d1b76b41c7a9cb2511a30556deebe",
"versionType": "git"
},
{
"lessThan": "0897cea266e39166a36111059ba147192b36592f",
"status": "affected",
"version": "7259124eac7d1b76b41c7a9cb2511a30556deebe",
"versionType": "git"
},
{
"lessThan": "bd8135a560cf6e64f0b98ed4daadf126a38f7f48",
"status": "affected",
"version": "7259124eac7d1b76b41c7a9cb2511a30556deebe",
"versionType": "git"
},
{
"lessThan": "0c73772cd2b8cc108d5f5334de89ad648d89b9ec",
"status": "affected",
"version": "7259124eac7d1b76b41c7a9cb2511a30556deebe",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: kvaser_usb: leaf: Fix potential infinite loop in command parsers\n\nThe `kvaser_usb_leaf_wait_cmd()` and `kvaser_usb_leaf_read_bulk_callback`\nfunctions contain logic to zero-length commands. These commands are used\nto align data to the USB endpoint\u0027s wMaxPacketSize boundary.\n\nThe driver attempts to skip these placeholders by aligning the buffer\nposition `pos` to the next packet boundary using `round_up()` function.\n\nHowever, if zero-length command is found exactly on a packet boundary\n(i.e., `pos` is a multiple of wMaxPacketSize, including 0), `round_up`\nfunction will return the unchanged value of `pos`. This prevents `pos`\nto be increased, causing an infinite loop in the parsing logic.\n\nThis patch fixes this in the function by using `pos + 1` instead.\nThis ensures that even if `pos` is on a boundary, the calculation is\nbased on `pos + 1`, forcing `round_up()` to always return the next\naligned boundary."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:06:25.081Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/58343e0a4d43699f0e2f5b169384bbe4c0217add"
},
{
"url": "https://git.kernel.org/stable/c/69c7825df64e24dc15d31631a1fc9145324b1345"
},
{
"url": "https://git.kernel.org/stable/c/028e89c7e8b4346302e88df01cc50e0a1f05791a"
},
{
"url": "https://git.kernel.org/stable/c/e9dd83a75a7274edef21682c823bf0b66d7b6b7f"
},
{
"url": "https://git.kernel.org/stable/c/0897cea266e39166a36111059ba147192b36592f"
},
{
"url": "https://git.kernel.org/stable/c/bd8135a560cf6e64f0b98ed4daadf126a38f7f48"
},
{
"url": "https://git.kernel.org/stable/c/0c73772cd2b8cc108d5f5334de89ad648d89b9ec"
}
],
"title": "can: kvaser_usb: leaf: Fix potential infinite loop in command parsers",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68308",
"datePublished": "2025-12-16T15:06:25.081Z",
"dateReserved": "2025-12-16T14:48:05.294Z",
"dateUpdated": "2025-12-16T15:06:25.081Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68307 (GCVE-0-2025-68307)
Vulnerability from cvelistv5
Published
2025-12-16 15:06
Modified
2025-12-16 15:06
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: gs_usb: gs_usb_xmit_callback(): fix handling of failed transmitted URBs
The driver lacks the cleanup of failed transfers of URBs. This reduces the
number of available URBs per error by 1. This leads to reduced performance
and ultimately to a complete stop of the transmission.
If the sending of a bulk URB fails do proper cleanup:
- increase netdev stats
- mark the echo_sbk as free
- free the driver's context and do accounting
- wake the send queue
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/gs_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f7a5560675bd85efaf16ab01a43053670ff2b000",
"status": "affected",
"version": "d08e973a77d128b25e01a08c34d89593fdf222da",
"versionType": "git"
},
{
"lessThan": "1a588c40a422a3663a52f1c5535e8fb6b044167d",
"status": "affected",
"version": "d08e973a77d128b25e01a08c34d89593fdf222da",
"versionType": "git"
},
{
"lessThan": "4a82072e451eacf24fc66a445e906f5095d215db",
"status": "affected",
"version": "d08e973a77d128b25e01a08c34d89593fdf222da",
"versionType": "git"
},
{
"lessThan": "9c8eb33b7008178b6ce88aa7593d12063ce60ca3",
"status": "affected",
"version": "d08e973a77d128b25e01a08c34d89593fdf222da",
"versionType": "git"
},
{
"lessThan": "516a0cd1c03fa266bb67dd87940a209fd4e53ce7",
"status": "affected",
"version": "d08e973a77d128b25e01a08c34d89593fdf222da",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/gs_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.16"
},
{
"lessThan": "3.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: gs_usb: gs_usb_xmit_callback(): fix handling of failed transmitted URBs\n\nThe driver lacks the cleanup of failed transfers of URBs. This reduces the\nnumber of available URBs per error by 1. This leads to reduced performance\nand ultimately to a complete stop of the transmission.\n\nIf the sending of a bulk URB fails do proper cleanup:\n- increase netdev stats\n- mark the echo_sbk as free\n- free the driver\u0027s context and do accounting\n- wake the send queue"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:06:24.271Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f7a5560675bd85efaf16ab01a43053670ff2b000"
},
{
"url": "https://git.kernel.org/stable/c/1a588c40a422a3663a52f1c5535e8fb6b044167d"
},
{
"url": "https://git.kernel.org/stable/c/4a82072e451eacf24fc66a445e906f5095d215db"
},
{
"url": "https://git.kernel.org/stable/c/9c8eb33b7008178b6ce88aa7593d12063ce60ca3"
},
{
"url": "https://git.kernel.org/stable/c/516a0cd1c03fa266bb67dd87940a209fd4e53ce7"
}
],
"title": "can: gs_usb: gs_usb_xmit_callback(): fix handling of failed transmitted URBs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68307",
"datePublished": "2025-12-16T15:06:24.271Z",
"dateReserved": "2025-12-16T14:48:05.294Z",
"dateUpdated": "2025-12-16T15:06:24.271Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68306 (GCVE-0-2025-68306)
Vulnerability from cvelistv5
Published
2025-12-16 15:06
Modified
2025-12-16 15:06
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: btusb: mediatek: Fix kernel crash when releasing mtk iso interface
When performing reset tests and encountering abnormal card drop issues
that lead to a kernel crash, it is necessary to perform a null check
before releasing resources to avoid attempting to release a null pointer.
