2660 vulnerabilities found for by Linux
CVE-2025-40211 (GCVE-0-2025-40211)
Vulnerability from cvelistv5
Published
2025-11-21 10:21
Modified
2025-11-21 10:21
Summary
In the Linux kernel, the following vulnerability has been resolved:
ACPI: video: Fix use-after-free in acpi_video_switch_brightness()
The switch_brightness_work delayed work accesses device->brightness
and device->backlight, freed by acpi_video_dev_unregister_backlight()
during device removal.
If the work executes after acpi_video_bus_unregister_backlight()
frees these resources, it causes a use-after-free when
acpi_video_switch_brightness() dereferences device->brightness or
device->backlight.
Fix this by calling cancel_delayed_work_sync() for each device's
switch_brightness_work in acpi_video_bus_remove_notify_handler()
after removing the notify handler that queues the work. This ensures
the work completes before the memory is freed.
[ rjw: Changelog edit ]
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/acpi/acpi_video.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "de5fc93275a4a459fe2f7cb746984f2ab3e8292a",
"status": "affected",
"version": "8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7",
"versionType": "git"
},
{
"lessThan": "293125536ef5521328815fa7c76d5f9eb1635659",
"status": "affected",
"version": "8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7",
"versionType": "git"
},
{
"lessThan": "8f067aa59430266386b83c18b983ca583faa6a11",
"status": "affected",
"version": "8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/acpi/acpi_video.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.17"
},
{
"lessThan": "3.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc4",
"versionStartIncluding": "3.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: video: Fix use-after-free in acpi_video_switch_brightness()\n\nThe switch_brightness_work delayed work accesses device-\u003ebrightness\nand device-\u003ebacklight, freed by acpi_video_dev_unregister_backlight()\nduring device removal.\n\nIf the work executes after acpi_video_bus_unregister_backlight()\nfrees these resources, it causes a use-after-free when\nacpi_video_switch_brightness() dereferences device-\u003ebrightness or\ndevice-\u003ebacklight.\n\nFix this by calling cancel_delayed_work_sync() for each device\u0027s\nswitch_brightness_work in acpi_video_bus_remove_notify_handler()\nafter removing the notify handler that queues the work. This ensures\nthe work completes before the memory is freed.\n\n[ rjw: Changelog edit ]"
}
],
"providerMetadata": {
"dateUpdated": "2025-11-21T10:21:36.438Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/de5fc93275a4a459fe2f7cb746984f2ab3e8292a"
},
{
"url": "https://git.kernel.org/stable/c/293125536ef5521328815fa7c76d5f9eb1635659"
},
{
"url": "https://git.kernel.org/stable/c/8f067aa59430266386b83c18b983ca583faa6a11"
}
],
"title": "ACPI: video: Fix use-after-free in acpi_video_switch_brightness()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40211",
"datePublished": "2025-11-21T10:21:36.438Z",
"dateReserved": "2025-04-16T07:20:57.179Z",
"dateUpdated": "2025-11-21T10:21:36.438Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40210 (GCVE-0-2025-40210)
Vulnerability from cvelistv5
Published
2025-11-21 10:21
Modified
2025-11-21 10:21
Summary
In the Linux kernel, the following vulnerability has been resolved:
Revert "NFSD: Remove the cap on number of operations per NFSv4 COMPOUND"
I've found that pynfs COMP6 now leaves the connection or lease in a
strange state, which causes CLOSE9 to hang indefinitely. I've dug
into it a little, but I haven't been able to root-cause it yet.
However, I bisected to commit 48aab1606fa8 ("NFSD: Remove the cap on
number of operations per NFSv4 COMPOUND").
Tianshuo Han also reports a potential vulnerability when decoding
an NFSv4 COMPOUND. An attacker can place an arbitrarily large op
count in the COMPOUND header, which results in:
[ 51.410584] nfsd: vmalloc error: size 1209533382144, exceeds total
pages, mode:0xdc0(GFP_KERNEL|__GFP_ZERO),
nodemask=(null),cpuset=/,mems_allowed=0
when NFSD attempts to allocate the COMPOUND op array.
Let's restore the operation-per-COMPOUND limit, but increased to 200
for now.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfs4proc.c",
"fs/nfsd/nfs4state.c",
"fs/nfsd/nfs4xdr.c",
"fs/nfsd/nfsd.h",
"fs/nfsd/xdr4.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b3ee7ce432289deac87b9d14e01f2fe6958f7f0b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3e7f011c255582d7c914133785bbba1990441713",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfs4proc.c",
"fs/nfsd/nfs4state.c",
"fs/nfsd/nfs4xdr.c",
"fs/nfsd/nfsd.h",
"fs/nfsd/xdr4.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"NFSD: Remove the cap on number of operations per NFSv4 COMPOUND\"\n\nI\u0027ve found that pynfs COMP6 now leaves the connection or lease in a\nstrange state, which causes CLOSE9 to hang indefinitely. I\u0027ve dug\ninto it a little, but I haven\u0027t been able to root-cause it yet.\nHowever, I bisected to commit 48aab1606fa8 (\"NFSD: Remove the cap on\nnumber of operations per NFSv4 COMPOUND\").\n\nTianshuo Han also reports a potential vulnerability when decoding\nan NFSv4 COMPOUND. An attacker can place an arbitrarily large op\ncount in the COMPOUND header, which results in:\n\n[ 51.410584] nfsd: vmalloc error: size 1209533382144, exceeds total\npages, mode:0xdc0(GFP_KERNEL|__GFP_ZERO),\nnodemask=(null),cpuset=/,mems_allowed=0\n\nwhen NFSD attempts to allocate the COMPOUND op array.\n\nLet\u0027s restore the operation-per-COMPOUND limit, but increased to 200\nfor now."
}
],
"providerMetadata": {
"dateUpdated": "2025-11-21T10:21:35.540Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b3ee7ce432289deac87b9d14e01f2fe6958f7f0b"
},
{
"url": "https://git.kernel.org/stable/c/3e7f011c255582d7c914133785bbba1990441713"
}
],
"title": "Revert \"NFSD: Remove the cap on number of operations per NFSv4 COMPOUND\"",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40210",
"datePublished": "2025-11-21T10:21:35.540Z",
"dateReserved": "2025-04-16T07:20:57.179Z",
"dateUpdated": "2025-11-21T10:21:35.540Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40209 (GCVE-0-2025-40209)
Vulnerability from cvelistv5
Published
2025-11-21 10:19
Modified
2025-11-21 10:19
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix memory leak of qgroup_list in btrfs_add_qgroup_relation
When btrfs_add_qgroup_relation() is called with invalid qgroup levels
(src >= dst), the function returns -EINVAL directly without freeing the
preallocated qgroup_list structure passed by the caller. This causes a
memory leak because the caller unconditionally sets the pointer to NULL
after the call, preventing any cleanup.
The issue occurs because the level validation check happens before the
mutex is acquired and before any error handling path that would free
the prealloc pointer. On this early return, the cleanup code at the
'out' label (which includes kfree(prealloc)) is never reached.
In btrfs_ioctl_qgroup_assign(), the code pattern is:
    prealloc = kzalloc(sizeof(*prealloc), GFP_KERNEL);
    ret = btrfs_add_qgroup_relation(trans, sa->src, sa->dst, prealloc);
    prealloc = NULL; // Always set to NULL regardless of return value
    ...
    kfree(prealloc); // This becomes kfree(NULL), does nothing
When the level check fails, 'prealloc' is never freed by either the
callee or the caller, resulting in a 64-byte memory leak per failed
operation. This can be triggered repeatedly by an unprivileged user
with access to a writable btrfs mount, potentially exhausting kernel
memory.
Fix this by freeing prealloc before the early return, ensuring prealloc
is always freed on all error paths.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/qgroup.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3412d0e973e8f8381747d69033eda809a57a2581",
"status": "affected",
"version": "4addc1ffd67ad34394674dc91379dc04cfdd2537",
"versionType": "git"
},
{
"lessThan": "a4d9ebe23bcb79d9d057e3c995db73b7b3aae414",
"status": "affected",
"version": "4addc1ffd67ad34394674dc91379dc04cfdd2537",
"versionType": "git"
},
{
"lessThan": "f260c6aff0b8af236084012d14f9f1bf792ea883",
"status": "affected",
"version": "4addc1ffd67ad34394674dc91379dc04cfdd2537",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/qgroup.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.11"
},
{
"lessThan": "6.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc5",
"versionStartIncluding": "6.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix memory leak of qgroup_list in btrfs_add_qgroup_relation\n\nWhen btrfs_add_qgroup_relation() is called with invalid qgroup levels\n(src \u003e= dst), the function returns -EINVAL directly without freeing the\npreallocated qgroup_list structure passed by the caller. This causes a\nmemory leak because the caller unconditionally sets the pointer to NULL\nafter the call, preventing any cleanup.\n\nThe issue occurs because the level validation check happens before the\nmutex is acquired and before any error handling path that would free\nthe prealloc pointer. On this early return, the cleanup code at the\n\u0027out\u0027 label (which includes kfree(prealloc)) is never reached.\n\nIn btrfs_ioctl_qgroup_assign(), the code pattern is:\n\n prealloc = kzalloc(sizeof(*prealloc), GFP_KERNEL);\n ret = btrfs_add_qgroup_relation(trans, sa-\u003esrc, sa-\u003edst, prealloc);\n prealloc = NULL; // Always set to NULL regardless of return value\n ...\n kfree(prealloc); // This becomes kfree(NULL), does nothing\n\nWhen the level check fails, \u0027prealloc\u0027 is never freed by either the\ncallee or the caller, resulting in a 64-byte memory leak per failed\noperation. This can be triggered repeatedly by an unprivileged user\nwith access to a writable btrfs mount, potentially exhausting kernel\nmemory.\n\nFix this by freeing prealloc before the early return, ensuring prealloc\nis always freed on all error paths."
}
],
"providerMetadata": {
"dateUpdated": "2025-11-21T10:19:44.757Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3412d0e973e8f8381747d69033eda809a57a2581"
},
{
"url": "https://git.kernel.org/stable/c/a4d9ebe23bcb79d9d057e3c995db73b7b3aae414"
},
{
"url": "https://git.kernel.org/stable/c/f260c6aff0b8af236084012d14f9f1bf792ea883"
}
],
"title": "btrfs: fix memory leak of qgroup_list in btrfs_add_qgroup_relation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40209",
"datePublished": "2025-11-21T10:19:44.757Z",
"dateReserved": "2025-04-16T07:20:57.179Z",
"dateUpdated": "2025-11-21T10:19:44.757Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40208 (GCVE-0-2025-40208)
Vulnerability from cvelistv5
Published
2025-11-12 21:56
Modified
2025-11-12 21:56
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: iris: fix module removal if firmware download failed
Fix remove if firmware failed to load:
qcom-iris aa00000.video-codec: Direct firmware load for qcom/vpu/vpu33_p4.mbn failed with error -2
qcom-iris aa00000.video-codec: firmware download failed
qcom-iris aa00000.video-codec: core init failed
then:
$ echo aa00000.video-codec > /sys/bus/platform/drivers/qcom-iris/unbind
Triggers:
genpd genpd:1:aa00000.video-codec: Runtime PM usage count underflow!
------------[ cut here ]------------
video_cc_mvs0_clk already disabled
WARNING: drivers/clk/clk.c:1206 at clk_core_disable+0xa4/0xac, CPU#1: sh/542
<snip>
pc : clk_core_disable+0xa4/0xac
lr : clk_core_disable+0xa4/0xac
<snip>
Call trace:
clk_core_disable+0xa4/0xac (P)
clk_disable+0x30/0x4c
iris_disable_unprepare_clock+0x20/0x48 [qcom_iris]
iris_vpu_power_off_hw+0x48/0x58 [qcom_iris]
iris_vpu33_power_off_hardware+0x44/0x230 [qcom_iris]
iris_vpu_power_off+0x34/0x84 [qcom_iris]
iris_core_deinit+0x44/0xc8 [qcom_iris]
iris_remove+0x20/0x48 [qcom_iris]
platform_remove+0x20/0x30
device_remove+0x4c/0x80
<snip>
---[ end trace 0000000000000000 ]---
------------[ cut here ]------------
video_cc_mvs0_clk already unprepared
WARNING: drivers/clk/clk.c:1065 at clk_core_unprepare+0xf0/0x110, CPU#2: sh/542
<snip>
pc : clk_core_unprepare+0xf0/0x110
lr : clk_core_unprepare+0xf0/0x110
<snip>
Call trace:
clk_core_unprepare+0xf0/0x110 (P)
clk_unprepare+0x2c/0x44
iris_disable_unprepare_clock+0x28/0x48 [qcom_iris]
iris_vpu_power_off_hw+0x48/0x58 [qcom_iris]
iris_vpu33_power_off_hardware+0x44/0x230 [qcom_iris]
iris_vpu_power_off+0x34/0x84 [qcom_iris]
iris_core_deinit+0x44/0xc8 [qcom_iris]
iris_remove+0x20/0x48 [qcom_iris]
platform_remove+0x20/0x30
device_remove+0x4c/0x80
<snip>
---[ end trace 0000000000000000 ]---
genpd genpd:0:aa00000.video-codec: Runtime PM usage count underflow!
------------[ cut here ]------------
gcc_video_axi0_clk already disabled
WARNING: drivers/clk/clk.c:1206 at clk_core_disable+0xa4/0xac, CPU#4: sh/542
<snip>
pc : clk_core_disable+0xa4/0xac
lr : clk_core_disable+0xa4/0xac
<snip>
Call trace:
clk_core_disable+0xa4/0xac (P)