<4>[ 29.158070] Hardware name: Google Quigon sku196612/196613 board (DT)
<4>[ 29.158076] Workqueue: hci0 hci_cmd_sync_work [bluetooth]
<4>[ 29.158154] pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
<4>[ 29.158162] pc : klist_remove+0x90/0x158
<4>[ 29.158174] lr : klist_remove+0x88/0x158
<4>[ 29.158180] sp : ffffffc0846b3c00
<4>[ 29.158185] pmr_save: 000000e0
<4>[ 29.158188] x29: ffffffc0846b3c30 x28: ffffff80cd31f880 x27: ffffff80c1bdc058
<4>[ 29.158199] x26: dead000000000100 x25: ffffffdbdc624ea3 x24: ffffff80c1bdc4c0
<4>[ 29.158209] x23: ffffffdbdc62a3e6 x22: ffffff80c6c07000 x21: ffffffdbdc829290
<4>[ 29.158219] x20: 0000000000000000 x19: ffffff80cd3e0648 x18: 000000031ec97781
<4>[ 29.158229] x17: ffffff80c1bdc4a8 x16: ffffffdc10576548 x15: ffffff80c1180428
<4>[ 29.158238] x14: 0000000000000000 x13: 000000000000e380 x12: 0000000000000018
<4>[ 29.158248] x11: ffffff80c2a7fd10 x10: 0000000000000000 x9 : 0000000100000000
<4>[ 29.158257] x8 : 0000000000000000 x7 : 7f7f7f7f7f7f7f7f x6 : 2d7223ff6364626d
<4>[ 29.158266] x5 : 0000008000000000 x4 : 0000000000000020 x3 : 2e7325006465636e
<4>[ 29.158275] x2 : ffffffdc11afeff8 x1 : 0000000000000000 x0 : ffffffdc11be4d0c
<4>[ 29.158285] Call trace:
<4>[ 29.158290] klist_remove+0x90/0x158
<4>[ 29.158298] device_release_driver_internal+0x20c/0x268
<4>[ 29.158308] device_release_driver+0x1c/0x30
<4>[ 29.158316] usb_driver_release_interface+0x70/0x88
<4>[ 29.158325] btusb_mtk_release_iso_intf+0x68/0xd8 [btusb (HASH:e8b6 5)]
<4>[ 29.158347] btusb_mtk_reset+0x5c/0x480 [btusb (HASH:e8b6 5)]
<4>[ 29.158361] hci_cmd_sync_work+0x10c/0x188 [bluetooth (HASH:a4fa 6)]
<4>[ 29.158430] process_scheduled_works+0x258/0x4e8
<4>[ 29.158441] worker_thread+0x300/0x428
<4>[ 29.158448] kthread+0x108/0x1d0
<4>[ 29.158455] ret_from_fork+0x10/0x20
<0>[ 29.158467] Code: 91343000 940139d1 f9400268 927ff914 (f9401297)
<4>[ 29.158474] ---[ end trace 0000000000000000 ]---
<0>[ 29.167129] Kernel panic - not syncing: Oops: Fatal exception
<2>[ 29.167144] SMP: stopping secondary CPUs
<4>[ 29.167158] ------------[ cut here ]------------
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/btusb.c",
"include/net/bluetooth/hci_core.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "421e88a0d85782786b7a1764c75518b4845e07b3",
"status": "affected",
"version": "ceac1cb0259de682d78f5c784ef8e0b13022e9d9",
"versionType": "git"
},
{
"lessThan": "faae9f2ea8806f2499186448adbf94689b47b82b",
"status": "affected",
"version": "ceac1cb0259de682d78f5c784ef8e0b13022e9d9",
"versionType": "git"
},
{
"lessThan": "4015b979767125cf8a2233a145a3b3af78bfd8fb",
"status": "affected",
"version": "ceac1cb0259de682d78f5c784ef8e0b13022e9d9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/btusb.c",
"include/net/bluetooth/hci_core.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.11"
},
{
"lessThan": "6.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btusb: mediatek: Fix kernel crash when releasing mtk iso interface\n\nWhen performing reset tests and encountering abnormal card drop issues\nthat lead to a kernel crash, it is necessary to perform a null check\nbefore releasing resources to avoid attempting to release a null pointer.\n\n\u003c4\u003e[ 29.158070] Hardware name: Google Quigon sku196612/196613 board (DT)\n\u003c4\u003e[ 29.158076] Workqueue: hci0 hci_cmd_sync_work [bluetooth]\n\u003c4\u003e[ 29.158154] pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n\u003c4\u003e[ 29.158162] pc : klist_remove+0x90/0x158\n\u003c4\u003e[ 29.158174] lr : klist_remove+0x88/0x158\n\u003c4\u003e[ 29.158180] sp : ffffffc0846b3c00\n\u003c4\u003e[ 29.158185] pmr_save: 000000e0\n\u003c4\u003e[ 29.158188] x29: ffffffc0846b3c30 x28: ffffff80cd31f880 x27: ffffff80c1bdc058\n\u003c4\u003e[ 29.158199] x26: dead000000000100 x25: ffffffdbdc624ea3 x24: ffffff80c1bdc4c0\n\u003c4\u003e[ 29.158209] x23: ffffffdbdc62a3e6 x22: ffffff80c6c07000 x21: ffffffdbdc829290\n\u003c4\u003e[ 29.158219] x20: 0000000000000000 x19: ffffff80cd3e0648 x18: 000000031ec97781\n\u003c4\u003e[ 29.158229] x17: ffffff80c1bdc4a8 x16: ffffffdc10576548 x15: ffffff80c1180428\n\u003c4\u003e[ 29.158238] x14: 0000000000000000 x13: 000000000000e380 x12: 0000000000000018\n\u003c4\u003e[ 29.158248] x11: ffffff80c2a7fd10 x10: 0000000000000000 x9 : 0000000100000000\n\u003c4\u003e[ 29.158257] x8 : 0000000000000000 x7 : 7f7f7f7f7f7f7f7f x6 : 2d7223ff6364626d\n\u003c4\u003e[ 29.158266] x5 : 0000008000000000 x4 : 0000000000000020 x3 : 2e7325006465636e\n\u003c4\u003e[ 29.158275] x2 : ffffffdc11afeff8 x1 : 0000000000000000 x0 : ffffffdc11be4d0c\n\u003c4\u003e[ 29.158285] Call trace:\n\u003c4\u003e[ 29.158290] klist_remove+0x90/0x158\n\u003c4\u003e[ 29.158298] device_release_driver_internal+0x20c/0x268\n\u003c4\u003e[ 29.158308] device_release_driver+0x1c/0x30\n\u003c4\u003e[ 29.158316] usb_driver_release_interface+0x70/0x88\n\u003c4\u003e[ 29.158325] btusb_mtk_release_iso_intf+0x68/0xd8 [btusb (HASH:e8b6 5)]\n\u003c4\u003e[ 29.158347] btusb_mtk_reset+0x5c/0x480 [btusb (HASH:e8b6 5)]\n\u003c4\u003e[ 29.158361] hci_cmd_sync_work+0x10c/0x188 [bluetooth (HASH:a4fa 6)]\n\u003c4\u003e[ 29.158430] process_scheduled_works+0x258/0x4e8\n\u003c4\u003e[ 29.158441] worker_thread+0x300/0x428\n\u003c4\u003e[ 29.158448] kthread+0x108/0x1d0\n\u003c4\u003e[ 29.158455] ret_from_fork+0x10/0x20\n\u003c0\u003e[ 29.158467] Code: 91343000 940139d1 f9400268 927ff914 (f9401297)\n\u003c4\u003e[ 29.158474] ---[ end trace 0000000000000000 ]---\n\u003c0\u003e[ 29.167129] Kernel panic - not syncing: Oops: Fatal exception\n\u003c2\u003e[ 29.167144] SMP: stopping secondary CPUs\n\u003c4\u003e[ 29.167158] ------------[ cut here ]------------"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:06:23.486Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/421e88a0d85782786b7a1764c75518b4845e07b3"
},
{
"url": "https://git.kernel.org/stable/c/faae9f2ea8806f2499186448adbf94689b47b82b"
},
{
"url": "https://git.kernel.org/stable/c/4015b979767125cf8a2233a145a3b3af78bfd8fb"
}
],
"title": "Bluetooth: btusb: mediatek: Fix kernel crash when releasing mtk iso interface",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68306",
"datePublished": "2025-12-16T15:06:23.486Z",
"dateReserved": "2025-12-16T14:48:05.294Z",
"dateUpdated": "2025-12-16T15:06:23.486Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68305 (GCVE-0-2025-68305)
Vulnerability from cvelistv5
Published
2025-12-16 15:06
Modified
2025-12-16 15:06
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_sock: Prevent race in socket write iter and sock bind
There is a potential race condition between sock bind and socket write
iter. bind may free the same cmd via mgmt_pending before write iter sends
the cmd, just as syzbot reported in UAF[1].
Here we use hci_dev_lock to synchronize the two, thereby avoiding the
UAF mentioned in [1].