clk_disable+0x30/0x4c
iris_disable_unprepare_clock+0x20/0x48 [qcom_iris]
iris_vpu33_power_off_controller+0x17c/0x428 [qcom_iris]
iris_vpu_power_off+0x48/0x84 [qcom_iris]
iris_core_deinit+0x44/0xc8 [qcom_iris]
iris_remove+0x20/0x48 [qcom_iris]
platform_remove+0x20/0x30
device_remove+0x4c/0x80
<snip>
------------[ cut here ]------------
gcc_video_axi0_clk already unprepared
WARNING: drivers/clk/clk.c:1065 at clk_core_unprepare+0xf0/0x110, CPU#4: sh/542
<snip>
pc : clk_core_unprepare+0xf0/0x110
lr : clk_core_unprepare+0xf0/0x110
<snip>
Call trace:
clk_core_unprepare+0xf0/0x110 (P)
clk_unprepare+0x2c/0x44
iris_disable_unprepare_clock+0x28/0x48 [qcom_iris]
iris_vpu33_power_off_controller+0x17c/0x428 [qcom_iris]
iris_vpu_power_off+0x48/0x84 [qcom_iris]
iris_core_deinit+0x44/0xc8 [qcom_iris]
iris_remove+0x20/0x48 [qcom_iris]
platform_remove+0x20/0x30
device_remove+0x4c/0x80
<snip>
---[ end trace 0000000000000000 ]---
Skip deinit if initialization never succeeded.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/qcom/iris/iris_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7a0a77b936ff28f59c271172e81cefebf7b2b7a6",
"status": "affected",
"version": "d7378f84e94e14998b3469dcc0d8ce609d049ccc",
"versionType": "git"
},
{
"lessThan": "fde38008fc4f43db8c17869491870df24b501543",
"status": "affected",
"version": "d7378f84e94e14998b3469dcc0d8ce609d049ccc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/qcom/iris/iris_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.15"
},
{
"lessThan": "6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc1",
"versionStartIncluding": "6.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: iris: fix module removal if firmware download failed\n\nFix remove if firmware failed to load:\nqcom-iris aa00000.video-codec: Direct firmware load for qcom/vpu/vpu33_p4.mbn failed with error -2\nqcom-iris aa00000.video-codec: firmware download failed\nqcom-iris aa00000.video-codec: core init failed\n\nthen:\n$ echo aa00000.video-codec \u003e /sys/bus/platform/drivers/qcom-iris/unbind\n\nTriggers:\ngenpd genpd:1:aa00000.video-codec: Runtime PM usage count underflow!\n------------[ cut here ]------------\nvideo_cc_mvs0_clk already disabled\nWARNING: drivers/clk/clk.c:1206 at clk_core_disable+0xa4/0xac, CPU#1: sh/542\n\u003csnip\u003e\npc : clk_core_disable+0xa4/0xac\nlr : clk_core_disable+0xa4/0xac\n\u003csnip\u003e\nCall trace:\n clk_core_disable+0xa4/0xac (P)\n clk_disable+0x30/0x4c\n iris_disable_unprepare_clock+0x20/0x48 [qcom_iris]\n iris_vpu_power_off_hw+0x48/0x58 [qcom_iris]\n iris_vpu33_power_off_hardware+0x44/0x230 [qcom_iris]\n iris_vpu_power_off+0x34/0x84 [qcom_iris]\n iris_core_deinit+0x44/0xc8 [qcom_iris]\n iris_remove+0x20/0x48 [qcom_iris]\n platform_remove+0x20/0x30\n device_remove+0x4c/0x80\n\u003csnip\u003e\n---[ end trace 0000000000000000 ]---\n------------[ cut here ]------------\nvideo_cc_mvs0_clk already unprepared\nWARNING: drivers/clk/clk.c:1065 at clk_core_unprepare+0xf0/0x110, CPU#2: sh/542\n\u003csnip\u003e\npc : clk_core_unprepare+0xf0/0x110\nlr : clk_core_unprepare+0xf0/0x110\n\u003csnip\u003e\nCall trace:\n clk_core_unprepare+0xf0/0x110 (P)\n clk_unprepare+0x2c/0x44\n iris_disable_unprepare_clock+0x28/0x48 [qcom_iris]\n iris_vpu_power_off_hw+0x48/0x58 [qcom_iris]\n iris_vpu33_power_off_hardware+0x44/0x230 [qcom_iris]\n iris_vpu_power_off+0x34/0x84 [qcom_iris]\n iris_core_deinit+0x44/0xc8 [qcom_iris]\n iris_remove+0x20/0x48 [qcom_iris]\n platform_remove+0x20/0x30\n device_remove+0x4c/0x80\n\u003csnip\u003e\n---[ end trace 0000000000000000 ]---\ngenpd 
genpd:0:aa00000.video-codec: Runtime PM usage count underflow!\n------------[ cut here ]------------\ngcc_video_axi0_clk already disabled\nWARNING: drivers/clk/clk.c:1206 at clk_core_disable+0xa4/0xac, CPU#4: sh/542\n\u003csnip\u003e\npc : clk_core_disable+0xa4/0xac\nlr : clk_core_disable+0xa4/0xac\n\u003csnip\u003e\nCall trace:\n clk_core_disable+0xa4/0xac (P)\n clk_disable+0x30/0x4c\n iris_disable_unprepare_clock+0x20/0x48 [qcom_iris]\n iris_vpu33_power_off_controller+0x17c/0x428 [qcom_iris]\n iris_vpu_power_off+0x48/0x84 [qcom_iris]\n iris_core_deinit+0x44/0xc8 [qcom_iris]\n iris_remove+0x20/0x48 [qcom_iris]\n platform_remove+0x20/0x30\n device_remove+0x4c/0x80\n\u003csnip\u003e\n------------[ cut here ]------------\ngcc_video_axi0_clk already unprepared\nWARNING: drivers/clk/clk.c:1065 at clk_core_unprepare+0xf0/0x110, CPU#4: sh/542\n\u003csnip\u003e\npc : clk_core_unprepare+0xf0/0x110\nlr : clk_core_unprepare+0xf0/0x110\n\u003csnip\u003e\nCall trace:\n clk_core_unprepare+0xf0/0x110 (P)\n clk_unprepare+0x2c/0x44\n iris_disable_unprepare_clock+0x28/0x48 [qcom_iris]\n iris_vpu33_power_off_controller+0x17c/0x428 [qcom_iris]\n iris_vpu_power_off+0x48/0x84 [qcom_iris]\n iris_core_deinit+0x44/0xc8 [qcom_iris]\n iris_remove+0x20/0x48 [qcom_iris]\n platform_remove+0x20/0x30\n device_remove+0x4c/0x80\n\u003csnip\u003e\n---[ end trace 0000000000000000 ]---\n\nSkip deinit if initialization never succeeded."
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T21:56:36.261Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7a0a77b936ff28f59c271172e81cefebf7b2b7a6"
},
{
"url": "https://git.kernel.org/stable/c/fde38008fc4f43db8c17869491870df24b501543"
}
],
"title": "media: iris: fix module removal if firmware download failed",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40208",
"datePublished": "2025-11-12T21:56:36.261Z",
"dateReserved": "2025-04-16T07:20:57.179Z",
"dateUpdated": "2025-11-12T21:56:36.261Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40207 (GCVE-0-2025-40207)
Vulnerability from cvelistv5
Published
2025-11-12 21:56
Modified
2025-11-12 21:56
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: v4l2-subdev: Fix alloc failure check in v4l2_subdev_call_state_try()
v4l2_subdev_call_state_try() macro allocates a subdev state with
__v4l2_subdev_state_alloc(), but does not check the returned value. If
__v4l2_subdev_state_alloc fails, it returns an ERR_PTR, and that would
cause v4l2_subdev_call_state_try() to crash.
Add proper error handling to v4l2_subdev_call_state_try().
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/media/v4l2-subdev.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5b0057459cdc243ffb35617603142dcace09c711",
"status": "affected",
"version": "982c0487185bd466059ff618f398a8d074ddb654",
"versionType": "git"
},
{
"lessThan": "ed30811fbed40751deb952bde534aa2632dc0bf7",
"status": "affected",
"version": "982c0487185bd466059ff618f398a8d074ddb654",
"versionType": "git"
},
{
"lessThan": "94e6336dc1f06a06f5b4cd04d4a012bba34f2857",
"status": "affected",
"version": "982c0487185bd466059ff618f398a8d074ddb654",
"versionType": "git"
},
{
"lessThan": "a553530b3314a0bdc98cf114cdbe204551a70a00",
"status": "affected",
"version": "982c0487185bd466059ff618f398a8d074ddb654",
"versionType": "git"
},
{
"lessThan": "f37df9a0eb5e43fcfe02cbaef076123dc0d79c7e",
"status": "affected",
"version": "982c0487185bd466059ff618f398a8d074ddb654",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/media/v4l2-subdev.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc1",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: v4l2-subdev: Fix alloc failure check in v4l2_subdev_call_state_try()\n\nv4l2_subdev_call_state_try() macro allocates a subdev state with\n__v4l2_subdev_state_alloc(), but does not check the returned value. If\n__v4l2_subdev_state_alloc fails, it returns an ERR_PTR, and that would\ncause v4l2_subdev_call_state_try() to crash.\n\nAdd proper error handling to v4l2_subdev_call_state_try()."
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T21:56:35.988Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5b0057459cdc243ffb35617603142dcace09c711"
},
{
"url": "https://git.kernel.org/stable/c/ed30811fbed40751deb952bde534aa2632dc0bf7"
},
{
"url": "https://git.kernel.org/stable/c/94e6336dc1f06a06f5b4cd04d4a012bba34f2857"
},
{
"url": "https://git.kernel.org/stable/c/a553530b3314a0bdc98cf114cdbe204551a70a00"
},
{
"url": "https://git.kernel.org/stable/c/f37df9a0eb5e43fcfe02cbaef076123dc0d79c7e"
}
],
"title": "media: v4l2-subdev: Fix alloc failure check in v4l2_subdev_call_state_try()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40207",
"datePublished": "2025-11-12T21:56:35.988Z",
"dateReserved": "2025-04-16T07:20:57.179Z",
"dateUpdated": "2025-11-12T21:56:35.988Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40206 (GCVE-0-2025-40206)
Vulnerability from cvelistv5
Published
2025-11-12 21:56
Modified
2025-11-12 21:56
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_objref: validate objref and objrefmap expressions
Referencing a synproxy stateful object from OUTPUT hook causes kernel
crash due to infinite recursive calls:
BUG: TASK stack guard page was hit at 000000008bda5b8c (stack is 000000003ab1c4a5..00000000494d8b12)
[...]
Call Trace:
__find_rr_leaf+0x99/0x230
fib6_table_lookup+0x13b/0x2d0
ip6_pol_route+0xa4/0x400
fib6_rule_lookup+0x156/0x240
ip6_route_output_flags+0xc6/0x150
__nf_ip6_route+0x23/0x50
synproxy_send_tcp_ipv6+0x106/0x200
synproxy_send_client_synack_ipv6+0x1aa/0x1f0
nft_synproxy_do_eval+0x263/0x310
nft_do_chain+0x5a8/0x5f0 [nf_tables
nft_do_chain_inet+0x98/0x110
nf_hook_slow+0x43/0xc0
__ip6_local_out+0xf0/0x170
ip6_local_out+0x17/0x70
synproxy_send_tcp_ipv6+0x1a2/0x200
synproxy_send_client_synack_ipv6+0x1aa/0x1f0
[...]
Implement objref and objrefmap expression validate functions.
Currently, only NFT_OBJECT_SYNPROXY object type requires validation.
This will also handle a jump to a chain using a synproxy object from the
OUTPUT hook.
Now when trying to reference a synproxy object in the OUTPUT hook, nft
will produce the following error:
synproxy_crash.nft: Error: Could not process rule: Operation not supported
synproxy name mysynproxy
^^^^^^^^^^^^^^^^^^^^^^^^
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nft_objref.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0028e0134c64d9ed21728341a74fcfc59cd0f944",
"status": "affected",
"version": "ee394f96ad7517fbc0de9106dcc7ce9efb14f264",
"versionType": "git"
},
{
"lessThan": "7ea55a44493a5a36c3b3293b88bbe4841f9dbaf0",
"status": "affected",
"version": "ee394f96ad7517fbc0de9106dcc7ce9efb14f264",
"versionType": "git"
},
{
"lessThan": "4c1cf72ec10be5a9ad264650cadffa1fbce6fabd",
"status": "affected",
"version": "ee394f96ad7517fbc0de9106dcc7ce9efb14f264",
"versionType": "git"
},
{
"lessThan": "f359b809d54c6e3dd1d039b97e0b68390b0e53e4",
"status": "affected",
"version": "ee394f96ad7517fbc0de9106dcc7ce9efb14f264",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nft_objref.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc1",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_objref: validate objref and objrefmap expressions\n\nReferencing a synproxy stateful object from OUTPUT hook causes kernel\ncrash due to infinite recursive calls:\n\nBUG: TASK stack guard page was hit at 000000008bda5b8c (stack is 000000003ab1c4a5..00000000494d8b12)\n[...]\nCall Trace:\n __find_rr_leaf+0x99/0x230\n fib6_table_lookup+0x13b/0x2d0\n ip6_pol_route+0xa4/0x400\n fib6_rule_lookup+0x156/0x240\n ip6_route_output_flags+0xc6/0x150\n __nf_ip6_route+0x23/0x50\n synproxy_send_tcp_ipv6+0x106/0x200\n synproxy_send_client_synack_ipv6+0x1aa/0x1f0\n nft_synproxy_do_eval+0x263/0x310\n nft_do_chain+0x5a8/0x5f0 [nf_tables\n nft_do_chain_inet+0x98/0x110\n nf_hook_slow+0x43/0xc0\n __ip6_local_out+0xf0/0x170\n ip6_local_out+0x17/0x70\n synproxy_send_tcp_ipv6+0x1a2/0x200\n synproxy_send_client_synack_ipv6+0x1aa/0x1f0\n[...]\n\nImplement objref and objrefmap expression validate functions.\n\nCurrently, only NFT_OBJECT_SYNPROXY object type requires validation.\nThis will also handle a jump to a chain using a synproxy object from the\nOUTPUT hook.\n\nNow when trying to reference a synproxy object in the OUTPUT hook, nft\nwill produce the following error:\n\nsynproxy_crash.nft: Error: Could not process rule: Operation not supported\n synproxy name mysynproxy\n ^^^^^^^^^^^^^^^^^^^^^^^^"
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T21:56:35.675Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0028e0134c64d9ed21728341a74fcfc59cd0f944"
},
{
"url": "https://git.kernel.org/stable/c/7ea55a44493a5a36c3b3293b88bbe4841f9dbaf0"
},
{
"url": "https://git.kernel.org/stable/c/4c1cf72ec10be5a9ad264650cadffa1fbce6fabd"
},
{
"url": "https://git.kernel.org/stable/c/f359b809d54c6e3dd1d039b97e0b68390b0e53e4"
}
],
"title": "netfilter: nft_objref: validate objref and objrefmap expressions",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40206",
"datePublished": "2025-11-12T21:56:35.675Z",
"dateReserved": "2025-04-16T07:20:57.179Z",
"dateUpdated": "2025-11-12T21:56:35.675Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40205 (GCVE-0-2025-40205)
Vulnerability from cvelistv5
Published
2025-11-12 21:56
Modified
2025-11-12 21:56
Summary
In the Linux kernel, the following vulnerability has been resolved:

btrfs: avoid potential out-of-bounds in btrfs_encode_fh()

The function btrfs_encode_fh() does not properly account for the three
cases it handles.

Before writing to the file handle (fh), the function only returns to the
user BTRFS_FID_SIZE_NON_CONNECTABLE (5 dwords, 20 bytes) or
BTRFS_FID_SIZE_CONNECTABLE (8 dwords, 32 bytes).

However, when a parent exists and the root ID of the parent and the
inode are different, the function writes BTRFS_FID_SIZE_CONNECTABLE_ROOT
(10 dwords, 40 bytes).

If *max_len is not large enough, this write goes out of bounds because
BTRFS_FID_SIZE_CONNECTABLE_ROOT is greater than
BTRFS_FID_SIZE_CONNECTABLE originally returned.

This results in an 8-byte out-of-bounds write at
fid->parent_root_objectid = parent_root_id.

A previous attempt to fix this issue was made but was lost.

https://lore.kernel.org/all/4CADAEEC020000780001B32C@vpn.id2.novell.com/

Although this issue does not seem to be easily triggerable, it is a
potential memory corruption bug that should be fixed. This patch
resolves the issue by ensuring the function returns the appropriate size
for all three cases and validates that *max_len is large enough before
writing any data.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Version: be6e8dc0ba84029997075a1ec77b4ddb863cbe15 |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/export.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "60de2f55d2aca53e81b4ef2a67d7cc9e1eb677db",
"status": "affected",
"version": "be6e8dc0ba84029997075a1ec77b4ddb863cbe15",
"versionType": "git"
},
{
"lessThan": "742b44342204e5dfe3926433823623c1a0c581df",
"status": "affected",
"version": "be6e8dc0ba84029997075a1ec77b4ddb863cbe15",
"versionType": "git"
},
{
"lessThan": "d3a9a8e1275eb9b87f006b5562a287aea3f6885f",
"status": "affected",
"version": "be6e8dc0ba84029997075a1ec77b4ddb863cbe15",
"versionType": "git"
},
{
"lessThan": "d91f6626133698362bba08fbc04bd72c466806d3",
"status": "affected",
"version": "be6e8dc0ba84029997075a1ec77b4ddb863cbe15",
"versionType": "git"
},
{
"lessThan": "0276c8582488022f057b4cec21975a5edf079f47",
"status": "affected",
"version": "be6e8dc0ba84029997075a1ec77b4ddb863cbe15",
"versionType": "git"
},
{
"lessThan": "361d67276eb8ec6be8f27f4ad6c6090459438fee",
"status": "affected",
"version": "be6e8dc0ba84029997075a1ec77b4ddb863cbe15",
"versionType": "git"
},
{
"lessThan": "43143776b0a7604d873d1a6f3e552a00aa930224",
"status": "affected",
"version": "be6e8dc0ba84029997075a1ec77b4ddb863cbe15",
"versionType": "git"
},
{
"lessThan": "dff4f9ff5d7f289e4545cc936362e01ed3252742",
"status": "affected",
"version": "be6e8dc0ba84029997075a1ec77b4ddb863cbe15",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/export.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.29"
},
{
"lessThan": "2.6.29",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc1",
"versionStartIncluding": "2.6.29",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: avoid potential out-of-bounds in btrfs_encode_fh()\n\nThe function btrfs_encode_fh() does not properly account for the three\ncases it handles.\n\nBefore writing to the file handle (fh), the function only returns to the\nuser BTRFS_FID_SIZE_NON_CONNECTABLE (5 dwords, 20 bytes) or\nBTRFS_FID_SIZE_CONNECTABLE (8 dwords, 32 bytes).\n\nHowever, when a parent exists and the root ID of the parent and the\ninode are different, the function writes BTRFS_FID_SIZE_CONNECTABLE_ROOT\n(10 dwords, 40 bytes).\n\nIf *max_len is not large enough, this write goes out of bounds because\nBTRFS_FID_SIZE_CONNECTABLE_ROOT is greater than\nBTRFS_FID_SIZE_CONNECTABLE originally returned.\n\nThis results in an 8-byte out-of-bounds write at\nfid-\u003eparent_root_objectid = parent_root_id.\n\nA previous attempt to fix this issue was made but was lost.\n\nhttps://lore.kernel.org/all/4CADAEEC020000780001B32C@vpn.id2.novell.com/\n\nAlthough this issue does not seem to be easily triggerable, it is a\npotential memory corruption bug that should be fixed. This patch\nresolves the issue by ensuring the function returns the appropriate size\nfor all three cases and validates that *max_len is large enough before\nwriting any data."
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T21:56:35.403Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/60de2f55d2aca53e81b4ef2a67d7cc9e1eb677db"
},
{
"url": "https://git.kernel.org/stable/c/742b44342204e5dfe3926433823623c1a0c581df"
},
{
"url": "https://git.kernel.org/stable/c/d3a9a8e1275eb9b87f006b5562a287aea3f6885f"
},
{
"url": "https://git.kernel.org/stable/c/d91f6626133698362bba08fbc04bd72c466806d3"
},
{
"url": "https://git.kernel.org/stable/c/0276c8582488022f057b4cec21975a5edf079f47"
},
{
"url": "https://git.kernel.org/stable/c/361d67276eb8ec6be8f27f4ad6c6090459438fee"
},
{
"url": "https://git.kernel.org/stable/c/43143776b0a7604d873d1a6f3e552a00aa930224"
},
{
"url": "https://git.kernel.org/stable/c/dff4f9ff5d7f289e4545cc936362e01ed3252742"
}
],
"title": "btrfs: avoid potential out-of-bounds in btrfs_encode_fh()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40205",
"datePublished": "2025-11-12T21:56:35.403Z",
"dateReserved": "2025-04-16T07:20:57.179Z",
"dateUpdated": "2025-11-12T21:56:35.403Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40204 (GCVE-0-2025-40204)
Vulnerability from cvelistv5
Published
2025-11-12 21:56
Modified
2025-11-12 21:56
Summary
In the Linux kernel, the following vulnerability has been resolved:

sctp: Fix MAC comparison to be constant-time

To prevent timing attacks, MACs need to be compared in constant time.
Use the appropriate helper function for this.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sctp/sm_make_chunk.c",
"net/sctp/sm_statefuns.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b93fa8dc521d00d2d44bf034fb90e0d79b036617",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0e8b8c326c2a6de4d837b1bb034ea704f4690d77",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1cd60e0d0fb8f0e62ec4499138afce6342dc9d4c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9c05d44ec24126fc283835b68f82dba3ae985209",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ed3044b9c810c5c24eb2830053fbfe5fd134c5d4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8019b3699289fce3f10b63f98601db97b8d105b0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0b32ff285ff6f6f1ac1d9495787ccce8837d6405",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "dd91c79e4f58fbe2898dac84858033700e0e99fb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sctp/sm_make_chunk.c",
"net/sctp/sm_statefuns.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc1",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: Fix MAC comparison to be constant-time\n\nTo prevent timing attacks, MACs need to be compared in constant time.\nUse the appropriate helper function for this."
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T21:56:35.110Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b93fa8dc521d00d2d44bf034fb90e0d79b036617"
},
{
"url": "https://git.kernel.org/stable/c/0e8b8c326c2a6de4d837b1bb034ea704f4690d77"
},
{
"url": "https://git.kernel.org/stable/c/1cd60e0d0fb8f0e62ec4499138afce6342dc9d4c"
},
{
"url": "https://git.kernel.org/stable/c/9c05d44ec24126fc283835b68f82dba3ae985209"
},
{
"url": "https://git.kernel.org/stable/c/ed3044b9c810c5c24eb2830053fbfe5fd134c5d4"
},
{
"url": "https://git.kernel.org/stable/c/8019b3699289fce3f10b63f98601db97b8d105b0"
},
{
"url": "https://git.kernel.org/stable/c/0b32ff285ff6f6f1ac1d9495787ccce8837d6405"
},
{
"url": "https://git.kernel.org/stable/c/dd91c79e4f58fbe2898dac84858033700e0e99fb"
}
],
"title": "sctp: Fix MAC comparison to be constant-time",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40204",
"datePublished": "2025-11-12T21:56:35.110Z",
"dateReserved": "2025-04-16T07:20:57.179Z",
"dateUpdated": "2025-11-12T21:56:35.110Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40203 (GCVE-0-2025-40203)
Vulnerability from cvelistv5
Published
2025-11-12 21:56
Modified
2025-11-12 21:56
Summary
In the Linux kernel, the following vulnerability has been resolved:

listmount: don't call path_put() under namespace semaphore

Massage listmount() and make sure we don't call path_put() under the
namespace semaphore. If we put the last reference we're fscked.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/namespace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "659874b7ee4976ad9ce476e07fd36bc67b3537f1",
"status": "affected",
"version": "b4c2bea8ceaa50cd42a8f73667389d801a3ecf2d",
"versionType": "git"
},
{
"lessThan": "9c80da26fda2fdcaac7f92b5908875b3108830ff",
"status": "affected",
"version": "b4c2bea8ceaa50cd42a8f73667389d801a3ecf2d",
"versionType": "git"
},
{
"lessThan": "c1f86d0ac322c7e77f6f8dbd216c65d39358ffc0",
"status": "affected",
"version": "b4c2bea8ceaa50cd42a8f73667389d801a3ecf2d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/namespace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc1",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlistmount: don\u0027t call path_put() under namespace semaphore\n\nMassage listmount() and make sure we don\u0027t call path_put() under the\nnamespace semaphore. If we put the last reference we\u0027re fscked."
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T21:56:34.801Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/659874b7ee4976ad9ce476e07fd36bc67b3537f1"
},
{
"url": "https://git.kernel.org/stable/c/9c80da26fda2fdcaac7f92b5908875b3108830ff"
},
{
"url": "https://git.kernel.org/stable/c/c1f86d0ac322c7e77f6f8dbd216c65d39358ffc0"
}
],
"title": "listmount: don\u0027t call path_put() under namespace semaphore",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40203",
"datePublished": "2025-11-12T21:56:34.801Z",
"dateReserved": "2025-04-16T07:20:57.179Z",
"dateUpdated": "2025-11-12T21:56:34.801Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40202 (GCVE-0-2025-40202)
Vulnerability from cvelistv5
Published
2025-11-12 21:56
Modified
2025-11-12 21:56
Summary
In the Linux kernel, the following vulnerability has been resolved:

ipmi: Rework user message limit handling

The limit on the number of user messages had a number of issues,
improper counting in some cases and a use after free.

Restructure how this is all done to handle more in the receive message
allocation routine, so all refcounting and user message limit counts
are done in that routine. It's a lot cleaner and safer.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/char/ipmi/ipmi_msghandler.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f63723ca7d7623f9dae1990973cd158671f03c56",
"status": "affected",
"version": "8e76741c3d8b20dfa2d6c30fa10ff927cfd93d82",
"versionType": "git"
},
{
"lessThan": "348121b29594d42d1635648fd3ed31dfa25351d5",
"status": "affected",
"version": "8e76741c3d8b20dfa2d6c30fa10ff927cfd93d82",
"versionType": "git"
},
{
"lessThan": "53d6e403affbf6df2c859a0ea00ccfc1e72090ca",
"status": "affected",
"version": "8e76741c3d8b20dfa2d6c30fa10ff927cfd93d82",
"versionType": "git"
},
{
"lessThan": "0ed73be9a2547ffb9b5c1d879ad9bfab73d920b5",
"status": "affected",
"version": "8e76741c3d8b20dfa2d6c30fa10ff927cfd93d82",
"versionType": "git"
},
{
"lessThan": "b52da4054ee0bf9ecb44996f2c83236ff50b3812",
"status": "affected",
"version": "8e76741c3d8b20dfa2d6c30fa10ff927cfd93d82",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/char/ipmi/ipmi_msghandler.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc1",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipmi: Rework user message limit handling\n\nThe limit on the number of user messages had a number of issues,\nimproper counting in some cases and a use after free.\n\nRestructure how this is all done to handle more in the receive message\nallocation routine, so all refcouting and user message limit counts\nare done in that routine. It\u0027s a lot cleaner and safer."
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T21:56:34.527Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f63723ca7d7623f9dae1990973cd158671f03c56"
},
{
"url": "https://git.kernel.org/stable/c/348121b29594d42d1635648fd3ed31dfa25351d5"
},
{
"url": "https://git.kernel.org/stable/c/53d6e403affbf6df2c859a0ea00ccfc1e72090ca"
},
{
"url": "https://git.kernel.org/stable/c/0ed73be9a2547ffb9b5c1d879ad9bfab73d920b5"
},
{
"url": "https://git.kernel.org/stable/c/b52da4054ee0bf9ecb44996f2c83236ff50b3812"
}
],
"title": "ipmi: Rework user message limit handling",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40202",
"datePublished": "2025-11-12T21:56:34.527Z",
"dateReserved": "2025-04-16T07:20:57.179Z",
"dateUpdated": "2025-11-12T21:56:34.527Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40201 (GCVE-0-2025-40201)
Vulnerability from cvelistv5
Published
2025-11-12 21:56
Modified
2025-11-12 21:56
Summary
In the Linux kernel, the following vulnerability has been resolved:

kernel/sys.c: fix the racy usage of task_lock(tsk->group_leader) in sys_prlimit64() paths

The usage of task_lock(tsk->group_leader) in sys_prlimit64()->do_prlimit()
path is very broken.

sys_prlimit64() does get_task_struct(tsk) but this only protects task_struct
itself. If tsk != current and tsk is not a leader, this process can exit/exec
and task_lock(tsk->group_leader) may use the already freed task_struct.

Another problem is that sys_prlimit64() can race with mt-exec which changes
->group_leader. In this case do_prlimit() may take the wrong lock, or (worse)
->group_leader may change between task_lock() and task_unlock().