[1]
syzbot reported:
BUG: KASAN: slab-use-after-free in mgmt_pending_remove+0x3b/0x210 net/bluetooth/mgmt_util.c:316
Read of size 8 at addr ffff888077164818 by task syz.0.17/5989
Call Trace:
mgmt_pending_remove+0x3b/0x210 net/bluetooth/mgmt_util.c:316
set_link_security+0x5c2/0x710 net/bluetooth/mgmt.c:1918
hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719
hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg+0x21c/0x270 net/socket.c:742
sock_write_iter+0x279/0x360 net/socket.c:1195
Allocated by task 5989:
mgmt_pending_add+0x35/0x140 net/bluetooth/mgmt_util.c:296
set_link_security+0x557/0x710 net/bluetooth/mgmt.c:1910
hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719
hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg+0x21c/0x270 net/socket.c:742
sock_write_iter+0x279/0x360 net/socket.c:1195
Freed by task 5991:
mgmt_pending_free net/bluetooth/mgmt_util.c:311 [inline]
mgmt_pending_foreach+0x30d/0x380 net/bluetooth/mgmt_util.c:257
mgmt_index_removed+0x112/0x2f0 net/bluetooth/mgmt.c:9477
hci_sock_bind+0xbe9/0x1000 net/bluetooth/hci_sock.c:1314
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_sock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fe68510fc99bb4b88c9c611f83699749002d515a",
"status": "affected",
"version": "bdd56875c6926d8009914f427df71797693e90d4",
"versionType": "git"
},
{
"lessThan": "e90c05fc5bbea956450a05cc3b36b8fa29cf195e",
"status": "affected",
"version": "4e83f2dbb2bf677e614109df24426c4dded472d4",
"versionType": "git"
},
{
"lessThan": "69fcb0344bc0dd5b13d7e4e98f8b6bf25a6d4ff7",
"status": "affected",
"version": "6fe26f694c824b8a4dbf50c635bee1302e3f099c",
"versionType": "git"
},
{
"lessThan": "89bb613511cc21ed5ba6bddc1c9b9ae9c0dad392",
"status": "affected",
"version": "6fe26f694c824b8a4dbf50c635bee1302e3f099c",
"versionType": "git"
},
{
"status": "affected",
"version": "d7882db79135c829a922daf3571f33ea1e056ae3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_sock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.16"
},
{
"lessThan": "6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "6.6.94",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "6.12.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.15.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_sock: Prevent race in socket write iter and sock bind\n\nThere is a potential race condition between sock bind and socket write\niter. bind may free the same cmd via mgmt_pending before write iter sends\nthe cmd, just as syzbot reported in UAF[1].\n\nHere we use hci_dev_lock to synchronize the two, thereby avoiding the\nUAF mentioned in [1].\n\n[1]\nsyzbot reported:\nBUG: KASAN: slab-use-after-free in mgmt_pending_remove+0x3b/0x210 net/bluetooth/mgmt_util.c:316\nRead of size 8 at addr ffff888077164818 by task syz.0.17/5989\nCall Trace:\n mgmt_pending_remove+0x3b/0x210 net/bluetooth/mgmt_util.c:316\n set_link_security+0x5c2/0x710 net/bluetooth/mgmt.c:1918\n hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719\n hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839\n sock_sendmsg_nosec net/socket.c:727 [inline]\n __sock_sendmsg+0x21c/0x270 net/socket.c:742\n sock_write_iter+0x279/0x360 net/socket.c:1195\n\nAllocated by task 5989:\n mgmt_pending_add+0x35/0x140 net/bluetooth/mgmt_util.c:296\n set_link_security+0x557/0x710 net/bluetooth/mgmt.c:1910\n hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719\n hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839\n sock_sendmsg_nosec net/socket.c:727 [inline]\n __sock_sendmsg+0x21c/0x270 net/socket.c:742\n sock_write_iter+0x279/0x360 net/socket.c:1195\n\nFreed by task 5991:\n mgmt_pending_free net/bluetooth/mgmt_util.c:311 [inline]\n mgmt_pending_foreach+0x30d/0x380 net/bluetooth/mgmt_util.c:257\n mgmt_index_removed+0x112/0x2f0 net/bluetooth/mgmt.c:9477\n hci_sock_bind+0xbe9/0x1000 net/bluetooth/hci_sock.c:1314"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:06:22.812Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fe68510fc99bb4b88c9c611f83699749002d515a"
},
{
"url": "https://git.kernel.org/stable/c/e90c05fc5bbea956450a05cc3b36b8fa29cf195e"
},
{
"url": "https://git.kernel.org/stable/c/69fcb0344bc0dd5b13d7e4e98f8b6bf25a6d4ff7"
},
{
"url": "https://git.kernel.org/stable/c/89bb613511cc21ed5ba6bddc1c9b9ae9c0dad392"
}
],
"title": "Bluetooth: hci_sock: Prevent race in socket write iter and sock bind",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68305",
"datePublished": "2025-12-16T15:06:22.812Z",
"dateReserved": "2025-12-16T14:48:05.294Z",
"dateUpdated": "2025-12-16T15:06:22.812Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68304 (GCVE-0-2025-68304)
Vulnerability from cvelistv5
Published
2025-12-16 15:06
Modified
2025-12-16 15:06
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_core: lookup hci_conn on RX path on protocol side
The hdev lock/lookup/unlock/use pattern in the packet RX path doesn't
ensure hci_conn* is not concurrently modified/deleted. This locking
appears to be leftover from before conn_hash started using RCU
commit bf4c63252490b ("Bluetooth: convert conn hash to RCU")
and not clear if it had purpose since then.
Currently, there are code paths that delete hci_conn* from elsewhere
than the ordered hdev->workqueue where the RX work runs in. E.g.
commit 5af1f84ed13a ("Bluetooth: hci_sync: Fix UAF on hci_abort_conn_sync")
introduced some of these, and there probably were a few others before
it. It's better to do the locking so that even if these run
concurrently no UAF is possible.
Move the lookup of hci_conn and associated socket-specific conn to
protocol recv handlers, and do them within a single critical section
to cover hci_conn* usage and lookup.
syzkaller has reported a crash that appears to be this issue:
[Task hdev->workqueue] [Task 2]
hci_disconnect_all_sync
l2cap_recv_acldata(hcon)
hci_conn_get(hcon)
hci_abort_conn_sync(hcon)
hci_dev_lock
hci_dev_lock
hci_conn_del(hcon)
v-------------------------------- hci_dev_unlock
hci_conn_put(hcon)
conn = hcon->l2cap_data (UAF)
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/bluetooth/hci_core.h",
"net/bluetooth/hci_core.c",
"net/bluetooth/iso.c",
"net/bluetooth/l2cap_core.c",
"net/bluetooth/sco.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ec74cdf77310c43b01b83ee898a9bd4b4b0b8e93",
"status": "affected",
"version": "5af1f84ed13a416297ab9ced7537f4d5ae7f329a",
"versionType": "git"
},
{
"lessThan": "79a2d4678ba90bdba577dc3af88cc900d6dcd5ee",
"status": "affected",
"version": "5af1f84ed13a416297ab9ced7537f4d5ae7f329a",
"versionType": "git"
},
{
"status": "affected",
"version": "cd55c13bbb3d093ae601aa97e588ed4c1390ebb1",
"versionType": "git"
},
{
"status": "affected",
"version": "4d3ca4a9aaf0aa798a6be372dc0fc3a29e37dd57",
"versionType": "git"
},
{
"status": "affected",
"version": "80265dd1d944c3f33e52375b5dbe654980bd2688",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/bluetooth/hci_core.h",
"net/bluetooth/hci_core.c",
"net/bluetooth/iso.c",
"net/bluetooth/l2cap_core.c",
"net/bluetooth/sco.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.6"
},
{
"lessThan": "6.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.1.149",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_core: lookup hci_conn on RX path on protocol side\n\nThe hdev lock/lookup/unlock/use pattern in the packet RX path doesn\u0027t\nensure hci_conn* is not concurrently modified/deleted. This locking\nappears to be leftover from before conn_hash started using RCU\ncommit bf4c63252490b (\"Bluetooth: convert conn hash to RCU\")\nand not clear if it had purpose since then.\n\nCurrently, there are code paths that delete hci_conn* from elsewhere\nthan the ordered hdev-\u003eworkqueue where the RX work runs in. E.g.\ncommit 5af1f84ed13a (\"Bluetooth: hci_sync: Fix UAF on hci_abort_conn_sync\")\nintroduced some of these, and there probably were a few others before\nit. It\u0027s better to do the locking so that even if these run\nconcurrently no UAF is possible.\n\nMove the lookup of hci_conn and associated socket-specific conn to\nprotocol recv handlers, and do them within a single critical section\nto cover hci_conn* usage and lookup.\n\nsyzkaller has reported a crash that appears to be this issue:\n\n [Task hdev-\u003eworkqueue] [Task 2]\n hci_disconnect_all_sync\n l2cap_recv_acldata(hcon)\n hci_conn_get(hcon)\n hci_abort_conn_sync(hcon)\n hci_dev_lock\n hci_dev_lock\n hci_conn_del(hcon)\n v-------------------------------- hci_dev_unlock\n hci_conn_put(hcon)\n conn = hcon-\u003el2cap_data (UAF)"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:06:21.887Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ec74cdf77310c43b01b83ee898a9bd4b4b0b8e93"
},
{
"url": "https://git.kernel.org/stable/c/79a2d4678ba90bdba577dc3af88cc900d6dcd5ee"
}
],
"title": "Bluetooth: hci_core: lookup hci_conn on RX path on protocol side",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68304",
"datePublished": "2025-12-16T15:06:21.887Z",
"dateReserved": "2025-12-16T14:48:05.294Z",
"dateUpdated": "2025-12-16T15:06:21.887Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68303 (GCVE-0-2025-68303)
Vulnerability from cvelistv5
Published
2025-12-16 15:06
Modified
2025-12-16 15:06
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
platform/x86: intel: punit_ipc: fix memory corruption
This passes the address of the pointer "&punit_ipcdev" when the intent
was to pass the pointer itself "punit_ipcdev" (without the ampersand).
This means that the:
complete(&ipcdev->cmd_complete);
in intel_punit_ioc() will write to a wrong memory address corrupting it.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: fdca4f16f57da76a8e68047923588a87d1c01f0a Version: fdca4f16f57da76a8e68047923588a87d1c01f0a Version: fdca4f16f57da76a8e68047923588a87d1c01f0a Version: fdca4f16f57da76a8e68047923588a87d1c01f0a Version: fdca4f16f57da76a8e68047923588a87d1c01f0a Version: fdca4f16f57da76a8e68047923588a87d1c01f0a |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/platform/x86/intel/punit_ipc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "15d560cdf5b36c51fffec07ac2a983ab3bff4cb2",
"status": "affected",
"version": "fdca4f16f57da76a8e68047923588a87d1c01f0a",
"versionType": "git"
},
{
"lessThan": "46e9d6f54184573dae1dcbcf6685a572ba6f4480",
"status": "affected",
"version": "fdca4f16f57da76a8e68047923588a87d1c01f0a",
"versionType": "git"
},
{
"lessThan": "3e7442c5802146fd418ba3f68dcb9ca92b5cec83",
"status": "affected",
"version": "fdca4f16f57da76a8e68047923588a87d1c01f0a",
"versionType": "git"
},
{
"lessThan": "a21615a4ac6fecbb586d59fe2206b63501021789",
"status": "affected",
"version": "fdca4f16f57da76a8e68047923588a87d1c01f0a",
"versionType": "git"
},
{
"lessThan": "c2ee6d38996775a19bfdf20cb01a9b8698cb0baa",
"status": "affected",
"version": "fdca4f16f57da76a8e68047923588a87d1c01f0a",
"versionType": "git"
},
{
"lessThan": "9b9c0adbc3f8a524d291baccc9d0c04097fb4869",
"status": "affected",
"version": "fdca4f16f57da76a8e68047923588a87d1c01f0a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/platform/x86/intel/punit_ipc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.5"
},
{
"lessThan": "4.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: intel: punit_ipc: fix memory corruption\n\nThis passes the address of the pointer \"\u0026punit_ipcdev\" when the intent\nwas to pass the pointer itself \"punit_ipcdev\" (without the ampersand).\nThis means that the:\n\n\tcomplete(\u0026ipcdev-\u003ecmd_complete);\n\nin intel_punit_ioc() will write to a wrong memory address corrupting it."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:06:21.208Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/15d560cdf5b36c51fffec07ac2a983ab3bff4cb2"
},
{
"url": "https://git.kernel.org/stable/c/46e9d6f54184573dae1dcbcf6685a572ba6f4480"
},
{
"url": "https://git.kernel.org/stable/c/3e7442c5802146fd418ba3f68dcb9ca92b5cec83"
},
{
"url": "https://git.kernel.org/stable/c/a21615a4ac6fecbb586d59fe2206b63501021789"
},
{
"url": "https://git.kernel.org/stable/c/c2ee6d38996775a19bfdf20cb01a9b8698cb0baa"
},
{
"url": "https://git.kernel.org/stable/c/9b9c0adbc3f8a524d291baccc9d0c04097fb4869"
}
],
"title": "platform/x86: intel: punit_ipc: fix memory corruption",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68303",
"datePublished": "2025-12-16T15:06:21.208Z",
"dateReserved": "2025-12-16T14:48:05.294Z",
"dateUpdated": "2025-12-16T15:06:21.208Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68302 (GCVE-0-2025-68302)
Vulnerability from cvelistv5
Published
2025-12-16 15:06
Modified
2025-12-16 15:06
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: sxgbe: fix potential NULL dereference in sxgbe_rx()
Currently, when skb is null, the driver prints an error and then
dereferences skb on the next line.
To fix this, let's add a 'break' after the error message to switch
to sxgbe_rx_refill(), which is similar to the approach taken by the
other drivers in this particular case, e.g. calxeda with xgmac_rx().
Found during a code review.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1edb9ca69e8a7988900fc0283e10550b5592164d Version: 1edb9ca69e8a7988900fc0283e10550b5592164d Version: 1edb9ca69e8a7988900fc0283e10550b5592164d Version: 1edb9ca69e8a7988900fc0283e10550b5592164d Version: 1edb9ca69e8a7988900fc0283e10550b5592164d Version: 1edb9ca69e8a7988900fc0283e10550b5592164d Version: 1edb9ca69e8a7988900fc0283e10550b5592164d |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/samsung/sxgbe/sxgbe_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ac171c3c755499c9f87fe30b920602255f8b5648",
"status": "affected",
"version": "1edb9ca69e8a7988900fc0283e10550b5592164d",
"versionType": "git"
},
{
"lessThan": "18ef3ad1bb57dcf1a9ee61736039aedccf670b21",
"status": "affected",
"version": "1edb9ca69e8a7988900fc0283e10550b5592164d",
"versionType": "git"
},
{
"lessThan": "46e5332126596a2ca791140feab18ce1fc1a3c86",
"status": "affected",
"version": "1edb9ca69e8a7988900fc0283e10550b5592164d",
"versionType": "git"
},
{
"lessThan": "7fd789d6ea4915034eb6bcb72f6883c8151083e5",
"status": "affected",
"version": "1edb9ca69e8a7988900fc0283e10550b5592164d",
"versionType": "git"
},
{
"lessThan": "45b5b4ddb8d6bea5fc1625ff6f163bbb125d49cc",
"status": "affected",
"version": "1edb9ca69e8a7988900fc0283e10550b5592164d",
"versionType": "git"
},
{
"lessThan": "88f46c0be77bfe45830ac33102c75be7c34ac3f3",
"status": "affected",
"version": "1edb9ca69e8a7988900fc0283e10550b5592164d",
"versionType": "git"
},
{
"lessThan": "f5bce28f6b9125502abec4a67d68eabcd24b3b17",
"status": "affected",
"version": "1edb9ca69e8a7988900fc0283e10550b5592164d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/samsung/sxgbe/sxgbe_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.15"
},
{
"lessThan": "3.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sxgbe: fix potential NULL dereference in sxgbe_rx()\n\nCurrently, when skb is null, the driver prints an error and then\ndereferences skb on the next line.\n\nTo fix this, let\u0027s add a \u0027break\u0027 after the error message to switch\nto sxgbe_rx_refill(), which is similar to the approach taken by the\nother drivers in this particular case, e.g. calxeda with xgmac_rx().\n\nFound during a code review."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:06:20.420Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ac171c3c755499c9f87fe30b920602255f8b5648"
},
{
"url": "https://git.kernel.org/stable/c/18ef3ad1bb57dcf1a9ee61736039aedccf670b21"
},
{
"url": "https://git.kernel.org/stable/c/46e5332126596a2ca791140feab18ce1fc1a3c86"
},
{
"url": "https://git.kernel.org/stable/c/7fd789d6ea4915034eb6bcb72f6883c8151083e5"
},
{
"url": "https://git.kernel.org/stable/c/45b5b4ddb8d6bea5fc1625ff6f163bbb125d49cc"
},
{
"url": "https://git.kernel.org/stable/c/88f46c0be77bfe45830ac33102c75be7c34ac3f3"
},
{
"url": "https://git.kernel.org/stable/c/f5bce28f6b9125502abec4a67d68eabcd24b3b17"
}
],
"title": "net: sxgbe: fix potential NULL dereference in sxgbe_rx()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68302",
"datePublished": "2025-12-16T15:06:20.420Z",
"dateReserved": "2025-12-16T14:48:05.293Z",
"dateUpdated": "2025-12-16T15:06:20.420Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68301 (GCVE-0-2025-68301)
Vulnerability from cvelistv5
Published
2025-12-16 15:06
Modified
2025-12-16 15:06
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: atlantic: fix fragment overflow handling in RX path
The atlantic driver can receive packets with more than MAX_SKB_FRAGS (17)
fragments when handling large multi-descriptor packets. This causes an
out-of-bounds write in skb_add_rx_frag_netmem() leading to kernel panic.
The issue occurs because the driver doesn't check the total number of
fragments before calling skb_add_rx_frag(). When a packet requires more
than MAX_SKB_FRAGS fragments, the fragment index exceeds the array bounds.
Fix by assuming there will be an extra frag if buff->len > AQ_CFG_RX_HDR_SIZE,
then all fragments are accounted for. And reusing the existing check to
prevent the overflow earlier in the code path.
This crash occurred in production with an Aquantia AQC113 10G NIC.