Change sys_prlimit64() to take tasklist_lock when necessary. This is not
nice, but I don't see a better fix for -stable.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/sys.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1bc0d9315ef5296abb2c9fd840336255850ded18",
"status": "affected",
"version": "18c91bb2d87268d23868bf13508f5bc9cf04e89a",
"versionType": "git"
},
{
"lessThan": "132f827e7bac7373e1522e89709d70b43cae5342",
"status": "affected",
"version": "18c91bb2d87268d23868bf13508f5bc9cf04e89a",
"versionType": "git"
},
{
"lessThan": "19b45c84bd9fd42fa97ff80c6350d604cb871c75",
"status": "affected",
"version": "18c91bb2d87268d23868bf13508f5bc9cf04e89a",
"versionType": "git"
},
{
"lessThan": "6796412decd2d8de8ec708213bbc958fab72f143",
"status": "affected",
"version": "18c91bb2d87268d23868bf13508f5bc9cf04e89a",
"versionType": "git"
},
{
"lessThan": "a15f37a40145c986cdf289a4b88390f35efdecc4",
"status": "affected",
"version": "18c91bb2d87268d23868bf13508f5bc9cf04e89a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/sys.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc1",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nkernel/sys.c: fix the racy usage of task_lock(tsk-\u003egroup_leader) in sys_prlimit64() paths\n\nThe usage of task_lock(tsk-\u003egroup_leader) in sys_prlimit64()-\u003edo_prlimit()\npath is very broken.\n\nsys_prlimit64() does get_task_struct(tsk) but this only protects task_struct\nitself. If tsk != current and tsk is not a leader, this process can exit/exec\nand task_lock(tsk-\u003egroup_leader) may use the already freed task_struct.\n\nAnother problem is that sys_prlimit64() can race with mt-exec which changes\n-\u003egroup_leader. In this case do_prlimit() may take the wrong lock, or (worse)\n-\u003egroup_leader may change between task_lock() and task_unlock().\n\nChange sys_prlimit64() to take tasklist_lock when necessary. This is not\nnice, but I don\u0027t see a better fix for -stable."
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T21:56:34.063Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1bc0d9315ef5296abb2c9fd840336255850ded18"
},
{
"url": "https://git.kernel.org/stable/c/132f827e7bac7373e1522e89709d70b43cae5342"
},
{
"url": "https://git.kernel.org/stable/c/19b45c84bd9fd42fa97ff80c6350d604cb871c75"
},
{
"url": "https://git.kernel.org/stable/c/6796412decd2d8de8ec708213bbc958fab72f143"
},
{
"url": "https://git.kernel.org/stable/c/a15f37a40145c986cdf289a4b88390f35efdecc4"
}
],
"title": "kernel/sys.c: fix the racy usage of task_lock(tsk-\u003egroup_leader) in sys_prlimit64() paths",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40201",
"datePublished": "2025-11-12T21:56:34.063Z",
"dateReserved": "2025-04-16T07:20:57.178Z",
"dateUpdated": "2025-11-12T21:56:34.063Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40200 (GCVE-0-2025-40200)
Vulnerability from cvelistv5
Published
2025-11-12 21:56
Modified
2025-11-12 21:56
Summary
In the Linux kernel, the following vulnerability has been resolved:
Squashfs: reject negative file sizes in squashfs_read_inode()
Syzkaller reports a "WARNING in ovl_copy_up_file" in overlayfs.
This warning is ultimately caused because the underlying Squashfs file
system returns a file with a negative file size.
This commit checks for a negative file size and returns EINVAL.
[phillip@squashfs.org.uk: only need to check 64 bit quantity]
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Version: 6545b246a2c815a8fcd07d58240effb6ec3481b1 Version: 6545b246a2c815a8fcd07d58240effb6ec3481b1 Version: 6545b246a2c815a8fcd07d58240effb6ec3481b1 Version: 6545b246a2c815a8fcd07d58240effb6ec3481b1 Version: 6545b246a2c815a8fcd07d58240effb6ec3481b1 Version: 6545b246a2c815a8fcd07d58240effb6ec3481b1 Version: 6545b246a2c815a8fcd07d58240effb6ec3481b1 Version: 6545b246a2c815a8fcd07d58240effb6ec3481b1 |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/squashfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "54170057a5fadd24a37b70de41e61d39284d9bd7",
"status": "affected",
"version": "6545b246a2c815a8fcd07d58240effb6ec3481b1",
"versionType": "git"
},
{
"lessThan": "2871c74caa3f4f05b429e6bfefebac62dbf1b408",
"status": "affected",
"version": "6545b246a2c815a8fcd07d58240effb6ec3481b1",
"versionType": "git"
},
{
"lessThan": "fbfc745db628de31f5c089147deeb87e95b89e66",
"status": "affected",
"version": "6545b246a2c815a8fcd07d58240effb6ec3481b1",
"versionType": "git"
},
{
"lessThan": "8118f66124895829443d09c207e654adcb2f9321",
"status": "affected",
"version": "6545b246a2c815a8fcd07d58240effb6ec3481b1",
"versionType": "git"
},
{
"lessThan": "8c7aad76751816207fee556d44aa88a710824810",
"status": "affected",
"version": "6545b246a2c815a8fcd07d58240effb6ec3481b1",
"versionType": "git"
},
{
"lessThan": "875fb3f87ae0225b881319ba016a1a8c4ffd5812",
"status": "affected",
"version": "6545b246a2c815a8fcd07d58240effb6ec3481b1",
"versionType": "git"
},
{
"lessThan": "f271155ff31aca8ef82c61c8df23ca97e9a77dd4",
"status": "affected",
"version": "6545b246a2c815a8fcd07d58240effb6ec3481b1",
"versionType": "git"
},
{
"lessThan": "9f1c14c1de1bdde395f6cc893efa4f80a2ae3b2b",
"status": "affected",
"version": "6545b246a2c815a8fcd07d58240effb6ec3481b1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/squashfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.29"
},
{
"lessThan": "2.6.29",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc1",
"versionStartIncluding": "2.6.29",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nSquashfs: reject negative file sizes in squashfs_read_inode()\n\nSyskaller reports a \"WARNING in ovl_copy_up_file\" in overlayfs.\n\nThis warning is ultimately caused because the underlying Squashfs file\nsystem returns a file with a negative file size.\n\nThis commit checks for a negative file size and returns EINVAL.\n\n[phillip@squashfs.org.uk: only need to check 64 bit quantity]"
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T21:56:33.783Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/54170057a5fadd24a37b70de41e61d39284d9bd7"
},
{
"url": "https://git.kernel.org/stable/c/2871c74caa3f4f05b429e6bfefebac62dbf1b408"
},
{
"url": "https://git.kernel.org/stable/c/fbfc745db628de31f5c089147deeb87e95b89e66"
},
{
"url": "https://git.kernel.org/stable/c/8118f66124895829443d09c207e654adcb2f9321"
},
{
"url": "https://git.kernel.org/stable/c/8c7aad76751816207fee556d44aa88a710824810"
},
{
"url": "https://git.kernel.org/stable/c/875fb3f87ae0225b881319ba016a1a8c4ffd5812"
},
{
"url": "https://git.kernel.org/stable/c/f271155ff31aca8ef82c61c8df23ca97e9a77dd4"
},
{
"url": "https://git.kernel.org/stable/c/9f1c14c1de1bdde395f6cc893efa4f80a2ae3b2b"
}
],
"title": "Squashfs: reject negative file sizes in squashfs_read_inode()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40200",
"datePublished": "2025-11-12T21:56:33.783Z",
"dateReserved": "2025-04-16T07:20:57.178Z",
"dateUpdated": "2025-11-12T21:56:33.783Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40199 (GCVE-0-2025-40199)
Vulnerability from cvelistv5
Published
2025-11-12 21:56
Modified
2025-11-12 21:56
Summary
In the Linux kernel, the following vulnerability has been resolved:
page_pool: Fix PP_MAGIC_MASK to avoid crashing on some 32-bit arches
Helge reported that the introduction of PP_MAGIC_MASK led to crashes on
boot on his 32-bit parisc machine. The cause of this is the mask is set
too wide, so the page_pool_page_is_pp() incurs false positives which
crashes the machine.
Just disabling the check in page_pool_is_pp() will lead to the page_pool
code itself malfunctioning; so instead of doing this, this patch changes
the define for PP_DMA_INDEX_BITS to avoid mistaking arbitrary kernel
pointers for page_pool-tagged pages.
The fix relies on the kernel pointers that alias with the pp_magic field
always being above PAGE_OFFSET. With this assumption, we can use the
lowest bit of the value of PAGE_OFFSET as the upper bound of the
PP_DMA_INDEX_MASK, which should avoid the false positives.
Because we cannot rely on PAGE_OFFSET always being a compile-time
constant, nor on it always being >0, we fall back to disabling the
dma_index storage when there are not enough bits available. This leaves
us in the situation we were in before the patch in the Fixes tag, but
only on a subset of architecture configurations. This seems to be the
best we can do until the transition to page types is complete for
page_pool pages.
v2:
- Make sure there's at least 8 bits available and that the PAGE_OFFSET
bit calculation doesn't wrap
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/mm.h",
"net/core/page_pool.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "15b8a5b4cdc16e9a8bb2a548e12a0fd92997605a",
"status": "affected",
"version": "4f51fb0d257ff4d406ec27966902de075e3b118e",
"versionType": "git"
},
{
"lessThan": "f62934cea32c8f7b11b747975d69bf5afe4264cf",
"status": "affected",
"version": "ee62ce7a1d909ccba0399680a03c2dee83bcae95",
"versionType": "git"
},
{
"lessThan": "95920c2ed02bde551ab654e9749c2ca7bc3100e0",
"status": "affected",
"version": "ee62ce7a1d909ccba0399680a03c2dee83bcae95",
"versionType": "git"
},
{
"status": "affected",
"version": "c30ae60f41f9edd6e1b5cad41cf28ce04dae39e4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/mm.h",
"net/core/page_pool.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.16"
},
{
"lessThan": "6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "6.12.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc1",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.15.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npage_pool: Fix PP_MAGIC_MASK to avoid crashing on some 32-bit arches\n\nHelge reported that the introduction of PP_MAGIC_MASK let to crashes on\nboot on his 32-bit parisc machine. The cause of this is the mask is set\ntoo wide, so the page_pool_page_is_pp() incurs false positives which\ncrashes the machine.\n\nJust disabling the check in page_pool_is_pp() will lead to the page_pool\ncode itself malfunctioning; so instead of doing this, this patch changes\nthe define for PP_DMA_INDEX_BITS to avoid mistaking arbitrary kernel\npointers for page_pool-tagged pages.\n\nThe fix relies on the kernel pointers that alias with the pp_magic field\nalways being above PAGE_OFFSET. With this assumption, we can use the\nlowest bit of the value of PAGE_OFFSET as the upper bound of the\nPP_DMA_INDEX_MASK, which should avoid the false positives.\n\nBecause we cannot rely on PAGE_OFFSET always being a compile-time\nconstant, nor on it always being \u003e0, we fall back to disabling the\ndma_index storage when there are not enough bits available. This leaves\nus in the situation we were in before the patch in the Fixes tag, but\nonly on a subset of architecture configurations. This seems to be the\nbest we can do until the transition to page types in complete for\npage_pool pages.\n\nv2:\n- Make sure there\u0027s at least 8 bits available and that the PAGE_OFFSET\n bit calculation doesn\u0027t wrap"
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T21:56:33.510Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/15b8a5b4cdc16e9a8bb2a548e12a0fd92997605a"
},
{
"url": "https://git.kernel.org/stable/c/f62934cea32c8f7b11b747975d69bf5afe4264cf"
},
{
"url": "https://git.kernel.org/stable/c/95920c2ed02bde551ab654e9749c2ca7bc3100e0"
}
],
"title": "page_pool: Fix PP_MAGIC_MASK to avoid crashing on some 32-bit arches",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40199",
"datePublished": "2025-11-12T21:56:33.510Z",
"dateReserved": "2025-04-16T07:20:57.178Z",
"dateUpdated": "2025-11-12T21:56:33.510Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40198 (GCVE-0-2025-40198)
Vulnerability from cvelistv5
Published
2025-11-12 21:56
Modified
2025-11-12 21:56
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: avoid potential buffer over-read in parse_apply_sb_mount_options()
Unlike other strings in the ext4 superblock, we rely on tune2fs to
make sure s_mount_opts is NUL terminated. Harden
parse_apply_sb_mount_options() by treating s_mount_opts as a potential
__nonstring.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Version: 8b67f04ab9de5d8f3a71aef72bf02c995a506db5 Version: 8b67f04ab9de5d8f3a71aef72bf02c995a506db5 Version: 8b67f04ab9de5d8f3a71aef72bf02c995a506db5 Version: 8b67f04ab9de5d8f3a71aef72bf02c995a506db5 Version: 8b67f04ab9de5d8f3a71aef72bf02c995a506db5 Version: 8b67f04ab9de5d8f3a71aef72bf02c995a506db5 Version: 8b67f04ab9de5d8f3a71aef72bf02c995a506db5 |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7bf46ff83a0ef11836e38ebd72cdc5107209342d",
"status": "affected",
"version": "8b67f04ab9de5d8f3a71aef72bf02c995a506db5",
"versionType": "git"
},
{
"lessThan": "b2bac84fde28fb6a88817b8b761abda17a1d300b",
"status": "affected",
"version": "8b67f04ab9de5d8f3a71aef72bf02c995a506db5",
"versionType": "git"
},
{
"lessThan": "e651294218d2684302ee5ed95ccf381646f3e5b4",
"status": "affected",
"version": "8b67f04ab9de5d8f3a71aef72bf02c995a506db5",
"versionType": "git"
},
{
"lessThan": "01829af7656b56d83682b3491265d583d502e502",
"status": "affected",
"version": "8b67f04ab9de5d8f3a71aef72bf02c995a506db5",
"versionType": "git"
},
{
"lessThan": "2a0cf438320cdb783e0378570744c0ef0d83e934",
"status": "affected",
"version": "8b67f04ab9de5d8f3a71aef72bf02c995a506db5",
"versionType": "git"
},
{
"lessThan": "a6e94557cd05adc82fae0400f6e17745563e5412",
"status": "affected",
"version": "8b67f04ab9de5d8f3a71aef72bf02c995a506db5",
"versionType": "git"
},
{
"lessThan": "8ecb790ea8c3fc69e77bace57f14cf0d7c177bd8",
"status": "affected",
"version": "8b67f04ab9de5d8f3a71aef72bf02c995a506db5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.36"
},
{
"lessThan": "2.6.36",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.114",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.114",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc1",
"versionStartIncluding": "2.6.36",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: avoid potential buffer over-read in parse_apply_sb_mount_options()\n\nUnlike other strings in the ext4 superblock, we rely on tune2fs to\nmake sure s_mount_opts is NUL terminated. Harden\nparse_apply_sb_mount_options() by treating s_mount_opts as a potential\n__nonstring."
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T21:56:33.220Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7bf46ff83a0ef11836e38ebd72cdc5107209342d"
},
{
"url": "https://git.kernel.org/stable/c/b2bac84fde28fb6a88817b8b761abda17a1d300b"
},
{
"url": "https://git.kernel.org/stable/c/e651294218d2684302ee5ed95ccf381646f3e5b4"
},
{
"url": "https://git.kernel.org/stable/c/01829af7656b56d83682b3491265d583d502e502"
},
{
"url": "https://git.kernel.org/stable/c/2a0cf438320cdb783e0378570744c0ef0d83e934"
},
{
"url": "https://git.kernel.org/stable/c/a6e94557cd05adc82fae0400f6e17745563e5412"
},
{
"url": "https://git.kernel.org/stable/c/8ecb790ea8c3fc69e77bace57f14cf0d7c177bd8"
}
],
"title": "ext4: avoid potential buffer over-read in parse_apply_sb_mount_options()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40198",
"datePublished": "2025-11-12T21:56:33.220Z",
"dateReserved": "2025-04-16T07:20:57.178Z",
"dateUpdated": "2025-11-12T21:56:33.220Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40197 (GCVE-0-2025-40197)
Vulnerability from cvelistv5
Published
2025-11-12 21:56
Modified
2025-11-12 21:56
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: mc: Clear minor number before put device
The device minor should not be cleared after the device is released.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/mc/mc-devnode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dd156f44ea82cc249f46c519eed3b2f8983c8002",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "64dbc6f50ce92b7da203b1bcdd96a370bbc9b74d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5d327391f9fafeb0938be4fc538dd0bd54a0b2ef",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8f52c7f38f0f2ee2afc331e6b873acba5e9490a8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7bd4e5367d0940ccec4d7546bb6bd019ab2c71aa",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7db47e737128b3585ae679b709b85f3f44cd8750",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ac01416d477c2dc6016782635ae022f8cc634a29",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8cfc8cec1b4da88a47c243a11f384baefd092a50",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/mc/mc-devnode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mc: Clear minor number before put device\n\nThe device minor should not be cleared after the device is released."