Stack trace from production environment:
```
RIP: 0010:skb_add_rx_frag_netmem+0x29/0xd0
Code: 90 f3 0f 1e fa 0f 1f 44 00 00 48 89 f8 41 89
ca 48 89 d7 48 63 ce 8b 90 c0 00 00 00 48 c1 e1 04 48 01 ca 48 03 90
c8 00 00 00 <48> 89 7a 30 44 89 52 3c 44 89 42 38 40 f6 c7 01 75 74 48
89 fa 83
RSP: 0018:ffffa9bec02a8d50 EFLAGS: 00010287
RAX: ffff925b22e80a00 RBX: ffff925ad38d2700 RCX:
fffffffe0a0c8000
RDX: ffff9258ea95bac0 RSI: ffff925ae0a0c800 RDI:
0000000000037a40
RBP: 0000000000000024 R08: 0000000000000000 R09:
0000000000000021
R10: 0000000000000848 R11: 0000000000000000 R12:
ffffa9bec02a8e24
R13: ffff925ad8615570 R14: 0000000000000000 R15:
ffff925b22e80a00
FS: 0000000000000000(0000)
GS:ffff925e47880000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff9258ea95baf0 CR3: 0000000166022004 CR4:
0000000000f72ef0
PKRU: 55555554
Call Trace:
<IRQ>
aq_ring_rx_clean+0x175/0xe60 [atlantic]
? aq_ring_rx_clean+0x14d/0xe60 [atlantic]
? aq_ring_tx_clean+0xdf/0x190 [atlantic]
? kmem_cache_free+0x348/0x450
? aq_vec_poll+0x81/0x1d0 [atlantic]
? __napi_poll+0x28/0x1c0
? net_rx_action+0x337/0x420
```
Changes in v4:
- Add Fixes: tag to satisfy patch validation requirements.
Changes in v3:
- Fix by assuming there will be an extra frag if buff->len > AQ_CFG_RX_HDR_SIZE,
then all fragments are accounted for.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: cd66ab20a8f84474564a68fffffd37d998f6c340 Version: 948ddbdc56636773401f2cb9c7a932eb9c43ccfd Version: 6aecbba12b5c90b26dc062af3b9de8c4b3a2f19f Version: 6aecbba12b5c90b26dc062af3b9de8c4b3a2f19f Version: 6aecbba12b5c90b26dc062af3b9de8c4b3a2f19f Version: 6aecbba12b5c90b26dc062af3b9de8c4b3a2f19f Version: 6aecbba12b5c90b26dc062af3b9de8c4b3a2f19f Version: dd4fb02847e737cc38ca75e708b1a836fba45faf |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/aquantia/atlantic/aq_ring.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "34147477eeab24077fcfe9649e282849347d760c",
"status": "affected",
"version": "cd66ab20a8f84474564a68fffffd37d998f6c340",
"versionType": "git"
},
{
"lessThan": "b0c4d5135b04ea100988e2458c98f2d8564cda16",
"status": "affected",
"version": "948ddbdc56636773401f2cb9c7a932eb9c43ccfd",
"versionType": "git"
},
{
"lessThan": "5d6051ea1b0417ae2f06a8440d22e48fbc8f8997",
"status": "affected",
"version": "6aecbba12b5c90b26dc062af3b9de8c4b3a2f19f",
"versionType": "git"
},
{
"lessThan": "3be37c3c96b16462394fcb8e15e757c691377038",
"status": "affected",
"version": "6aecbba12b5c90b26dc062af3b9de8c4b3a2f19f",
"versionType": "git"
},
{
"lessThan": "3fd2105e1b7e041cc24be151c9a31a14d5fc50ab",
"status": "affected",
"version": "6aecbba12b5c90b26dc062af3b9de8c4b3a2f19f",
"versionType": "git"
},
{
"lessThan": "64e47cd1fd631a21bf5a630cebefec6c8fc381cd",
"status": "affected",
"version": "6aecbba12b5c90b26dc062af3b9de8c4b3a2f19f",
"versionType": "git"
},
{
"lessThan": "5ffcb7b890f61541201461580bb6622ace405aec",
"status": "affected",
"version": "6aecbba12b5c90b26dc062af3b9de8c4b3a2f19f",
"versionType": "git"
},
{
"status": "affected",
"version": "dd4fb02847e737cc38ca75e708b1a836fba45faf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/aquantia/atlantic/aq_ring.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.10.118",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.15.42",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.17.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: atlantic: fix fragment overflow handling in RX path\n\nThe atlantic driver can receive packets with more than MAX_SKB_FRAGS (17)\nfragments when handling large multi-descriptor packets. This causes an\nout-of-bounds write in skb_add_rx_frag_netmem() leading to kernel panic.\n\nThe issue occurs because the driver doesn\u0027t check the total number of\nfragments before calling skb_add_rx_frag(). When a packet requires more\nthan MAX_SKB_FRAGS fragments, the fragment index exceeds the array bounds.\n\nFix by assuming there will be an extra frag if buff-\u003elen \u003e AQ_CFG_RX_HDR_SIZE,\nthen all fragments are accounted for. And reusing the existing check to\nprevent the overflow earlier in the code path.\n\nThis crash occurred in production with an Aquantia AQC113 10G NIC.\n\nStack trace from production environment:\n```\nRIP: 0010:skb_add_rx_frag_netmem+0x29/0xd0\nCode: 90 f3 0f 1e fa 0f 1f 44 00 00 48 89 f8 41 89\nca 48 89 d7 48 63 ce 8b 90 c0 00 00 00 48 c1 e1 04 48 01 ca 48 03 90\nc8 00 00 00 \u003c48\u003e 89 7a 30 44 89 52 3c 44 89 42 38 40 f6 c7 01 75 74 48\n89 fa 83\nRSP: 0018:ffffa9bec02a8d50 EFLAGS: 00010287\nRAX: ffff925b22e80a00 RBX: ffff925ad38d2700 RCX:\nfffffffe0a0c8000\nRDX: ffff9258ea95bac0 RSI: ffff925ae0a0c800 RDI:\n0000000000037a40\nRBP: 0000000000000024 R08: 0000000000000000 R09:\n0000000000000021\nR10: 0000000000000848 R11: 0000000000000000 R12:\nffffa9bec02a8e24\nR13: ffff925ad8615570 R14: 0000000000000000 R15:\nffff925b22e80a00\nFS: 0000000000000000(0000)\nGS:ffff925e47880000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffff9258ea95baf0 CR3: 0000000166022004 CR4:\n0000000000f72ef0\nPKRU: 55555554\nCall Trace:\n\u003cIRQ\u003e\naq_ring_rx_clean+0x175/0xe60 [atlantic]\n? aq_ring_rx_clean+0x14d/0xe60 [atlantic]\n? aq_ring_tx_clean+0xdf/0x190 [atlantic]\n? kmem_cache_free+0x348/0x450\n? aq_vec_poll+0x81/0x1d0 [atlantic]\n? __napi_poll+0x28/0x1c0\n? net_rx_action+0x337/0x420\n```\n\nChanges in v4:\n- Add Fixes: tag to satisfy patch validation requirements.\n\nChanges in v3:\n- Fix by assuming there will be an extra frag if buff-\u003elen \u003e AQ_CFG_RX_HDR_SIZE,\n then all fragments are accounted for."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:06:19.688Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/34147477eeab24077fcfe9649e282849347d760c"
},
{
"url": "https://git.kernel.org/stable/c/b0c4d5135b04ea100988e2458c98f2d8564cda16"
},
{
"url": "https://git.kernel.org/stable/c/5d6051ea1b0417ae2f06a8440d22e48fbc8f8997"
},
{
"url": "https://git.kernel.org/stable/c/3be37c3c96b16462394fcb8e15e757c691377038"
},
{
"url": "https://git.kernel.org/stable/c/3fd2105e1b7e041cc24be151c9a31a14d5fc50ab"
},
{
"url": "https://git.kernel.org/stable/c/64e47cd1fd631a21bf5a630cebefec6c8fc381cd"
},
{
"url": "https://git.kernel.org/stable/c/5ffcb7b890f61541201461580bb6622ace405aec"
}
],
"title": "net: atlantic: fix fragment overflow handling in RX path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68301",
"datePublished": "2025-12-16T15:06:19.688Z",
"dateReserved": "2025-12-16T14:48:05.293Z",
"dateUpdated": "2025-12-16T15:06:19.688Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68300 (GCVE-0-2025-68300)
Vulnerability from cvelistv5
Published
2025-12-16 15:06
Modified
2025-12-16 15:06
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs/namespace: fix reference leak in grab_requested_mnt_ns
lookup_mnt_ns() already takes a reference on mnt_ns.
grab_requested_mnt_ns() doesn't need to take an extra reference.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/namespace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4a16b2a0c1f033f95f5d0b98b9e40e8bf7c4c2c5",
"status": "affected",
"version": "ba306daa7fa8ae0be5d64c215e9d43a88b4bc8bf",
"versionType": "git"
},
{
"lessThan": "fe256e59b8e7f126b2464ee32bd9fee131f0a883",
"status": "affected",
"version": "8ff97ade912dcfc5ac1783c4b8d615aacd26fd17",
"versionType": "git"
},
{
"lessThan": "7b6dcd9bfd869eee7693e45b1817dac8c56e5f86",
"status": "affected",
"version": "78f0e33cd6c939a555aa80dbed2fec6b333a7660",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/namespace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6.12.61",
"status": "affected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThan": "6.17.11",
"status": "affected",
"version": "6.17.9",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "6.12.59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "6.17.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/namespace: fix reference leak in grab_requested_mnt_ns\n\nlookup_mnt_ns() already takes a reference on mnt_ns.\ngrab_requested_mnt_ns() doesn\u0027t need to take an extra reference."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:06:18.941Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4a16b2a0c1f033f95f5d0b98b9e40e8bf7c4c2c5"
},
{
"url": "https://git.kernel.org/stable/c/fe256e59b8e7f126b2464ee32bd9fee131f0a883"
},
{
"url": "https://git.kernel.org/stable/c/7b6dcd9bfd869eee7693e45b1817dac8c56e5f86"
}
],
"title": "fs/namespace: fix reference leak in grab_requested_mnt_ns",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68300",
"datePublished": "2025-12-16T15:06:18.941Z",
"dateReserved": "2025-12-16T14:48:05.293Z",
"dateUpdated": "2025-12-16T15:06:18.941Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68299 (GCVE-0-2025-68299)
Vulnerability from cvelistv5
Published
2025-12-16 15:06
Modified
2025-12-16 15:06
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
afs: Fix delayed allocation of a cell's anonymous key
The allocation of a cell's anonymous key is done in a background thread
along with other cell setup such as doing a DNS upcall. In the reported
bug, this is triggered by afs_parse_source() parsing the device name given
to mount() and calling afs_lookup_cell() with the name of the cell.
The normal key lookup then tries to use the key description on the
anonymous authentication key as the reference for request_key() - but it
may not yet be set and so an oops can happen.
This has been made more likely to happen by the fix for dynamic lookup
failure.
Fix this by firstly allocating a reference name and attaching it to the
afs_cell record when the record is created. It can share the memory
allocation with the cell name (unfortunately it can't just overlap the cell
name by prepending it with "afs@" as the cell name already has a '.'
prepended for other purposes). This reference name is then passed to
request_key().
Secondly, the anon key is now allocated on demand at the point a key is
requested in afs_request_key() if it is not already allocated. A mutex is
used to prevent multiple allocation for a cell.
Thirdly, make afs_request_key_rcu() return NULL if the anonymous key isn't
yet allocated (if we need it) and then the caller can return -ECHILD to
drop out of RCU-mode and afs_request_key() can be called.
Note that the anonymous key is kind of necessary to make the key lookup
cache work as that doesn't currently cache a negative lookup, but it's
probably worth some investigation to see if NULL can be used instead.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/afs/cell.c",
"fs/afs/internal.h",
"fs/afs/security.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5613bde937dfac6725e9c3fc766b9d6b8481e55b",
"status": "affected",
"version": "7e33b15d5a6578a99ebf189cea34983270ae92dd",
"versionType": "git"
},
{
"lessThan": "d27c71257825dced46104eefe42e4d9964bd032e",
"status": "affected",
"version": "330e2c514823008b22e6afd2055715bc46dd8d55",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/afs/cell.c",
"fs/afs/internal.h",
"fs/afs/security.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6.17.11",
"status": "affected",
"version": "6.17.9",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "6.17.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nafs: Fix delayed allocation of a cell\u0027s anonymous key\n\nThe allocation of a cell\u0027s anonymous key is done in a background thread\nalong with other cell setup such as doing a DNS upcall. In the reported\nbug, this is triggered by afs_parse_source() parsing the device name given\nto mount() and calling afs_lookup_cell() with the name of the cell.\n\nThe normal key lookup then tries to use the key description on the\nanonymous authentication key as the reference for request_key() - but it\nmay not yet be set and so an oops can happen.\n\nThis has been made more likely to happen by the fix for dynamic lookup\nfailure.\n\nFix this by firstly allocating a reference name and attaching it to the\nafs_cell record when the record is created. It can share the memory\nallocation with the cell name (unfortunately it can\u0027t just overlap the cell\nname by prepending it with \"afs@\" as the cell name already has a \u0027.\u0027\nprepended for other purposes). This reference name is then passed to\nrequest_key().\n\nSecondly, the anon key is now allocated on demand at the point a key is\nrequested in afs_request_key() if it is not already allocated. A mutex is\nused to prevent multiple allocation for a cell.\n\nThirdly, make afs_request_key_rcu() return NULL if the anonymous key isn\u0027t\nyet allocated (if we need it) and then the caller can return -ECHILD to\ndrop out of RCU-mode and afs_request_key() can be called.\n\nNote that the anonymous key is kind of necessary to make the key lookup\ncache work as that doesn\u0027t currently cache a negative lookup, but it\u0027s\nprobably worth some investigation to see if NULL can be used instead."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:06:18.246Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5613bde937dfac6725e9c3fc766b9d6b8481e55b"
},
{
"url": "https://git.kernel.org/stable/c/d27c71257825dced46104eefe42e4d9964bd032e"
}
],
"title": "afs: Fix delayed allocation of a cell\u0027s anonymous key",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68299",
"datePublished": "2025-12-16T15:06:18.246Z",
"dateReserved": "2025-12-16T14:48:05.293Z",
"dateUpdated": "2025-12-16T15:06:18.246Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68298 (GCVE-0-2025-68298)
Vulnerability from cvelistv5
Published
2025-12-16 15:06
Modified
2025-12-16 15:06
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: btusb: mediatek: Avoid btusb_mtk_claim_iso_intf() NULL deref
In btusb_mtk_setup(), we set `btmtk_data->isopkt_intf` to:
usb_ifnum_to_if(data->udev, MTK_ISO_IFNUM)
That function can return NULL in some cases. Even when it returns
NULL, though, we still go on to call btusb_mtk_claim_iso_intf().
As of commit e9087e828827 ("Bluetooth: btusb: mediatek: Add locks for
usb_driver_claim_interface()"), calling btusb_mtk_claim_iso_intf()
when `btmtk_data->isopkt_intf` is NULL will cause a crash because
we'll end up passing a bad pointer to device_lock(). Prior to that
commit we'd pass the NULL pointer directly to
usb_driver_claim_interface() which would detect it and return an
error, which was handled.
Resolve the crash in btusb_mtk_claim_iso_intf() by adding a NULL check
at the start of the function. This makes the code handle a NULL
`btmtk_data->isopkt_intf` the same way it did before the problematic
commit (just with a slight change to the error message printed).