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T21:56:32.852Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dd156f44ea82cc249f46c519eed3b2f8983c8002"
},
{
"url": "https://git.kernel.org/stable/c/64dbc6f50ce92b7da203b1bcdd96a370bbc9b74d"
},
{
"url": "https://git.kernel.org/stable/c/5d327391f9fafeb0938be4fc538dd0bd54a0b2ef"
},
{
"url": "https://git.kernel.org/stable/c/8f52c7f38f0f2ee2afc331e6b873acba5e9490a8"
},
{
"url": "https://git.kernel.org/stable/c/7bd4e5367d0940ccec4d7546bb6bd019ab2c71aa"
},
{
"url": "https://git.kernel.org/stable/c/7db47e737128b3585ae679b709b85f3f44cd8750"
},
{
"url": "https://git.kernel.org/stable/c/ac01416d477c2dc6016782635ae022f8cc634a29"
},
{
"url": "https://git.kernel.org/stable/c/8cfc8cec1b4da88a47c243a11f384baefd092a50"
}
],
"title": "media: mc: Clear minor number before put device",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40197",
"datePublished": "2025-11-12T21:56:32.852Z",
"dateReserved": "2025-04-16T07:20:57.178Z",
"dateUpdated": "2025-11-12T21:56:32.852Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40196 (GCVE-0-2025-40196)
Vulnerability from cvelistv5
Published
2025-11-12 21:56
Modified
2025-11-12 21:56
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs: quota: create dedicated workqueue for quota_release_work
There is a kernel panic due to WARN_ONCE when panic_on_warn is set.
This issue occurs when writeback is triggered due to sync call for an
opened file (i.e., writeback reason is WB_REASON_SYNC). When f2fs balance
is needed at sync path, flush for quota_release_work is triggered.
By default quota_release_work is queued to "events_unbound" queue which
does not have WQ_MEM_RECLAIM flag. During f2fs balance "writeback"
workqueue tries to flush quota_release_work causing kernel panic due to
MEM_RECLAIM flag mismatch errors.
This patch creates dedicated workqueue with WQ_MEM_RECLAIM flag
for work quota_release_work.
------------[ cut here ]------------
WARNING: CPU: 4 PID: 14867 at kernel/workqueue.c:3721 check_flush_dependency+0x13c/0x148
Call trace:
check_flush_dependency+0x13c/0x148
__flush_work+0xd0/0x398
flush_delayed_work+0x44/0x5c
dquot_writeback_dquots+0x54/0x318
f2fs_do_quota_sync+0xb8/0x1a8
f2fs_write_checkpoint+0x3cc/0x99c
f2fs_gc+0x190/0x750
f2fs_balance_fs+0x110/0x168
f2fs_write_single_data_page+0x474/0x7dc
f2fs_write_data_pages+0x7d0/0xd0c
do_writepages+0xe0/0x2f4
__writeback_single_inode+0x44/0x4ac
writeback_sb_inodes+0x30c/0x538
wb_writeback+0xf4/0x440
wb_workfn+0x128/0x5d4
process_scheduled_works+0x1c4/0x45c
worker_thread+0x32c/0x3e8
kthread+0x11c/0x1b0
ret_from_fork+0x10/0x20
Kernel panic - not syncing: kernel: panic_on_warn set ...
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Version: bcacb52a985f1b6d280f698a470b873dfe52728a Version: 8ea87e34792258825d290f4dc5216276e91cb224 Version: ac6f420291b3fee1113f21d612fa88b628afab5b Version: ac6f420291b3fee1113f21d612fa88b628afab5b Version: a5abba5e0e586e258ded3e798fe5f69c66fec198 Version: 6f3821acd7c3143145999248087de5fb4b48cf26 Version: ab6cfcf8ed2c7496f55d020b65b1d8cd55d9a2cb Version: 3e6ff207cd5bd924ad94cd1a7c633bcdac0ba1cb |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/quota/dquot.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f846eacde280ecc3daedfe001580e3033565179e",
"status": "affected",
"version": "bcacb52a985f1b6d280f698a470b873dfe52728a",
"versionType": "git"
},
{
"lessThan": "f12039df1515d5daf7d92e586ece5cefeb39561b",
"status": "affected",
"version": "8ea87e34792258825d290f4dc5216276e91cb224",
"versionType": "git"
},
{
"lessThan": "8a09a62f0c8c6123c2f1864ed6d5f9eb144afaf0",
"status": "affected",
"version": "ac6f420291b3fee1113f21d612fa88b628afab5b",
"versionType": "git"
},
{
"lessThan": "72b7ceca857f38a8ca7c5629feffc63769638974",
"status": "affected",
"version": "ac6f420291b3fee1113f21d612fa88b628afab5b",
"versionType": "git"
},
{
"status": "affected",
"version": "a5abba5e0e586e258ded3e798fe5f69c66fec198",
"versionType": "git"
},
{
"status": "affected",
"version": "6f3821acd7c3143145999248087de5fb4b48cf26",
"versionType": "git"
},
{
"status": "affected",
"version": "ab6cfcf8ed2c7496f55d020b65b1d8cd55d9a2cb",
"versionType": "git"
},
{
"status": "affected",
"version": "3e6ff207cd5bd924ad94cd1a7c633bcdac0ba1cb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/quota/dquot.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.13"
},
{
"lessThan": "6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.114",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.114",
"versionStartIncluding": "6.6.64",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "6.12.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc1",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.287",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.231",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.174",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.1.120",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: quota: create dedicated workqueue for quota_release_work\n\nThere is a kernel panic due to WARN_ONCE when panic_on_warn is set.\n\nThis issue occurs when writeback is triggered due to sync call for an\nopened file(ie, writeback reason is WB_REASON_SYNC). When f2fs balance\nis needed at sync path, flush for quota_release_work is triggered.\nBy default quota_release_work is queued to \"events_unbound\" queue which\ndoes not have WQ_MEM_RECLAIM flag. During f2fs balance \"writeback\"\nworkqueue tries to flush quota_release_work causing kernel panic due to\nMEM_RECLAIM flag mismatch errors.\n\nThis patch creates dedicated workqueue with WQ_MEM_RECLAIM flag\nfor work quota_release_work.\n\n------------[ cut here ]------------\nWARNING: CPU: 4 PID: 14867 at kernel/workqueue.c:3721 check_flush_dependency+0x13c/0x148\nCall trace:\n check_flush_dependency+0x13c/0x148\n __flush_work+0xd0/0x398\n flush_delayed_work+0x44/0x5c\n dquot_writeback_dquots+0x54/0x318\n f2fs_do_quota_sync+0xb8/0x1a8\n f2fs_write_checkpoint+0x3cc/0x99c\n f2fs_gc+0x190/0x750\n f2fs_balance_fs+0x110/0x168\n f2fs_write_single_data_page+0x474/0x7dc\n f2fs_write_data_pages+0x7d0/0xd0c\n do_writepages+0xe0/0x2f4\n __writeback_single_inode+0x44/0x4ac\n writeback_sb_inodes+0x30c/0x538\n wb_writeback+0xf4/0x440\n wb_workfn+0x128/0x5d4\n process_scheduled_works+0x1c4/0x45c\n worker_thread+0x32c/0x3e8\n kthread+0x11c/0x1b0\n ret_from_fork+0x10/0x20\nKernel panic - not syncing: kernel: panic_on_warn set ..."
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T21:56:32.578Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f846eacde280ecc3daedfe001580e3033565179e"
},
{
"url": "https://git.kernel.org/stable/c/f12039df1515d5daf7d92e586ece5cefeb39561b"
},
{
"url": "https://git.kernel.org/stable/c/8a09a62f0c8c6123c2f1864ed6d5f9eb144afaf0"
},
{
"url": "https://git.kernel.org/stable/c/72b7ceca857f38a8ca7c5629feffc63769638974"
}
],
"title": "fs: quota: create dedicated workqueue for quota_release_work",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40196",
"datePublished": "2025-11-12T21:56:32.578Z",
"dateReserved": "2025-04-16T07:20:57.178Z",
"dateUpdated": "2025-11-12T21:56:32.578Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40195 (GCVE-0-2025-40195)
Vulnerability from cvelistv5
Published
2025-11-12 21:56
Modified
2025-11-12 21:56
Summary
In the Linux kernel, the following vulnerability has been resolved:
mount: handle NULL values in mnt_ns_release()
When calling in listmount() mnt_ns_release() may be passed a NULL
pointer. Handle that case gracefully.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/namespace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2d68f8a7379d9c61005e982600c61948d4d019bd",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "99ae3e70a293834d0274c46a37120c71a24a4995",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6c7ca6a02f8f9549a438a08a23c6327580ecf3d6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/namespace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmount: handle NULL values in mnt_ns_release()\n\nWhen calling in listmount() mnt_ns_release() may be passed a NULL\npointer. Handle that case gracefully."
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T21:56:32.311Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2d68f8a7379d9c61005e982600c61948d4d019bd"
},
{
"url": "https://git.kernel.org/stable/c/99ae3e70a293834d0274c46a37120c71a24a4995"
},
{
"url": "https://git.kernel.org/stable/c/6c7ca6a02f8f9549a438a08a23c6327580ecf3d6"
}
],
"title": "mount: handle NULL values in mnt_ns_release()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40195",
"datePublished": "2025-11-12T21:56:32.311Z",
"dateReserved": "2025-04-16T07:20:57.178Z",
"dateUpdated": "2025-11-12T21:56:32.311Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40194 (GCVE-0-2025-40194)
Vulnerability from cvelistv5
Published
2025-11-12 21:56
Modified
2025-11-12 21:56
Summary
In the Linux kernel, the following vulnerability has been resolved:
cpufreq: intel_pstate: Fix object lifecycle issue in update_qos_request()
The cpufreq_cpu_put() call in update_qos_request() takes place too early
because the latter subsequently calls freq_qos_update_request() that
indirectly accesses the policy object in question through the QoS request
object passed to it.
Fortunately, update_qos_request() is called under intel_pstate_driver_lock,
so this issue does not matter for changing the intel_pstate operation
mode, but it theoretically can cause a crash to occur on CPU device hot
removal (which currently can only happen in virt, but it is formally
supported nevertheless).
Address this issue by modifying update_qos_request() to drop the
reference to the policy later.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Version: da5c504c7aae96db68c4b38e2564a88e91842d89 |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/cpufreq/intel_pstate.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "15ac9579ebdaf22a37d7f60b3a8efc1029732ef9",
"status": "affected",
"version": "da5c504c7aae96db68c4b38e2564a88e91842d89",
"versionType": "git"
},
{
"lessThan": "bc26564bcc659beb6d977cd6eb394041ec2f2851",
"status": "affected",
"version": "da5c504c7aae96db68c4b38e2564a88e91842d89",
"versionType": "git"
},
{
"lessThan": "ad4e8f9bdbef11a19b7cb93e7f313bf59bdcc3b4",
"status": "affected",
"version": "da5c504c7aae96db68c4b38e2564a88e91842d89",
"versionType": "git"
},
{
"lessThan": "0a58d3e77b22b087a57831c87cafd360e144a5bd",
"status": "affected",
"version": "da5c504c7aae96db68c4b38e2564a88e91842d89",
"versionType": "git"
},
{
"lessThan": "69a18ff6c60e8e113420f15355fad862cb45d38e",
"status": "affected",
"version": "da5c504c7aae96db68c4b38e2564a88e91842d89",
"versionType": "git"
},
{
"lessThan": "ba63d4e9857a72a89e71a4eff9f2cc8c283e94c3",
"status": "affected",
"version": "da5c504c7aae96db68c4b38e2564a88e91842d89",
"versionType": "git"
},
{
"lessThan": "57e4a6aadf12578b96a038373cffd54b3a58b092",
"status": "affected",
"version": "da5c504c7aae96db68c4b38e2564a88e91842d89",
"versionType": "git"
},
{
"lessThan": "69e5d50fcf4093fb3f9f41c4f931f12c2ca8c467",
"status": "affected",
"version": "da5c504c7aae96db68c4b38e2564a88e91842d89",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/cpufreq/intel_pstate.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc1",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: intel_pstate: Fix object lifecycle issue in update_qos_request()\n\nThe cpufreq_cpu_put() call in update_qos_request() takes place too early\nbecause the latter subsequently calls freq_qos_update_request() that\nindirectly accesses the policy object in question through the QoS request\nobject passed to it.\n\nFortunately, update_qos_request() is called under intel_pstate_driver_lock,\nso this issue does not matter for changing the intel_pstate operation\nmode, but it theoretically can cause a crash to occur on CPU device hot\nremoval (which currently can only happen in virt, but it is formally\nsupported nevertheless).\n\nAddress this issue by modifying update_qos_request() to drop the\nreference to the policy later."
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T21:56:32.025Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/15ac9579ebdaf22a37d7f60b3a8efc1029732ef9"
},
{
"url": "https://git.kernel.org/stable/c/bc26564bcc659beb6d977cd6eb394041ec2f2851"
},
{
"url": "https://git.kernel.org/stable/c/ad4e8f9bdbef11a19b7cb93e7f313bf59bdcc3b4"
},
{
"url": "https://git.kernel.org/stable/c/0a58d3e77b22b087a57831c87cafd360e144a5bd"
},
{
"url": "https://git.kernel.org/stable/c/69a18ff6c60e8e113420f15355fad862cb45d38e"
},
{
"url": "https://git.kernel.org/stable/c/ba63d4e9857a72a89e71a4eff9f2cc8c283e94c3"
},
{
"url": "https://git.kernel.org/stable/c/57e4a6aadf12578b96a038373cffd54b3a58b092"
},
{
"url": "https://git.kernel.org/stable/c/69e5d50fcf4093fb3f9f41c4f931f12c2ca8c467"
}
],
"title": "cpufreq: intel_pstate: Fix object lifecycle issue in update_qos_request()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40194",
"datePublished": "2025-11-12T21:56:32.025Z",
"dateReserved": "2025-04-16T07:20:57.178Z",
"dateUpdated": "2025-11-12T21:56:32.025Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40193 (GCVE-0-2025-40193)
Vulnerability from cvelistv5
Published
2025-11-12 21:56
Modified
2025-11-12 21:56
Summary
In the Linux kernel, the following vulnerability has been resolved:
xtensa: simdisk: add input size check in proc_write_simdisk
A malicious user could pass an arbitrarily bad value
to memdup_user_nul(), potentially causing kernel crash.
This follows the same pattern as commit ee76746387f6
("netdevsim: prevent bad user input in nsim_dev_health_break_write()")
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/xtensa/platforms/iss/simdisk.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f40405ccfb87b71175f2d5d004c0b8a0aebcc2cf",
"status": "affected",
"version": "b6c7e873daf765e41233b9752083b66442703b7a",
"versionType": "git"
},
{
"lessThan": "151bd88859474cdaccc1e4c8b21fbf72dbba2ab4",
"status": "affected",
"version": "b6c7e873daf765e41233b9752083b66442703b7a",
"versionType": "git"
},
{
"lessThan": "d381de7fd4cdc928ede96987dc64b133e6480dd6",
"status": "affected",
"version": "b6c7e873daf765e41233b9752083b66442703b7a",
"versionType": "git"
},
{
"lessThan": "a0c2c36d864ef3676b05cfd8c58b72ee3214cb1a",
"status": "affected",
"version": "b6c7e873daf765e41233b9752083b66442703b7a",
"versionType": "git"
},
{
"lessThan": "5d5f08fd0cd970184376bee07d59f635c8403f63",
"status": "affected",
"version": "b6c7e873daf765e41233b9752083b66442703b7a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/xtensa/platforms/iss/simdisk.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.9"
},
{
"lessThan": "3.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc1",
"versionStartIncluding": "3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxtensa: simdisk: add input size check in proc_write_simdisk\n\nA malicious user could pass an arbitrarily bad value\nto memdup_user_nul(), potentially causing kernel crash.\n\nThis follows the same pattern as commit ee76746387f6\n(\"netdevsim: prevent bad user input in nsim_dev_health_break_write()\")"
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T21:56:31.751Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f40405ccfb87b71175f2d5d004c0b8a0aebcc2cf"
},
{
"url": "https://git.kernel.org/stable/c/151bd88859474cdaccc1e4c8b21fbf72dbba2ab4"
},
{
"url": "https://git.kernel.org/stable/c/d381de7fd4cdc928ede96987dc64b133e6480dd6"
},
{
"url": "https://git.kernel.org/stable/c/a0c2c36d864ef3676b05cfd8c58b72ee3214cb1a"
},
{
"url": "https://git.kernel.org/stable/c/5d5f08fd0cd970184376bee07d59f635c8403f63"
}
],
"title": "xtensa: simdisk: add input size check in proc_write_simdisk",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40193",