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/btusb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2fa09fe98ca3b114d66285f65f7e108fea131815",
"status": "affected",
"version": "930e1790b99e5839e1af69d2f7fd808f1fba2df9",
"versionType": "git"
},
{
"lessThan": "c3b990e0b23068da65f0004cd38ee31f43f36460",
"status": "affected",
"version": "e9087e828827e5a5c85e124ce77503f2b81c3491",
"versionType": "git"
},
{
"lessThan": "c884a0b27b4586e607431d86a1aa0bb4fb39169c",
"status": "affected",
"version": "e9087e828827e5a5c85e124ce77503f2b81c3491",
"versionType": "git"
},
{
"status": "affected",
"version": "4194766ec8756f4f654d595ae49962acbac49490",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/btusb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.14"
},
{
"lessThan": "6.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "6.12.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.13.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btusb: mediatek: Avoid btusb_mtk_claim_iso_intf() NULL deref\n\nIn btusb_mtk_setup(), we set `btmtk_data-\u003eisopkt_intf` to:\n usb_ifnum_to_if(data-\u003eudev, MTK_ISO_IFNUM)\n\nThat function can return NULL in some cases. Even when it returns\nNULL, though, we still go on to call btusb_mtk_claim_iso_intf().\n\nAs of commit e9087e828827 (\"Bluetooth: btusb: mediatek: Add locks for\nusb_driver_claim_interface()\"), calling btusb_mtk_claim_iso_intf()\nwhen `btmtk_data-\u003eisopkt_intf` is NULL will cause a crash because\nwe\u0027ll end up passing a bad pointer to device_lock(). Prior to that\ncommit we\u0027d pass the NULL pointer directly to\nusb_driver_claim_interface() which would detect it and return an\nerror, which was handled.\n\nResolve the crash in btusb_mtk_claim_iso_intf() by adding a NULL check\nat the start of the function. This makes the code handle a NULL\n`btmtk_data-\u003eisopkt_intf` the same way it did before the problematic\ncommit (just with a slight change to the error message printed)."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:06:17.526Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2fa09fe98ca3b114d66285f65f7e108fea131815"
},
{
"url": "https://git.kernel.org/stable/c/c3b990e0b23068da65f0004cd38ee31f43f36460"
},
{
"url": "https://git.kernel.org/stable/c/c884a0b27b4586e607431d86a1aa0bb4fb39169c"
}
],
"title": "Bluetooth: btusb: mediatek: Avoid btusb_mtk_claim_iso_intf() NULL deref",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68298",
"datePublished": "2025-12-16T15:06:17.526Z",
"dateReserved": "2025-12-16T14:48:05.293Z",
"dateUpdated": "2025-12-16T15:06:17.526Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68297 (GCVE-0-2025-68297)
Vulnerability from cvelistv5
Published
2025-12-16 15:06
Modified
2025-12-16 15:06
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ceph: fix crash in process_v2_sparse_read() for encrypted directories
The crash in process_v2_sparse_read() for fscrypt-encrypted directories
has been reported. Issue takes place for Ceph msgr2 protocol in secure
mode. It can be reproduced by the steps:
sudo mount -t ceph :/ /mnt/cephfs/ -o name=admin,fs=cephfs,ms_mode=secure
(1) mkdir /mnt/cephfs/fscrypt-test-3
(2) cp area_decrypted.tar /mnt/cephfs/fscrypt-test-3
(3) fscrypt encrypt --source=raw_key --key=./my.key /mnt/cephfs/fscrypt-test-3
(4) fscrypt lock /mnt/cephfs/fscrypt-test-3
(5) fscrypt unlock --key=my.key /mnt/cephfs/fscrypt-test-3
(6) cat /mnt/cephfs/fscrypt-test-3/area_decrypted.tar
(7) Issue has been triggered
[ 408.072247] ------------[ cut here ]------------
[ 408.072251] WARNING: CPU: 1 PID: 392 at net/ceph/messenger_v2.c:865
ceph_con_v2_try_read+0x4b39/0x72f0
[ 408.072267] Modules linked in: intel_rapl_msr intel_rapl_common
intel_uncore_frequency_common intel_pmc_core pmt_telemetry pmt_discovery
pmt_class intel_pmc_ssram_telemetry intel_vsec kvm_intel joydev kvm irqbypass
polyval_clmulni ghash_clmulni_intel aesni_intel rapl input_leds psmouse
serio_raw i2c_piix4 vga16fb bochs vgastate i2c_smbus floppy mac_hid qemu_fw_cfg
pata_acpi sch_fq_codel rbd msr parport_pc ppdev lp parport efi_pstore
[ 408.072304] CPU: 1 UID: 0 PID: 392 Comm: kworker/1:3 Not tainted 6.17.0-rc7+
[ 408.072307] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.17.0-5.fc42 04/01/2014
[ 408.072310] Workqueue: ceph-msgr ceph_con_workfn
[ 408.072314] RIP: 0010:ceph_con_v2_try_read+0x4b39/0x72f0
[ 408.072317] Code: c7 c1 20 f0 d4 ae 50 31 d2 48 c7 c6 60 27 d5 ae 48 c7 c7 f8
8e 6f b0 68 60 38 d5 ae e8 00 47 61 fe 48 83 c4 18 e9 ac fc ff ff <0f> 0b e9 06
fe ff ff 4c 8b 9d 98 fd ff ff 0f 84 64 e7 ff ff 89 85
[ 408.072319] RSP: 0018:ffff88811c3e7a30 EFLAGS: 00010246
[ 408.072322] RAX: ffffed1024874c6f RBX: ffffea00042c2b40 RCX: 0000000000000f38
[ 408.072324] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 408.072325] RBP: ffff88811c3e7ca8 R08: 0000000000000000 R09: 00000000000000c8
[ 408.072326] R10: 00000000000000c8 R11: 0000000000000000 R12: 00000000000000c8
[ 408.072327] R13: dffffc0000000000 R14: ffff8881243a6030 R15: 0000000000003000
[ 408.072329] FS: 0000000000000000(0000) GS:ffff88823eadf000(0000)
knlGS:0000000000000000
[ 408.072331] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 408.072332] CR2: 000000c0003c6000 CR3: 000000010c106005 CR4: 0000000000772ef0
[ 408.072336] PKRU: 55555554
[ 408.072337] Call Trace:
[ 408.072338] <TASK>
[ 408.072340] ? sched_clock_noinstr+0x9/0x10
[ 408.072344] ? __pfx_ceph_con_v2_try_read+0x10/0x10
[ 408.072347] ? _raw_spin_unlock+0xe/0x40
[ 408.072349] ? finish_task_switch.isra.0+0x15d/0x830
[ 408.072353] ? __kasan_check_write+0x14/0x30
[ 408.072357] ? mutex_lock+0x84/0xe0
[ 408.072359] ? __pfx_mutex_lock+0x10/0x10
[ 408.072361] ceph_con_workfn+0x27e/0x10e0
[ 408.072364] ? metric_delayed_work+0x311/0x2c50
[ 408.072367] process_one_work+0x611/0xe20
[ 408.072371] ? __kasan_check_write+0x14/0x30
[ 408.072373] worker_thread+0x7e3/0x1580
[ 408.072375] ? __pfx__raw_spin_lock_irqsave+0x10/0x10
[ 408.072378] ? __pfx_worker_thread+0x10/0x10
[ 408.072381] kthread+0x381/0x7a0
[ 408.072383] ? __pfx__raw_spin_lock_irq+0x10/0x10
[ 408.072385] ? __pfx_kthread+0x10/0x10
[ 408.072387] ? __kasan_check_write+0x14/0x30
[ 408.072389] ? recalc_sigpending+0x160/0x220
[ 408.072392] ? _raw_spin_unlock_irq+0xe/0x50
[ 408.072394] ? calculate_sigpending+0x78/0xb0
[ 408.072395] ? __pfx_kthread+0x10/0x10
[ 408.072397] ret_from_fork+0x2b6/0x380
[ 408.072400] ? __pfx_kthread+0x10/0x10
[ 408.072402] ret_from_fork_asm+0x1a/0x30
[ 408.072406] </TASK>
[ 408.072407] ---[ end trace 0000000000000000 ]---
[ 408.072418] Oops: general protection fault, probably for non-canonical
address 0xdffffc00000000
---truncated---
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ceph/messenger_v2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5a3f3e39b18705bc578fae58abacc8ef93c15194",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "47144748fbf12068ba4b82512098fe1ac748a2e9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7d1b7de853f7d1eefd6d22949bcefc0c25186727",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "43962db4a6f593903340c85591056a0cef812dfd",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ceph/messenger_v2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: fix crash in process_v2_sparse_read() for encrypted directories\n\nThe crash in process_v2_sparse_read() for fscrypt-encrypted directories\nhas been reported. Issue takes place for Ceph msgr2 protocol in secure\nmode. It can be reproduced by the steps:\n\nsudo mount -t ceph :/ /mnt/cephfs/ -o name=admin,fs=cephfs,ms_mode=secure\n\n(1) mkdir /mnt/cephfs/fscrypt-test-3\n(2) cp area_decrypted.tar /mnt/cephfs/fscrypt-test-3\n(3) fscrypt encrypt --source=raw_key --key=./my.key /mnt/cephfs/fscrypt-test-3\n(4) fscrypt lock /mnt/cephfs/fscrypt-test-3\n(5) fscrypt unlock --key=my.key /mnt/cephfs/fscrypt-test-3\n(6) cat /mnt/cephfs/fscrypt-test-3/area_decrypted.tar\n(7) Issue has been triggered\n\n[ 408.072247] ------------[ cut here ]------------\n[ 408.072251] WARNING: CPU: 1 PID: 392 at net/ceph/messenger_v2.c:865\nceph_con_v2_try_read+0x4b39/0x72f0\n[ 408.072267] Modules linked in: intel_rapl_msr intel_rapl_common\nintel_uncore_frequency_common intel_pmc_core pmt_telemetry pmt_discovery\npmt_class intel_pmc_ssram_telemetry intel_vsec kvm_intel joydev kvm irqbypass\npolyval_clmulni ghash_clmulni_intel aesni_intel rapl input_leds psmouse\nserio_raw i2c_piix4 vga16fb bochs vgastate i2c_smbus floppy mac_hid qemu_fw_cfg\npata_acpi sch_fq_codel rbd msr parport_pc ppdev lp parport efi_pstore\n[ 408.072304] CPU: 1 UID: 0 PID: 392 Comm: kworker/1:3 Not tainted 6.17.0-rc7+\n[ 408.072307] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n1.17.0-5.fc42 04/01/2014\n[ 408.072310] Workqueue: ceph-msgr ceph_con_workfn\n[ 408.072314] RIP: 0010:ceph_con_v2_try_read+0x4b39/0x72f0\n[ 408.072317] Code: c7 c1 20 f0 d4 ae 50 31 d2 48 c7 c6 60 27 d5 ae 48 c7 c7 f8\n8e 6f b0 68 60 38 d5 ae e8 00 47 61 fe 48 83 c4 18 e9 ac fc ff ff \u003c0f\u003e 0b e9 06\nfe ff ff 4c 8b 9d 98 fd ff ff 0f 84 64 e7 ff ff 89 85\n[ 408.072319] RSP: 0018:ffff88811c3e7a30 EFLAGS: 00010246\n[ 408.072322] RAX: ffffed1024874c6f RBX: ffffea00042c2b40 RCX: 0000000000000f38\n[ 408.072324] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n[ 408.072325] RBP: ffff88811c3e7ca8 R08: 0000000000000000 R09: 00000000000000c8\n[ 408.072326] R10: 00000000000000c8 R11: 0000000000000000 R12: 00000000000000c8\n[ 408.072327] R13: dffffc0000000000 R14: ffff8881243a6030 R15: 0000000000003000\n[ 408.072329] FS: 0000000000000000(0000) GS:ffff88823eadf000(0000)\nknlGS:0000000000000000\n[ 408.072331] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 408.072332] CR2: 000000c0003c6000 CR3: 000000010c106005 CR4: 0000000000772ef0\n[ 408.072336] PKRU: 55555554\n[ 408.072337] Call Trace:\n[ 408.072338] \u003cTASK\u003e\n[ 408.072340] ? sched_clock_noinstr+0x9/0x10\n[ 408.072344] ? __pfx_ceph_con_v2_try_read+0x10/0x10\n[ 408.072347] ? _raw_spin_unlock+0xe/0x40\n[ 408.072349] ? finish_task_switch.isra.0+0x15d/0x830\n[ 408.072353] ? __kasan_check_write+0x14/0x30\n[ 408.072357] ? mutex_lock+0x84/0xe0\n[ 408.072359] ? __pfx_mutex_lock+0x10/0x10\n[ 408.072361] ceph_con_workfn+0x27e/0x10e0\n[ 408.072364] ? metric_delayed_work+0x311/0x2c50\n[ 408.072367] process_one_work+0x611/0xe20\n[ 408.072371] ? __kasan_check_write+0x14/0x30\n[ 408.072373] worker_thread+0x7e3/0x1580\n[ 408.072375] ? __pfx__raw_spin_lock_irqsave+0x10/0x10\n[ 408.072378] ? __pfx_worker_thread+0x10/0x10\n[ 408.072381] kthread+0x381/0x7a0\n[ 408.072383] ? __pfx__raw_spin_lock_irq+0x10/0x10\n[ 408.072385] ? __pfx_kthread+0x10/0x10\n[ 408.072387] ? __kasan_check_write+0x14/0x30\n[ 408.072389] ? recalc_sigpending+0x160/0x220\n[ 408.072392] ? _raw_spin_unlock_irq+0xe/0x50\n[ 408.072394] ? calculate_sigpending+0x78/0xb0\n[ 408.072395] ? __pfx_kthread+0x10/0x10\n[ 408.072397] ret_from_fork+0x2b6/0x380\n[ 408.072400] ? __pfx_kthread+0x10/0x10\n[ 408.072402] ret_from_fork_asm+0x1a/0x30\n[ 408.072406] \u003c/TASK\u003e\n[ 408.072407] ---[ end trace 0000000000000000 ]---\n[ 408.072418] Oops: general protection fault, probably for non-canonical\naddress 0xdffffc00000000\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:06:16.756Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5a3f3e39b18705bc578fae58abacc8ef93c15194"
},
{
"url": "https://git.kernel.org/stable/c/47144748fbf12068ba4b82512098fe1ac748a2e9"
},
{
"url": "https://git.kernel.org/stable/c/7d1b7de853f7d1eefd6d22949bcefc0c25186727"
},
{
"url": "https://git.kernel.org/stable/c/43962db4a6f593903340c85591056a0cef812dfd"
}
],
"title": "ceph: fix crash in process_v2_sparse_read() for encrypted directories",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68297",
"datePublished": "2025-12-16T15:06:16.756Z",
"dateReserved": "2025-12-16T14:48:05.293Z",
"dateUpdated": "2025-12-16T15:06:16.756Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68296 (GCVE-0-2025-68296)
Vulnerability from cvelistv5
Published
2025-12-16 15:06
Modified
2025-12-16 15:06
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm, fbcon, vga_switcheroo: Avoid race condition in fbcon setup
Protect vga_switcheroo_client_fb_set() with console lock. Avoids OOB
access in fbcon_remap_all(). Without holding the console lock the call
races with switching outputs.
VGA switcheroo calls fbcon_remap_all() when switching clients. The fbcon
function uses struct fb_info.node, which is set by register_framebuffer().
As the fb-helper code currently sets up VGA switcheroo before registering
the framebuffer, the value of node is -1 and therefore not a legal value.
For example, fbcon uses the value within set_con2fb_map() [1] as an index
into an array.
Moving vga_switcheroo_client_fb_set() after register_framebuffer() can
result in VGA switching that does not switch fbcon correctly.
Therefore move vga_switcheroo_client_fb_set() under fbcon_fb_registered(),
which already holds the console lock. Fbdev calls fbcon_fb_registered()
from within register_framebuffer(). Serializes the helper with VGA
switcheroo's call to fbcon_remap_all().
Although vga_switcheroo_client_fb_set() takes an instance of struct fb_info
as parameter, it really only needs the contained fbcon state. Moving the
call to fbcon initialization is therefore cleaner than before. Only amdgpu,
i915, nouveau and radeon support vga_switcheroo. For all other drivers,
this change does nothing.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/drm_fb_helper.c",
"drivers/video/fbdev/core/fbcon.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "482330f8261b4bea8146d9bd69c1199e5dfcbb5c",
"status": "affected",
"version": "6a9ee8af344e3bd7dbd61e67037096cdf7f83289",
"versionType": "git"
},
{
"lessThan": "05814c389b53d2f3a0b9eeb90ba7a05ba77c4c2a",
"status": "affected",
"version": "6a9ee8af344e3bd7dbd61e67037096cdf7f83289",
"versionType": "git"
},
{
"lessThan": "eb76d0f5553575599561010f24c277cc5b31d003",
"status": "affected",
"version": "6a9ee8af344e3bd7dbd61e67037096cdf7f83289",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/drm_fb_helper.c",
"drivers/video/fbdev/core/fbcon.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.34"
},
{
"lessThan": "2.6.34",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.34",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm, fbcon, vga_switcheroo: Avoid race condition in fbcon setup\n\nProtect vga_switcheroo_client_fb_set() with console lock. Avoids OOB\naccess in fbcon_remap_all(). Without holding the console lock the call\nraces with switching outputs.\n\nVGA switcheroo calls fbcon_remap_all() when switching clients. The fbcon\nfunction uses struct fb_info.node, which is set by register_framebuffer().\nAs the fb-helper code currently sets up VGA switcheroo before registering\nthe framebuffer, the value of node is -1 and therefore not a legal value.\nFor example, fbcon uses the value within set_con2fb_map() [1] as an index\ninto an array.\n\nMoving vga_switcheroo_client_fb_set() after register_framebuffer() can\nresult in VGA switching that does not switch fbcon correctly.\n\nTherefore move vga_switcheroo_client_fb_set() under fbcon_fb_registered(),\nwhich already holds the console lock. Fbdev calls fbcon_fb_registered()\nfrom within register_framebuffer(). Serializes the helper with VGA\nswitcheroo\u0027s call to fbcon_remap_all().\n\nAlthough vga_switcheroo_client_fb_set() takes an instance of struct fb_info\nas parameter, it really only needs the contained fbcon state. Moving the\ncall to fbcon initialization is therefore cleaner than before. Only amdgpu,\ni915, nouveau and radeon support vga_switcheroo. For all other drivers,\nthis change does nothing."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:06:15.797Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/482330f8261b4bea8146d9bd69c1199e5dfcbb5c"
},
{
"url": "https://git.kernel.org/stable/c/05814c389b53d2f3a0b9eeb90ba7a05ba77c4c2a"
},
{
"url": "https://git.kernel.org/stable/c/eb76d0f5553575599561010f24c277cc5b31d003"
}
],
"title": "drm, fbcon, vga_switcheroo: Avoid race condition in fbcon setup",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68296",
"datePublished": "2025-12-16T15:06:15.797Z",
"dateReserved": "2025-12-16T14:48:05.293Z",
"dateUpdated": "2025-12-16T15:06:15.797Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}