"datePublished": "2025-11-12T21:56:31.751Z",
"dateReserved": "2025-04-16T07:20:57.178Z",
"dateUpdated": "2025-11-12T21:56:31.751Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40192 (GCVE-0-2025-40192)
Vulnerability from cvelistv5
Published
2025-11-12 21:56
Modified
2025-11-12 21:56
Summary
In the Linux kernel, the following vulnerability has been resolved:
Revert "ipmi: fix msg stack when IPMI is disconnected"
This reverts commit c608966f3f9c2dca596967501d00753282b395fc.
This patch has a subtle bug that can cause the IPMI driver to go into an
infinite loop if the BMC misbehaves in a certain way. Apparently
certain BMCs do misbehave this way because several reports have come in
recently about this.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/char/ipmi/ipmi_kcs_sm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f4aab940ae9eb3ba32e5332b35703673f00d7f37",
"status": "affected",
"version": "c608966f3f9c2dca596967501d00753282b395fc",
"versionType": "git"
},
{
"lessThan": "b9cc7155e65f6feca51bfedd543b9bd300e2be2b",
"status": "affected",
"version": "c608966f3f9c2dca596967501d00753282b395fc",
"versionType": "git"
},
{
"lessThan": "8cf5c24533b8058910fcb83a25a9cf0306383780",
"status": "affected",
"version": "c608966f3f9c2dca596967501d00753282b395fc",
"versionType": "git"
},
{
"lessThan": "5d09ee1bec870263f4ace439402ea840503b503b",
"status": "affected",
"version": "c608966f3f9c2dca596967501d00753282b395fc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/char/ipmi/ipmi_kcs_sm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc1",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"ipmi: fix msg stack when IPMI is disconnected\"\n\nThis reverts commit c608966f3f9c2dca596967501d00753282b395fc.\n\nThis patch has a subtle bug that can cause the IPMI driver to go into an\ninfinite loop if the BMC misbehaves in a certain way. Apparently\ncertain BMCs do misbehave this way because several reports have come in\nrecently about this."
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T21:56:31.476Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f4aab940ae9eb3ba32e5332b35703673f00d7f37"
},
{
"url": "https://git.kernel.org/stable/c/b9cc7155e65f6feca51bfedd543b9bd300e2be2b"
},
{
"url": "https://git.kernel.org/stable/c/8cf5c24533b8058910fcb83a25a9cf0306383780"
},
{
"url": "https://git.kernel.org/stable/c/5d09ee1bec870263f4ace439402ea840503b503b"
}
],
"title": "Revert \"ipmi: fix msg stack when IPMI is disconnected\"",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40192",
"datePublished": "2025-11-12T21:56:31.476Z",
"dateReserved": "2025-04-16T07:20:57.177Z",
"dateUpdated": "2025-11-12T21:56:31.476Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40191 (GCVE-0-2025-40191)
Vulnerability from cvelistv5
Published
2025-11-12 21:56
Modified
2025-11-12 21:56
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdkfd: Fix kfd process ref leaking when userptr unmapping
kfd_lookup_process_by_pid hold the kfd process reference to ensure it
doesn't get destroyed while sending the segfault event to user space.
Calling kfd_lookup_process_by_pid as function parameter leaks the kfd
process refcount and miss the NULL pointer check if app process is
already destroyed.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "60f6112fc9b3ba0eae519f10702c0c13bab45742",
"status": "affected",
"version": "2d274bf7099bc5e95fabaa93f23d0eb2977187ad",
"versionType": "git"
},
{
"lessThan": "58e6fc2fb94f0f409447e5d46cf6a417b6397fbc",
"status": "affected",
"version": "2d274bf7099bc5e95fabaa93f23d0eb2977187ad",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.16"
},
{
"lessThan": "6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc1",
"versionStartIncluding": "6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Fix kfd process ref leaking when userptr unmapping\n\nkfd_lookup_process_by_pid hold the kfd process reference to ensure it\ndoesn\u0027t get destroyed while sending the segfault event to user space.\n\nCalling kfd_lookup_process_by_pid as function parameter leaks the kfd\nprocess refcount and miss the NULL pointer check if app process is\nalready destroyed."
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T21:56:31.206Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/60f6112fc9b3ba0eae519f10702c0c13bab45742"
},
{
"url": "https://git.kernel.org/stable/c/58e6fc2fb94f0f409447e5d46cf6a417b6397fbc"
}
],
"title": "drm/amdkfd: Fix kfd process ref leaking when userptr unmapping",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40191",
"datePublished": "2025-11-12T21:56:31.206Z",
"dateReserved": "2025-04-16T07:20:57.177Z",
"dateUpdated": "2025-11-12T21:56:31.206Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40190 (GCVE-0-2025-40190)
Vulnerability from cvelistv5
Published
2025-11-12 21:56
Modified
2025-11-12 21:56
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: guard against EA inode refcount underflow in xattr update
syzkaller found a path where ext4_xattr_inode_update_ref() reads an EA
inode refcount that is already <= 0 and then applies ref_change (often
-1). That lets the refcount underflow and we proceed with a bogus value,
triggering errors like:
EXT4-fs error: EA inode <n> ref underflow: ref_count=-1 ref_change=-1
EXT4-fs warning: ea_inode dec ref err=-117
Make the invariant explicit: if the current refcount is non-positive,
treat this as on-disk corruption, emit ext4_error_inode(), and fail the
operation with -EFSCORRUPTED instead of updating the refcount. Delete the
WARN_ONCE() as negative refcounts are now impossible; keep error reporting
in ext4_error_inode().
This prevents the underflow and the follow-on orphan/cleanup churn.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/xattr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ea39e712c2f5ae148ee5515798ae03523673e002",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1cfb3e4ddbdc8e02e637b8852540bd4718bf4814",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "505e69f76ac497e788f4ea0267826ec7266b40c8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3d6269028246f4484bfed403c947a114bb583631",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "79ea7f3e11effe1bd9e753172981d9029133a278",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6b879c4c6bbaab03c0ad2a983953bd1410bb165e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "440b003f449a4ff2a00b08c8eab9ba5cd28f3943",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "57295e835408d8d425bef58da5253465db3d6888",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/xattr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: guard against EA inode refcount underflow in xattr update\n\nsyzkaller found a path where ext4_xattr_inode_update_ref() reads an EA\ninode refcount that is already \u003c= 0 and then applies ref_change (often\n-1). That lets the refcount underflow and we proceed with a bogus value,\ntriggering errors like:\n\n EXT4-fs error: EA inode \u003cn\u003e ref underflow: ref_count=-1 ref_change=-1\n EXT4-fs warning: ea_inode dec ref err=-117\n\nMake the invariant explicit: if the current refcount is non-positive,\ntreat this as on-disk corruption, emit ext4_error_inode(), and fail the\noperation with -EFSCORRUPTED instead of updating the refcount. Delete the\nWARN_ONCE() as negative refcounts are now impossible; keep error reporting\nin ext4_error_inode().\n\nThis prevents the underflow and the follow-on orphan/cleanup churn."
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T21:56:30.914Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ea39e712c2f5ae148ee5515798ae03523673e002"
},
{
"url": "https://git.kernel.org/stable/c/1cfb3e4ddbdc8e02e637b8852540bd4718bf4814"
},
{
"url": "https://git.kernel.org/stable/c/505e69f76ac497e788f4ea0267826ec7266b40c8"
},
{
"url": "https://git.kernel.org/stable/c/3d6269028246f4484bfed403c947a114bb583631"
},
{
"url": "https://git.kernel.org/stable/c/79ea7f3e11effe1bd9e753172981d9029133a278"
},
{
"url": "https://git.kernel.org/stable/c/6b879c4c6bbaab03c0ad2a983953bd1410bb165e"
},
{
"url": "https://git.kernel.org/stable/c/440b003f449a4ff2a00b08c8eab9ba5cd28f3943"
},
{
"url": "https://git.kernel.org/stable/c/57295e835408d8d425bef58da5253465db3d6888"
}
],
"title": "ext4: guard against EA inode refcount underflow in xattr update",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40190",
"datePublished": "2025-11-12T21:56:30.914Z",
"dateReserved": "2025-04-16T07:20:57.177Z",
"dateUpdated": "2025-11-12T21:56:30.914Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40189 (GCVE-0-2025-40189)
Vulnerability from cvelistv5
Published
2025-11-12 21:56
Modified
2025-11-12 21:56
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: usb: lan78xx: Fix lost EEPROM read timeout error(-ETIMEDOUT) in lan78xx_read_raw_eeprom
Syzbot reported read of uninitialized variable BUG with following call stack.
lan78xx 8-1:1.0 (unnamed net_device) (uninitialized): EEPROM read operation timeout
=====================================================
BUG: KMSAN: uninit-value in lan78xx_read_eeprom drivers/net/usb/lan78xx.c:1095 [inline]
BUG: KMSAN: uninit-value in lan78xx_init_mac_address drivers/net/usb/lan78xx.c:1937 [inline]
BUG: KMSAN: uninit-value in lan78xx_reset+0x999/0x2cd0 drivers/net/usb/lan78xx.c:3241
lan78xx_read_eeprom drivers/net/usb/lan78xx.c:1095 [inline]
lan78xx_init_mac_address drivers/net/usb/lan78xx.c:1937 [inline]
lan78xx_reset+0x999/0x2cd0 drivers/net/usb/lan78xx.c:3241
lan78xx_bind+0x711/0x1690 drivers/net/usb/lan78xx.c:3766
lan78xx_probe+0x225c/0x3310 drivers/net/usb/lan78xx.c:4707
Local variable sig.i.i created at:
lan78xx_read_eeprom drivers/net/usb/lan78xx.c:1092 [inline]
lan78xx_init_mac_address drivers/net/usb/lan78xx.c:1937 [inline]
lan78xx_reset+0x77e/0x2cd0 drivers/net/usb/lan78xx.c:3241
lan78xx_bind+0x711/0x1690 drivers/net/usb/lan78xx.c:3766
The function lan78xx_read_raw_eeprom failed to properly propagate EEPROM
read timeout errors (-ETIMEDOUT). In the fallthrough path, it first
attempted to restore the pin configuration for LED outputs and then
returned only the status of that restore operation, discarding the
original timeout error.
As a result, callers could mistakenly treat the data buffer as valid
even though the EEPROM read had actually timed out with no data or partial
data.
To fix this, handle errors in restoring the LED pin configuration separately.
If the restore succeeds, return any prior EEPROM timeout error correctly
to the caller.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/lan78xx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a72a7c4f675080a324d4c2167bd2314d968279f1",
"status": "affected",
"version": "8b1b2ca83b200fa46fdfb81e80ad5fe34537e6d4",
"versionType": "git"
},
{
"lessThan": "49bdb63ff64469a6de8ea901aef123c75be9bbe7",
"status": "affected",
"version": "8b1b2ca83b200fa46fdfb81e80ad5fe34537e6d4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/lan78xx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.14"
},
{
"lessThan": "6.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc1",
"versionStartIncluding": "6.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: lan78xx: Fix lost EEPROM read timeout error(-ETIMEDOUT) in lan78xx_read_raw_eeprom\n\nSyzbot reported read of uninitialized variable BUG with following call stack.\n\nlan78xx 8-1:1.0 (unnamed net_device) (uninitialized): EEPROM read operation timeout\n=====================================================\nBUG: KMSAN: uninit-value in lan78xx_read_eeprom drivers/net/usb/lan78xx.c:1095 [inline]\nBUG: KMSAN: uninit-value in lan78xx_init_mac_address drivers/net/usb/lan78xx.c:1937 [inline]\nBUG: KMSAN: uninit-value in lan78xx_reset+0x999/0x2cd0 drivers/net/usb/lan78xx.c:3241\n lan78xx_read_eeprom drivers/net/usb/lan78xx.c:1095 [inline]\n lan78xx_init_mac_address drivers/net/usb/lan78xx.c:1937 [inline]\n lan78xx_reset+0x999/0x2cd0 drivers/net/usb/lan78xx.c:3241\n lan78xx_bind+0x711/0x1690 drivers/net/usb/lan78xx.c:3766\n lan78xx_probe+0x225c/0x3310 drivers/net/usb/lan78xx.c:4707\n\nLocal variable sig.i.i created at:\n lan78xx_read_eeprom drivers/net/usb/lan78xx.c:1092 [inline]\n lan78xx_init_mac_address drivers/net/usb/lan78xx.c:1937 [inline]\n lan78xx_reset+0x77e/0x2cd0 drivers/net/usb/lan78xx.c:3241\n lan78xx_bind+0x711/0x1690 drivers/net/usb/lan78xx.c:3766\n\nThe function lan78xx_read_raw_eeprom failed to properly propagate EEPROM\nread timeout errors (-ETIMEDOUT). In the fallthrough path, it first\nattempted to restore the pin configuration for LED outputs and then\nreturned only the status of that restore operation, discarding the\noriginal timeout error.\n\nAs a result, callers could mistakenly treat the data buffer as valid\neven though the EEPROM read had actually timed out with no data or partial\ndata.\n\nTo fix this, handle errors in restoring the LED pin configuration separately.\nIf the restore succeeds, return any prior EEPROM timeout error correctly\nto the caller."
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T21:56:30.575Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a72a7c4f675080a324d4c2167bd2314d968279f1"
},
{
"url": "https://git.kernel.org/stable/c/49bdb63ff64469a6de8ea901aef123c75be9bbe7"
}
],
"title": "net: usb: lan78xx: Fix lost EEPROM read timeout error(-ETIMEDOUT) in lan78xx_read_raw_eeprom",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40189",
"datePublished": "2025-11-12T21:56:30.575Z",
"dateReserved": "2025-04-16T07:20:57.177Z",
"dateUpdated": "2025-11-12T21:56:30.575Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40188 (GCVE-0-2025-40188)
Vulnerability from cvelistv5
Published
2025-11-12 21:56
Modified
2025-11-12 21:56
Summary
In the Linux kernel, the following vulnerability has been resolved:
pwm: berlin: Fix wrong register in suspend/resume
The 'enable' register should be BERLIN_PWM_EN rather than
BERLIN_PWM_ENABLE, otherwise, the driver accesses wrong address, there
will be cpu exception then kernel panic during suspend/resume.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Version: bbf0722c1c663b08f612bd8c58af27f45aa84862 Version: bbf0722c1c663b08f612bd8c58af27f45aa84862 Version: bbf0722c1c663b08f612bd8c58af27f45aa84862 Version: bbf0722c1c663b08f612bd8c58af27f45aa84862 Version: bbf0722c1c663b08f612bd8c58af27f45aa84862 Version: bbf0722c1c663b08f612bd8c58af27f45aa84862 Version: bbf0722c1c663b08f612bd8c58af27f45aa84862 Version: bbf0722c1c663b08f612bd8c58af27f45aa84862 |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pwm/pwm-berlin.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "da3cadb8b0f35d845b3e2fbb7d978cf6473fd221",
"status": "affected",
"version": "bbf0722c1c663b08f612bd8c58af27f45aa84862",
"versionType": "git"
},
{
"lessThan": "5419c86ea134b8a5b8126f55fa5bc1ad7b3ca444",
"status": "affected",
"version": "bbf0722c1c663b08f612bd8c58af27f45aa84862",
"versionType": "git"
},
{
"lessThan": "9ee5eb3d09217f115f63b7c102d110ccdb1b26af",
"status": "affected",
"version": "bbf0722c1c663b08f612bd8c58af27f45aa84862",
"versionType": "git"
},
{
"lessThan": "fd017aabd4273216ed4223f17991fc087163771f",
"status": "affected",
"version": "bbf0722c1c663b08f612bd8c58af27f45aa84862",
"versionType": "git"
},
{
"lessThan": "dc3a1c6237e7f8046e6d4109bcf1998452ccafad",
"status": "affected",
"version": "bbf0722c1c663b08f612bd8c58af27f45aa84862",
"versionType": "git"
},
{
"lessThan": "d9457e6258750692c3b27f80880a613178053c25",
"status": "affected",
"version": "bbf0722c1c663b08f612bd8c58af27f45aa84862",
"versionType": "git"
},
{
"lessThan": "6cef9e4425143b19742044c8a675335821fa1994",
"status": "affected",
"version": "bbf0722c1c663b08f612bd8c58af27f45aa84862",
"versionType": "git"
},
{
"lessThan": "3a4b9d027e4061766f618292df91760ea64a1fcc",
"status": "affected",
"version": "bbf0722c1c663b08f612bd8c58af27f45aa84862",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pwm/pwm-berlin.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.9"
},
{
"lessThan": "4.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc1",
"versionStartIncluding": "4.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npwm: berlin: Fix wrong register in suspend/resume\n\nThe \u0027enable\u0027 register should be BERLIN_PWM_EN rather than\nBERLIN_PWM_ENABLE, otherwise, the driver accesses wrong address, there\nwill be cpu exception then kernel panic during suspend/resume."
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T21:56:30.108Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/da3cadb8b0f35d845b3e2fbb7d978cf6473fd221"
},
{
"url": "https://git.kernel.org/stable/c/5419c86ea134b8a5b8126f55fa5bc1ad7b3ca444"
},
{
"url": "https://git.kernel.org/stable/c/9ee5eb3d09217f115f63b7c102d110ccdb1b26af"
},
{
"url": "https://git.kernel.org/stable/c/fd017aabd4273216ed4223f17991fc087163771f"
},
{
"url": "https://git.kernel.org/stable/c/dc3a1c6237e7f8046e6d4109bcf1998452ccafad"
},
{
"url": "https://git.kernel.org/stable/c/d9457e6258750692c3b27f80880a613178053c25"
},
{
"url": "https://git.kernel.org/stable/c/6cef9e4425143b19742044c8a675335821fa1994"
},
{
"url": "https://git.kernel.org/stable/c/3a4b9d027e4061766f618292df91760ea64a1fcc"
}
],
"title": "pwm: berlin: Fix wrong register in suspend/resume",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40188",
"datePublished": "2025-11-12T21:56:30.108Z",
"dateReserved": "2025-04-16T07:20:57.177Z",
"dateUpdated": "2025-11-12T21:56:30.108Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40187 (GCVE-0-2025-40187)
Vulnerability from cvelistv5
Published
2025-11-12 21:56
Modified
2025-11-12 21:56
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce()
If new_asoc->peer.adaptation_ind=0 and sctp_ulpevent_make_authkey=0
and sctp_ulpevent_make_authkey() returns 0, then the variable
ai_ev remains zero and the zero will be dereferenced
in the sctp_ulpevent_free() function.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Version: 30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b Version: 30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b Version: 30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b Version: 30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b Version: 30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b Version: 30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b Version: 30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b Version: 30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sctp/sm_statefuns.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1014b83778c8677f1d7a57c26dc728baa801ac62",
"status": "affected",
"version": "30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b",
"versionType": "git"
},
{
"lessThan": "7f702f85df0266ed7b5bab81ba50394c92f3c928",
"status": "affected",
"version": "30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b",
"versionType": "git"
},
{
"lessThan": "dbceedc0213e75bf3e9f9f9e2f66b10699d004fe",
"status": "affected",
"version": "30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b",
"versionType": "git"
},
{
"lessThan": "025419f4e216a3ae0d0cec622262e98e8078c447",
"status": "affected",
"version": "30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b",
"versionType": "git"
},
{
"lessThan": "c21f45cfa4a9526b34d76b397c9ef080668b6e73",
"status": "affected",
"version": "30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b",
"versionType": "git"
},
{
"lessThan": "d0e8f1445c19b1786759ba72a38267e1449bab7e",
"status": "affected",
"version": "30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b",
"versionType": "git"
},
{
"lessThan": "badbd79313e6591616c1b78e29a9b71efed7f035",
"status": "affected",
"version": "30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b",
"versionType": "git"
},
{
"lessThan": "2f3119686ef50319490ccaec81a575973da98815",
"status": "affected",
"version": "30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sctp/sm_statefuns.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc1",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce()\n\nIf new_asoc-\u003epeer.adaptation_ind=0 and sctp_ulpevent_make_authkey=0\nand sctp_ulpevent_make_authkey() returns 0, then the variable\nai_ev remains zero and the zero will be dereferenced\nin the sctp_ulpevent_free() function."
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T21:56:29.504Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1014b83778c8677f1d7a57c26dc728baa801ac62"
},
{
"url": "https://git.kernel.org/stable/c/7f702f85df0266ed7b5bab81ba50394c92f3c928"
},
{
"url": "https://git.kernel.org/stable/c/dbceedc0213e75bf3e9f9f9e2f66b10699d004fe"
},
{
"url": "https://git.kernel.org/stable/c/025419f4e216a3ae0d0cec622262e98e8078c447"
},
{
"url": "https://git.kernel.org/stable/c/c21f45cfa4a9526b34d76b397c9ef080668b6e73"
},
{
"url": "https://git.kernel.org/stable/c/d0e8f1445c19b1786759ba72a38267e1449bab7e"
},
{
"url": "https://git.kernel.org/stable/c/badbd79313e6591616c1b78e29a9b71efed7f035"
},
{
"url": "https://git.kernel.org/stable/c/2f3119686ef50319490ccaec81a575973da98815"
}
],
"title": "net/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40187",
"datePublished": "2025-11-12T21:56:29.504Z",
"dateReserved": "2025-04-16T07:20:57.177Z",
"dateUpdated": "2025-11-12T21:56:29.504Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40186 (GCVE-0-2025-40186)
Vulnerability from cvelistv5
Published
2025-11-12 21:56
Modified
2025-11-12 21:56
Summary
In the Linux kernel, the following vulnerability has been resolved:
tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request().
syzbot reported the splat below in tcp_conn_request(). [0]
If a listener is close()d while a TFO socket is being processed in
tcp_conn_request(), inet_csk_reqsk_queue_add() does not set reqsk->sk
and calls inet_child_forget(), which calls tcp_disconnect() for the
TFO socket.
After the cited commit, tcp_disconnect() calls reqsk_fastopen_remove(),
where reqsk_put() is called due to !reqsk->sk.
Then, reqsk_fastopen_remove() in tcp_conn_request() decrements the
last req->rsk_refcnt and frees reqsk, and __reqsk_free() at the
drop_and_free label causes the refcount underflow for the listener
and double-free of the reqsk.
Let's remove reqsk_fastopen_remove() in tcp_conn_request().
Note that other callers make sure tp->fastopen_rsk is not NULL.
[0]:
refcount_t: underflow; use-after-free.
WARNING: CPU: 12 PID: 5563 at lib/refcount.c:28 refcount_warn_saturate (lib/refcount.c:28)
Modules linked in:
CPU: 12 UID: 0 PID: 5563 Comm: syz-executor Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:refcount_warn_saturate (lib/refcount.c:28)
Code: ab e8 8e b4 98 ff 0f 0b c3 cc cc cc cc cc 80 3d a4 e4 d6 01 00 75 9c c6 05 9b e4 d6 01 01 48 c7 c7 e8 df fb ab e8 6a b4 98 ff <0f> 0b e9 03 5b 76 00 cc 80 3d 7d e4 d6 01 00 0f 85 74 ff ff ff c6
RSP: 0018:ffffa79fc0304a98 EFLAGS: 00010246
RAX: d83af4db1c6b3900 RBX: ffff9f65c7a69020 RCX: d83af4db1c6b3900
RDX: 0000000000000000 RSI: 00000000ffff7fff RDI: ffffffffac78a280
RBP: 000000009d781b60 R08: 0000000000007fff R09: ffffffffac6ca280
R10: 0000000000017ffd R11: 0000000000000004 R12: ffff9f65c7b4f100
R13: ffff9f65c7d23c00 R14: ffff9f65c7d26000 R15: ffff9f65c7a64ef8
FS: 00007f9f962176c0(0000) GS:ffff9f65fcf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000200000000180 CR3: 000000000dbbe006 CR4: 0000000000372ef0
Call Trace:
<IRQ>
tcp_conn_request (./include/linux/refcount.h:400 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 ./include/net/sock.h:1965 ./include/net/request_sock.h:131 net/ipv4/tcp_input.c:7301)
tcp_rcv_state_process (net/ipv4/tcp_input.c:6708)
tcp_v6_do_rcv (net/ipv6/tcp_ipv6.c:1670)
tcp_v6_rcv (net/ipv6/tcp_ipv6.c:1906)
ip6_protocol_deliver_rcu (net/ipv6/ip6_input.c:438)
ip6_input (net/ipv6/ip6_input.c:500)
ipv6_rcv (net/ipv6/ip6_input.c:311)
__netif_receive_skb (net/core/dev.c:6104)
process_backlog (net/core/dev.c:6456)
__napi_poll (net/core/dev.c:7506)
net_rx_action (net/core/dev.c:7569 net/core/dev.c:7696)
handle_softirqs (kernel/softirq.c:579)
do_softirq (kernel/softirq.c:480)
</IRQ>
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Version: 7ec092a91ff351dcde89c23e795b73a328274db6 Version: a4378dedd6e07e62f2fccb17d78c9665718763d0 Version: 33a4fdf0b4a25f8ce65380c3b0136b407ca57609 Version: 17d699727577814198d744d6afe54735c6b54c99 Version: dfd06131107e7b699ef1e2a24ed2f7d17c917753 Version: fa4749c065644af4db496b338452a69a3e5147d9 Version: 45c8a6cc2bcd780e634a6ba8e46bffbdf1fc5c01 Version: 45c8a6cc2bcd780e634a6ba8e46bffbdf1fc5c01 Version: ae313d14b45eca7a6bb29cb9bf396d977e7d28fb |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/tcp_input.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e359b742eac1eac75cff4e38ee2e8cea492acd9b",
"status": "affected",
"version": "7ec092a91ff351dcde89c23e795b73a328274db6",
"versionType": "git"
},
{
"lessThan": "ff6a8883f96a5bc74241ce5b3d431a6dcfa2124d",
"status": "affected",
"version": "a4378dedd6e07e62f2fccb17d78c9665718763d0",
"versionType": "git"
},
{
"lessThan": "eb85ad5f23268d64b037bfb545cbcba3752f90c7",
"status": "affected",
"version": "33a4fdf0b4a25f8ce65380c3b0136b407ca57609",
"versionType": "git"
},
{
"lessThan": "643a94b0cf767325e953591c212be2eb826b9d7f",
"status": "affected",
"version": "17d699727577814198d744d6afe54735c6b54c99",
"versionType": "git"
},
{
"lessThan": "422c1c173c39bbbae1e0eaaf8aefe40b2596233b",
"status": "affected",
"version": "dfd06131107e7b699ef1e2a24ed2f7d17c917753",
"versionType": "git"
},
{
"lessThan": "c11ace909e873118295e9eb22dc8c58b0b50eb32",
"status": "affected",
"version": "fa4749c065644af4db496b338452a69a3e5147d9",
"versionType": "git"
},
{
"lessThan": "64dc47a13aa3d9daf7cec29b44dca8e22a6aea15",
"status": "affected",
"version": "45c8a6cc2bcd780e634a6ba8e46bffbdf1fc5c01",
"versionType": "git"
},
{
"lessThan": "2e7cbbbe3d61c63606994b7ff73c72537afe2e1c",
"status": "affected",
"version": "45c8a6cc2bcd780e634a6ba8e46bffbdf1fc5c01",
"versionType": "git"
},
{
"status": "affected",
"version": "ae313d14b45eca7a6bb29cb9bf396d977e7d28fb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/tcp_input.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.17"
},
{
"lessThan": "6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "5.4.300",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "5.10.245",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "5.15.194",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"versionStartIncluding": "6.1.154",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "6.6.108",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "6.12.49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc1",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.16.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: Don\u0027t call reqsk_fastopen_remove() in tcp_conn_request().\n\nsyzbot reported the splat below in tcp_conn_request(). [0]\n\nIf a listener is close()d while a TFO socket is being processed in\ntcp_conn_request(), inet_csk_reqsk_queue_add() does not set reqsk-\u003esk\nand calls inet_child_forget(), which calls tcp_disconnect() for the\nTFO socket.\n\nAfter the cited commit, tcp_disconnect() calls reqsk_fastopen_remove(),\nwhere reqsk_put() is called due to !reqsk-\u003esk.\n\nThen, reqsk_fastopen_remove() in tcp_conn_request() decrements the\nlast req-\u003ersk_refcnt and frees reqsk, and __reqsk_free() at the\ndrop_and_free label causes the refcount underflow for the listener\nand double-free of the reqsk.\n\nLet\u0027s remove reqsk_fastopen_remove() in tcp_conn_request().\n\nNote that other callers make sure tp-\u003efastopen_rsk is not NULL.\n\n[0]:\nrefcount_t: underflow; use-after-free.\nWARNING: CPU: 12 PID: 5563 at lib/refcount.c:28 refcount_warn_saturate (lib/refcount.c:28)\nModules linked in:\nCPU: 12 UID: 0 PID: 5563 Comm: syz-executor Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025\nRIP: 0010:refcount_warn_saturate (lib/refcount.c:28)\nCode: ab e8 8e b4 98 ff 0f 0b c3 cc cc cc cc cc 80 3d a4 e4 d6 01 00 75 9c c6 05 9b e4 d6 01 01 48 c7 c7 e8 df fb ab e8 6a b4 98 ff \u003c0f\u003e 0b e9 03 5b 76 00 cc 80 3d 7d e4 d6 01 00 0f 85 74 ff ff ff c6\nRSP: 0018:ffffa79fc0304a98 EFLAGS: 00010246\nRAX: d83af4db1c6b3900 RBX: ffff9f65c7a69020 RCX: d83af4db1c6b3900\nRDX: 0000000000000000 RSI: 00000000ffff7fff RDI: ffffffffac78a280\nRBP: 000000009d781b60 R08: 0000000000007fff R09: ffffffffac6ca280\nR10: 0000000000017ffd R11: 0000000000000004 R12: ffff9f65c7b4f100\nR13: ffff9f65c7d23c00 R14: ffff9f65c7d26000 R15: ffff9f65c7a64ef8\nFS: 00007f9f962176c0(0000) GS:ffff9f65fcf00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000200000000180 CR3: 000000000dbbe006 CR4: 0000000000372ef0\nCall Trace:\n \u003cIRQ\u003e\n tcp_conn_request (./include/linux/refcount.h:400 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 ./include/net/sock.h:1965 ./include/net/request_sock.h:131 net/ipv4/tcp_input.c:7301)\n tcp_rcv_state_process (net/ipv4/tcp_input.c:6708)\n tcp_v6_do_rcv (net/ipv6/tcp_ipv6.c:1670)\n tcp_v6_rcv (net/ipv6/tcp_ipv6.c:1906)\n ip6_protocol_deliver_rcu (net/ipv6/ip6_input.c:438)\n ip6_input (net/ipv6/ip6_input.c:500)\n ipv6_rcv (net/ipv6/ip6_input.c:311)\n __netif_receive_skb (net/core/dev.c:6104)\n process_backlog (net/core/dev.c:6456)\n __napi_poll (net/core/dev.c:7506)\n net_rx_action (net/core/dev.c:7569 net/core/dev.c:7696)\n handle_softirqs (kernel/softirq.c:579)\n do_softirq (kernel/softirq.c:480)\n \u003c/IRQ\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T21:56:29.033Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e359b742eac1eac75cff4e38ee2e8cea492acd9b"
},
{
"url": "https://git.kernel.org/stable/c/ff6a8883f96a5bc74241ce5b3d431a6dcfa2124d"
},
{
"url": "https://git.kernel.org/stable/c/eb85ad5f23268d64b037bfb545cbcba3752f90c7"
},
{
"url": "https://git.kernel.org/stable/c/643a94b0cf767325e953591c212be2eb826b9d7f"
},
{
"url": "https://git.kernel.org/stable/c/422c1c173c39bbbae1e0eaaf8aefe40b2596233b"
},
{
"url": "https://git.kernel.org/stable/c/c11ace909e873118295e9eb22dc8c58b0b50eb32"
},
{
"url": "https://git.kernel.org/stable/c/64dc47a13aa3d9daf7cec29b44dca8e22a6aea15"
},
{
"url": "https://git.kernel.org/stable/c/2e7cbbbe3d61c63606994b7ff73c72537afe2e1c"
}
],
"title": "tcp: Don\u0027t call reqsk_fastopen_remove() in tcp_conn_request().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40186",
"datePublished": "2025-11-12T21:56:29.033Z",
"dateReserved": "2025-04-16T07:20:57.177Z",
"dateUpdated": "2025-11-12T21:56:29.033Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40185 (GCVE-0-2025-40185)
Vulnerability from cvelistv5
Published
2025-11-12 21:56
Modified
2025-11-12 21:56
Summary
In the Linux kernel, the following vulnerability has been resolved:
ice: ice_adapter: release xa entry on adapter allocation failure
When ice_adapter_new() fails, the reserved XArray entry created by
xa_insert() is not released. This causes subsequent insertions at
the same index to return -EBUSY, potentially leading to
NULL pointer dereferences.
Reorder the operations as suggested by Przemek Kitszel:
1. Check if adapter already exists (xa_load)
2. Reserve the XArray slot (xa_reserve)
3. Allocate the adapter (ice_adapter_new)
4. Store the adapter (xa_store)
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ice/ice_adapter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7b9269de9815fc34d93dab90bd5169bacbe78e70",
"status": "affected",
"version": "0f0023c649c7bc50543fbe6e1801eb6357b8bd63",
"versionType": "git"
},
{
"lessThan": "794abb265de3e792167fe3ea0440c064c722bb84",
"status": "affected",
"version": "0f0023c649c7bc50543fbe6e1801eb6357b8bd63",
"versionType": "git"
},
{
"lessThan": "2db687f3469dbc5c59bc53d55acafd75d530b497",
"status": "affected",
"version": "0f0023c649c7bc50543fbe6e1801eb6357b8bd63",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ice/ice_adapter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.11"
},
{
"lessThan": "6.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc1",
"versionStartIncluding": "6.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: ice_adapter: release xa entry on adapter allocation failure\n\nWhen ice_adapter_new() fails, the reserved XArray entry created by\nxa_insert() is not released. This causes subsequent insertions at\nthe same index to return -EBUSY, potentially leading to\nNULL pointer dereferences.\n\nReorder the operations as suggested by Przemek Kitszel:\n1. Check if adapter already exists (xa_load)\n2. Reserve the XArray slot (xa_reserve)\n3. Allocate the adapter (ice_adapter_new)\n4. Store the adapter (xa_store)"
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T21:56:28.561Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7b9269de9815fc34d93dab90bd5169bacbe78e70"
},
{
"url": "https://git.kernel.org/stable/c/794abb265de3e792167fe3ea0440c064c722bb84"
},
{
"url": "https://git.kernel.org/stable/c/2db687f3469dbc5c59bc53d55acafd75d530b497"
}
],
"title": "ice: ice_adapter: release xa entry on adapter allocation failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40185",
"datePublished": "2025-11-12T21:56:28.561Z",
"dateReserved": "2025-04-16T07:20:57.177Z",
"dateUpdated": "2025-11-12T21:56:28.561Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40184 (GCVE-0-2025-40184)
Vulnerability from cvelistv5
Published
2025-11-12 21:56
Modified
2025-11-12 21:56
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: arm64: Fix debug checking for np-guests using huge mappings
When running with transparent huge pages and CONFIG_NVHE_EL2_DEBUG then
the debug checking in assert_host_shared_guest() fails on the launch of an
np-guest. This WARN_ON() causes a panic and generates the stack below.
In __pkvm_host_relax_perms_guest() the debug checking assumes the mapping
is a single page but it may be a block map. Update the checking so that
the size is not checked and just assumes the correct size.
While we're here make the same fix in __pkvm_host_mkyoung_guest().
Info: # lkvm run -k /share/arch/arm64/boot/Image -m 704 -c 8 --name guest-128
Info: Removed ghost socket file "/.lkvm//guest-128.sock".
[ 1406.521757] kvm [141]: nVHE hyp BUG at: arch/arm64/kvm/hyp/nvhe/mem_protect.c:1088!
[ 1406.521804] kvm [141]: nVHE call trace:
[ 1406.521828] kvm [141]: [<ffff8000811676b4>] __kvm_nvhe_hyp_panic+0xb4/0xe8
[ 1406.521946] kvm [141]: [<ffff80008116d12c>] __kvm_nvhe_assert_host_shared_guest+0xb0/0x10c
[ 1406.522049] kvm [141]: [<ffff80008116f068>] __kvm_nvhe___pkvm_host_relax_perms_guest+0x48/0x104
[ 1406.522157] kvm [141]: [<ffff800081169df8>] __kvm_nvhe_handle___pkvm_host_relax_perms_guest+0x64/0x7c
[ 1406.522250] kvm [141]: [<ffff800081169f0c>] __kvm_nvhe_handle_trap+0x8c/0x1a8
[ 1406.522333] kvm [141]: [<ffff8000811680fc>] __kvm_nvhe___skip_pauth_save+0x4/0x4
[ 1406.522454] kvm [141]: ---[ end nVHE call trace ]---
[ 1406.522477] kvm [141]: Hyp Offset: 0xfffece8013600000
[ 1406.522554] Kernel panic - not syncing: HYP panic:
[ 1406.522554] PS:834003c9 PC:0000b1806db6d170 ESR:00000000f2000800
[ 1406.522554] FAR:ffff8000804be420 HPFAR:0000000000804be0 PAR:0000000000000000
[ 1406.522554] VCPU:0000000000000000
[ 1406.523337] CPU: 3 UID: 0 PID: 141 Comm: kvm-vcpu-0 Not tainted 6.16.0-rc7 #97 PREEMPT
[ 1406.523485] Hardware name: FVP Base RevC (DT)
[ 1406.523566] Call trace:
[ 1406.523629] show_stack+0x18/0x24 (C)
[ 1406.523753] dump_stack_lvl+0xd4/0x108
[ 1406.523899] dump_stack+0x18/0x24
[ 1406.524040] panic+0x3d8/0x448
[ 1406.524184] nvhe_hyp_panic_handler+0x10c/0x23c
[ 1406.524325] kvm_handle_guest_abort+0x68c/0x109c
[ 1406.524500] handle_exit+0x60/0x17c
[ 1406.524630] kvm_arch_vcpu_ioctl_run+0x2e0/0x8c0
[ 1406.524794] kvm_vcpu_ioctl+0x1a8/0x9cc
[ 1406.524919] __arm64_sys_ioctl+0xac/0x104
[ 1406.525067] invoke_syscall+0x48/0x10c
[ 1406.525189] el0_svc_common.constprop.0+0x40/0xe0
[ 1406.525322] do_el0_svc+0x1c/0x28
[ 1406.525441] el0_svc+0x38/0x120
[ 1406.525588] el0t_64_sync_handler+0x10c/0x138
[ 1406.525750] el0t_64_sync+0x1ac/0x1b0
[ 1406.525876] SMP: stopping secondary CPUs
[ 1406.525965] Kernel Offset: disabled
[ 1406.526032] CPU features: 0x0000,00000080,8e134ca1,9446773f
[ 1406.526130] Memory Limit: none
[ 1406.959099] ---[ end Kernel panic - not syncing: HYP panic:
[ 1406.959099] PS:834003c9 PC:0000b1806db6d170 ESR:00000000f2000800
[ 1406.959099] FAR:ffff8000804be420 HPFAR:0000000000804be0 PAR:0000000000000000
[ 1406.959099] VCPU:0000000000000000 ]
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm64/kvm/hyp/nvhe/mem_protect.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4f7af3d8a1177c807d1f2563c7c171700b020656",
"status": "affected",
"version": "f28f1d02f4eaac05c2ad6bf7264a8696dc21d011",
"versionType": "git"
},
{
"lessThan": "2ba972bf71cb71d2127ec6c3db1ceb6dd0c73173",
"status": "affected",
"version": "f28f1d02f4eaac05c2ad6bf7264a8696dc21d011",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm64/kvm/hyp/nvhe/mem_protect.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.16"
},
{
"lessThan": "6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc1",
"versionStartIncluding": "6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Fix debug checking for np-guests using huge mappings\n\nWhen running with transparent huge pages and CONFIG_NVHE_EL2_DEBUG then\nthe debug checking in assert_host_shared_guest() fails on the launch of an\nnp-guest. This WARN_ON() causes a panic and generates the stack below.\n\nIn __pkvm_host_relax_perms_guest() the debug checking assumes the mapping\nis a single page but it may be a block map. Update the checking so that\nthe size is not checked and just assumes the correct size.\n\nWhile we\u0027re here make the same fix in __pkvm_host_mkyoung_guest().\n\n Info: # lkvm run -k /share/arch/arm64/boot/Image -m 704 -c 8 --name guest-128\n Info: Removed ghost socket file \"/.lkvm//guest-128.sock\".\n[ 1406.521757] kvm [141]: nVHE hyp BUG at: arch/arm64/kvm/hyp/nvhe/mem_protect.c:1088!\n[ 1406.521804] kvm [141]: nVHE call trace:\n[ 1406.521828] kvm [141]: [\u003cffff8000811676b4\u003e] __kvm_nvhe_hyp_panic+0xb4/0xe8\n[ 1406.521946] kvm [141]: [\u003cffff80008116d12c\u003e] __kvm_nvhe_assert_host_shared_guest+0xb0/0x10c\n[ 1406.522049] kvm [141]: [\u003cffff80008116f068\u003e] __kvm_nvhe___pkvm_host_relax_perms_guest+0x48/0x104\n[ 1406.522157] kvm [141]: [\u003cffff800081169df8\u003e] __kvm_nvhe_handle___pkvm_host_relax_perms_guest+0x64/0x7c\n[ 1406.522250] kvm [141]: [\u003cffff800081169f0c\u003e] __kvm_nvhe_handle_trap+0x8c/0x1a8\n[ 1406.522333] kvm [141]: [\u003cffff8000811680fc\u003e] __kvm_nvhe___skip_pauth_save+0x4/0x4\n[ 1406.522454] kvm [141]: ---[ end nVHE call trace ]---\n[ 1406.522477] kvm [141]: Hyp Offset: 0xfffece8013600000\n[ 1406.522554] Kernel panic - not syncing: HYP panic:\n[ 1406.522554] PS:834003c9 PC:0000b1806db6d170 ESR:00000000f2000800\n[ 1406.522554] FAR:ffff8000804be420 HPFAR:0000000000804be0 PAR:0000000000000000\n[ 1406.522554] VCPU:0000000000000000\n[ 1406.523337] CPU: 3 UID: 0 PID: 141 Comm: kvm-vcpu-0 Not tainted 6.16.0-rc7 #97 PREEMPT\n[ 
1406.523485] Hardware name: FVP Base RevC (DT)\n[ 1406.523566] Call trace:\n[ 1406.523629] show_stack+0x18/0x24 (C)\n[ 1406.523753] dump_stack_lvl+0xd4/0x108\n[ 1406.523899] dump_stack+0x18/0x24\n[ 1406.524040] panic+0x3d8/0x448\n[ 1406.524184] nvhe_hyp_panic_handler+0x10c/0x23c\n[ 1406.524325] kvm_handle_guest_abort+0x68c/0x109c\n[ 1406.524500] handle_exit+0x60/0x17c\n[ 1406.524630] kvm_arch_vcpu_ioctl_run+0x2e0/0x8c0\n[ 1406.524794] kvm_vcpu_ioctl+0x1a8/0x9cc\n[ 1406.524919] __arm64_sys_ioctl+0xac/0x104\n[ 1406.525067] invoke_syscall+0x48/0x10c\n[ 1406.525189] el0_svc_common.constprop.0+0x40/0xe0\n[ 1406.525322] do_el0_svc+0x1c/0x28\n[ 1406.525441] el0_svc+0x38/0x120\n[ 1406.525588] el0t_64_sync_handler+0x10c/0x138\n[ 1406.525750] el0t_64_sync+0x1ac/0x1b0\n[ 1406.525876] SMP: stopping secondary CPUs\n[ 1406.525965] Kernel Offset: disabled\n[ 1406.526032] CPU features: 0x0000,00000080,8e134ca1,9446773f\n[ 1406.526130] Memory Limit: none\n[ 1406.959099] ---[ end Kernel panic - not syncing: HYP panic:\n[ 1406.959099] PS:834003c9 PC:0000b1806db6d170 ESR:00000000f2000800\n[ 1406.959099] FAR:ffff8000804be420 HPFAR:0000000000804be0 PAR:0000000000000000\n[ 1406.959099] VCPU:0000000000000000 ]"
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T21:56:28.044Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4f7af3d8a1177c807d1f2563c7c171700b020656"
},
{
"url": "https://git.kernel.org/stable/c/2ba972bf71cb71d2127ec6c3db1ceb6dd0c73173"
}
],
"title": "KVM: arm64: Fix debug checking for np-guests using huge mappings",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40184",
"datePublished": "2025-11-12T21:56:28.044Z",
"dateReserved": "2025-04-16T07:20:57.177Z",
"dateUpdated": "2025-11-12T21:56:28.044Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40183 (GCVE-0-2025-40183)
Vulnerability from cvelistv5
Published
2025-11-12 21:56
Modified
2025-11-12 21:56
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6}
Cilium has a BPF egress gateway feature which forces outgoing K8s Pod
traffic to pass through dedicated egress gateways which then SNAT the
traffic in order to interact with stable IPs outside the cluster.
The traffic is directed to the gateway via vxlan tunnel in collect md
mode. A recent BPF change utilized the bpf_redirect_neigh() helper to
forward packets after the arrival and decap on vxlan, which turned out
over time that the kmalloc-256 slab usage in kernel was ever-increasing.
The issue was that vxlan allocates the metadata_dst object and attaches
it through a fake dst entry to the skb. The latter was never released
though given bpf_redirect_neigh() was merely setting the new dst entry
via skb_dst_set() without dropping an existing one first.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Version: b4ab31414970a7a03a5d55d75083f2c101a30592 Version: b4ab31414970a7a03a5d55d75083f2c101a30592 Version: b4ab31414970a7a03a5d55d75083f2c101a30592 Version: b4ab31414970a7a03a5d55d75083f2c101a30592 Version: b4ab31414970a7a03a5d55d75083f2c101a30592 Version: b4ab31414970a7a03a5d55d75083f2c101a30592 Version: b4ab31414970a7a03a5d55d75083f2c101a30592 |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/filter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3fba965a9aac0fa3cbd8138436a37af9ab466d79",
"status": "affected",
"version": "b4ab31414970a7a03a5d55d75083f2c101a30592",
"versionType": "git"
},
{
"lessThan": "057764172fcc6ee2ccb6c41351a55a9f054dc8fd",
"status": "affected",
"version": "b4ab31414970a7a03a5d55d75083f2c101a30592",
"versionType": "git"
},
{
"lessThan": "2e67c2037382abb56497bb9d7b7e10be04eb5598",
"status": "affected",
"version": "b4ab31414970a7a03a5d55d75083f2c101a30592",
"versionType": "git"
},
{
"lessThan": "b6bfe44b6dbb14a31d86c475cdc9c7689534fb09",
"status": "affected",
"version": "b4ab31414970a7a03a5d55d75083f2c101a30592",
"versionType": "git"
},
{
"lessThan": "f36a305d30f557306d87c787ddffe094ac5dac89",
"status": "affected",
"version": "b4ab31414970a7a03a5d55d75083f2c101a30592",
"versionType": "git"
},
{
"lessThan": "7404ce888a45eb7da0508b7cbbe6f2e95302eeb8",
"status": "affected",
"version": "b4ab31414970a7a03a5d55d75083f2c101a30592",
"versionType": "git"
},
{
"lessThan": "23f3770e1a53e6c7a553135011f547209e141e72",
"status": "affected",
"version": "b4ab31414970a7a03a5d55d75083f2c101a30592",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/filter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc1",
"versionStartIncluding": "5.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6}\n\nCilium has a BPF egress gateway feature which forces outgoing K8s Pod\ntraffic to pass through dedicated egress gateways which then SNAT the\ntraffic in order to interact with stable IPs outside the cluster.\n\nThe traffic is directed to the gateway via vxlan tunnel in collect md\nmode. A recent BPF change utilized the bpf_redirect_neigh() helper to\nforward packets after the arrival and decap on vxlan, which turned out\nover time that the kmalloc-256 slab usage in kernel was ever-increasing.\n\nThe issue was that vxlan allocates the metadata_dst object and attaches\nit through a fake dst entry to the skb. The latter was never released\nthough given bpf_redirect_neigh() was merely setting the new dst entry\nvia skb_dst_set() without dropping an existing one first."
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T21:56:27.429Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3fba965a9aac0fa3cbd8138436a37af9ab466d79"
},
{
"url": "https://git.kernel.org/stable/c/057764172fcc6ee2ccb6c41351a55a9f054dc8fd"
},
{
"url": "https://git.kernel.org/stable/c/2e67c2037382abb56497bb9d7b7e10be04eb5598"
},
{
"url": "https://git.kernel.org/stable/c/b6bfe44b6dbb14a31d86c475cdc9c7689534fb09"
},
{
"url": "https://git.kernel.org/stable/c/f36a305d30f557306d87c787ddffe094ac5dac89"
},
{
"url": "https://git.kernel.org/stable/c/7404ce888a45eb7da0508b7cbbe6f2e95302eeb8"
},
{
"url": "https://git.kernel.org/stable/c/23f3770e1a53e6c7a553135011f547209e141e72"
}
],
"title": "bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6}",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40183",
"datePublished": "2025-11-12T21:56:27.429Z",
"dateReserved": "2025-04-16T07:20:57.177Z",
"dateUpdated": "2025-11-12T21:56:27.429Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40182 (GCVE-0-2025-40182)
Vulnerability from cvelistv5
Published
2025-11-12 21:56
Modified
2025-11-12 21:56
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: skcipher - Fix reqsize handling
Commit afddce13ce81d ("crypto: api - Add reqsize to crypto_alg")
introduced cra_reqsize field in crypto_alg struct to replace type
specific reqsize fields. It looks like this was introduced specifically
for ahash and acomp from the commit description as subsequent commits
add necessary changes in these alg frameworks.
However, this is being recommended for use in all crypto algs [1]
instead of setting reqsize using crypto_*_set_reqsize(). Using
cra_reqsize in skcipher algorithms, hence, causes memory
corruptions and crashes as the underlying functions in the algorithm
framework have not been updated to set the reqsize properly from
cra_reqsize. [2]
Add proper set_reqsize calls in the skcipher init function to
properly initialize reqsize for these algorithms in the framework.
[1]: https://lore.kernel.org/linux-crypto/aCL8BxpHr5OpT04k@gondor.apana.org.au/
[2]: https://gist.github.com/Pratham-T/24247446f1faf4b7843e4014d5089f6b
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"crypto/skcipher.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f041339d6b9a5a46437f0c48fc7279c92af7a513",
"status": "affected",
"version": "afddce13ce81d52a13898fa0700917835c71acd6",
"versionType": "git"
},
{
"lessThan": "229c586b5e86979badb7cb0d38717b88a9e95ddd",
"status": "affected",
"version": "afddce13ce81d52a13898fa0700917835c71acd6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"crypto/skcipher.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.16"
},
{
"lessThan": "6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc1",
"versionStartIncluding": "6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: skcipher - Fix reqsize handling\n\nCommit afddce13ce81d (\"crypto: api - Add reqsize to crypto_alg\")\nintroduced cra_reqsize field in crypto_alg struct to replace type\nspecific reqsize fields. It looks like this was introduced specifically\nfor ahash and acomp from the commit description as subsequent commits\nadd necessary changes in these alg frameworks.\n\nHowever, this is being recommended for use in all crypto algs [1]\ninstead of setting reqsize using crypto_*_set_reqsize(). Using\ncra_reqsize in skcipher algorithms, hence, causes memory\ncorruptions and crashes as the underlying functions in the algorithm\nframework have not been updated to set the reqsize properly from\ncra_reqsize. [2]\n\nAdd proper set_reqsize calls in the skcipher init function to\nproperly initialize reqsize for these algorithms in the framework.\n\n[1]: https://lore.kernel.org/linux-crypto/aCL8BxpHr5OpT04k@gondor.apana.org.au/\n[2]: https://gist.github.com/Pratham-T/24247446f1faf4b7843e4014d5089f6b"
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T21:56:26.699Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f041339d6b9a5a46437f0c48fc7279c92af7a513"
},
{
"url": "https://git.kernel.org/stable/c/229c586b5e86979badb7cb0d38717b88a9e95ddd"
}
],
"title": "crypto: skcipher - Fix reqsize handling",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40182",
"datePublished": "2025-11-12T21:56:26.699Z",
"dateReserved": "2025-04-16T07:20:57.177Z",
"dateUpdated": "2025-11-12T21:56:26.699Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}